gnu: perl: Replace with patched version [fixes CVE-2016-2381].
* gnu/packages/patches/perl-CVE-2016-2381.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/perl.scm (perl)[replacement]: New field. (perl-fixed): New variable. * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
This commit is contained in:
parent
7b3f2682de
commit
d8173f21f7
|
@ -641,6 +641,7 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
|
||||
gnu/packages/patches/patch-hurd-path-max.patch \
|
||||
gnu/packages/patches/perl-CVE-2015-8607.patch \
|
||||
gnu/packages/patches/perl-CVE-2016-2381.patch \
|
||||
gnu/packages/patches/perl-autosplit-default-time.patch \
|
||||
gnu/packages/patches/perl-deterministic-ordering.patch \
|
||||
gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
|
||||
|
|
|
@ -268,6 +268,7 @@
|
|||
(let ((perl (package
|
||||
(inherit perl)
|
||||
(name "perl-boot0")
|
||||
(replacement #f)
|
||||
(arguments
|
||||
(substitute-keyword-arguments (package-arguments perl)
|
||||
((#:phases phases)
|
||||
|
|
|
@ -0,0 +1,116 @@
|
|||
Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
|
||||
|
||||
Copied from upstream:
|
||||
http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
|
||||
|
||||
References:
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
|
||||
http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-2381
|
||||
|
||||
---
|
||||
|
||||
From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Wed, 27 Jan 2016 11:52:15 +1100
|
||||
Subject: remove duplicate environment variables from environ
|
||||
|
||||
If we see duplicate environment variables while iterating over
|
||||
environ[]:
|
||||
|
||||
a) make sure we use the same value in %ENV that getenv() returns.
|
||||
|
||||
Previously on a duplicate, %ENV would have the last entry for the name
|
||||
from environ[], but a typical getenv() would return the first entry.
|
||||
|
||||
Rather than assuming all getenv() implementations return the first entry
|
||||
explicitly call getenv() to ensure they agree.
|
||||
|
||||
b) remove duplicate entries from environ
|
||||
|
||||
Previously if there was a duplicate definition for a name in environ[]
|
||||
setting that name in %ENV could result in an unsafe value being passed
|
||||
to a child process, so ensure environ[] has no duplicates.
|
||||
|
||||
Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
|
||||
---
|
||||
perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 49 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/perl.c b/perl.c
|
||||
index 67d32ce..26aeb91 100644
|
||||
--- a/perl.c
|
||||
+++ b/perl.c
|
||||
@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
|
||||
}
|
||||
if (env) {
|
||||
char *s, *old_var;
|
||||
+ STRLEN nlen;
|
||||
SV *sv;
|
||||
+ HV *dups = newHV();
|
||||
+
|
||||
for (; *env; env++) {
|
||||
old_var = *env;
|
||||
|
||||
if (!(s = strchr(old_var,'=')) || s == old_var)
|
||||
continue;
|
||||
+ nlen = s - old_var;
|
||||
|
||||
#if defined(MSDOS) && !defined(DJGPP)
|
||||
*s = '\0';
|
||||
(void)strupr(old_var);
|
||||
*s = '=';
|
||||
#endif
|
||||
- sv = newSVpv(s+1, 0);
|
||||
- (void)hv_store(hv, old_var, s - old_var, sv, 0);
|
||||
+ if (hv_exists(hv, old_var, nlen)) {
|
||||
+ const char *name = savepvn(old_var, nlen);
|
||||
+
|
||||
+ /* make sure we use the same value as getenv(), otherwise code that
|
||||
+ uses getenv() (like setlocale()) might see a different value to %ENV
|
||||
+ */
|
||||
+ sv = newSVpv(PerlEnv_getenv(name), 0);
|
||||
+
|
||||
+ /* keep a count of the dups of this name so we can de-dup environ later */
|
||||
+ if (hv_exists(dups, name, nlen))
|
||||
+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
|
||||
+ else
|
||||
+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
|
||||
+
|
||||
+ Safefree(name);
|
||||
+ }
|
||||
+ else {
|
||||
+ sv = newSVpv(s+1, 0);
|
||||
+ }
|
||||
+ (void)hv_store(hv, old_var, nlen, sv, 0);
|
||||
if (env_is_not_environ)
|
||||
mg_set(sv);
|
||||
}
|
||||
+ if (HvKEYS(dups)) {
|
||||
+ /* environ has some duplicate definitions, remove them */
|
||||
+ HE *entry;
|
||||
+ hv_iterinit(dups);
|
||||
+ while ((entry = hv_iternext_flags(dups, 0))) {
|
||||
+ STRLEN nlen;
|
||||
+ const char *name = HePV(entry, nlen);
|
||||
+ IV count = SvIV(HeVAL(entry));
|
||||
+ IV i;
|
||||
+ SV **valp = hv_fetch(hv, name, nlen, 0);
|
||||
+
|
||||
+ assert(valp);
|
||||
+
|
||||
+ /* try to remove any duplicate names, depending on the
|
||||
+ * implementation used in my_setenv() the iteration might
|
||||
+ * not be necessary, but let's be safe.
|
||||
+ */
|
||||
+ for (i = 0; i < count; ++i)
|
||||
+ my_setenv(name, 0);
|
||||
+
|
||||
+ /* and set it back to the value we set $ENV{name} to */
|
||||
+ my_setenv(name, SvPV_nolen(*valp));
|
||||
+ }
|
||||
+ }
|
||||
+ SvREFCNT_dec_NN(dups);
|
||||
}
|
||||
#endif /* USE_ENVIRON_ARRAY */
|
||||
#endif /* !PERL_MICRO */
|
|
@ -37,6 +37,7 @@
|
|||
(define-public perl
|
||||
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
|
||||
(package
|
||||
(replacement perl-fixed)
|
||||
(name "perl")
|
||||
(version "5.22.1")
|
||||
(source (origin
|
||||
|
@ -114,6 +115,28 @@
|
|||
(home-page "http://www.perl.org/")
|
||||
(license gpl1+))) ; or "Artistic"
|
||||
|
||||
(define perl-fixed
|
||||
(package
|
||||
(inherit perl)
|
||||
(replacement #f)
|
||||
(source
|
||||
(let ((name "perl") (version "5.22.1"))
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "http://www.cpan.org/src/5.0/perl-"
|
||||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
|
||||
(patches (map search-patch
|
||||
'("perl-no-sys-dirs.patch"
|
||||
"perl-autosplit-default-time.patch"
|
||||
"perl-source-date-epoch.patch"
|
||||
"perl-deterministic-ordering.patch"
|
||||
"perl-no-build-time.patch"
|
||||
"perl-CVE-2015-8607.patch"
|
||||
"perl-CVE-2016-2381.patch"))))))))
|
||||
|
||||
(define-public perl-algorithm-c3
|
||||
(package
|
||||
(name "perl-algorithm-c3")
|
||||
|
|
Loading…
Reference in New Issue