[PATCH 0/1] Perl: Fix CVE-2016-2381

[PATCH 0/1] Perl: Fix CVE-2016-2381

[Leo Famulari]

This grafts perl to fix CVE-2016-2381 [0], in which environment
variables declared more than once are handled ambiguously.

[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
https://security-tracker.debian.org/tracker/CVE-2016-2381

Leo Famulari (1):
  gnu: perl: Replace with patched version [fixes CVE-2016-2381].

 gnu-system.am                                 |   1 +
 gnu/packages/commencement.scm                 |   1 +
 gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ++++++++++++++++++++++++++
 gnu/packages/perl.scm                         |  23 +++++
 4 files changed, 141 insertions(+)
 create mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch

-- 
2.7.1

[PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].

[Leo Famulari]

* gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/perl.scm (perl)[replacement]: New field.
(perl-5.22.1-2): New variable.
* gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
---
 gnu-system.am                                 |   1 +
 gnu/packages/commencement.scm                 |   1 +
 gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ++++++++++++++++++++++++++
 gnu/packages/perl.scm                         |  23 +++++
 4 files changed, 141 insertions(+)
 create mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch

diff --git a/gnu-system.am b/gnu-system.am
index 526e991..9cf2194 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -640,6 +640,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   gnu/packages/patches/patch-hurd-path-max.patch		\
   gnu/packages/patches/perl-CVE-2015-8607.patch			\
+  gnu/packages/patches/perl-CVE-2016-2381.patch			\
   gnu/packages/patches/perl-autosplit-default-time.patch	\
   gnu/packages/patches/perl-deterministic-ordering.patch	\
   gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1928360..80a83aa 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -268,6 +268,7 @@
   (let ((perl (package
                 (inherit perl)
                 (name "perl-boot0")
+                (replacement #f)
                 (arguments
                  (substitute-keyword-arguments (package-arguments perl)
                    ((#:phases phases)
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
new file mode 100644
index 0000000..2c913b8
--- /dev/null
+++ b/gnu/packages/patches/perl-CVE-2016-2381.patch
@@ -0,0 +1,116 @@
+Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
+
+Copied from Debian:
+https://sources.debian.net/src/perl/5.22.1-8/debian/patches/fixes/CVE-2016-2381_duplicate_env.diff/
+
+References:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
+http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
+https://security-tracker.debian.org/tracker/CVE-2016-2381
+
+---
+
+From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jan 2016 11:52:15 +1100
+Subject: remove duplicate environment variables from environ
+
+If we see duplicate environment variables while iterating over
+environ[]:
+
+a) make sure we use the same value in %ENV that getenv() returns.
+
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+
+b) remove duplicate entries from environ
+
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+
+Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
+---
+ perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 2 deletions(-)
+
+diff --git a/perl.c b/perl.c
+index 67d32ce..26aeb91 100644
+--- a/perl.c
++++ b/perl.c
+@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
+ 	}
+ 	if (env) {
+ 	  char *s, *old_var;
++          STRLEN nlen;
+ 	  SV *sv;
++          HV *dups = newHV();
++
+ 	  for (; *env; env++) {
+ 	    old_var = *env;
+ 
+ 	    if (!(s = strchr(old_var,'=')) || s == old_var)
+ 		continue;
++            nlen = s - old_var;
+ 
+ #if defined(MSDOS) && !defined(DJGPP)
+ 	    *s = '\0';
+ 	    (void)strupr(old_var);
+ 	    *s = '=';
+ #endif
+-	    sv = newSVpv(s+1, 0);
+-	    (void)hv_store(hv, old_var, s - old_var, sv, 0);
++            if (hv_exists(hv, old_var, nlen)) {
++                const char *name = savepvn(old_var, nlen);
++
++                /* make sure we use the same value as getenv(), otherwise code that
++                   uses getenv() (like setlocale()) might see a different value to %ENV
++                 */
++                sv = newSVpv(PerlEnv_getenv(name), 0);
++
++                /* keep a count of the dups of this name so we can de-dup environ later */
++                if (hv_exists(dups, name, nlen))
++                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++                else
++                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++                Safefree(name);
++            }
++            else {
++                sv = newSVpv(s+1, 0);
++            }
++	    (void)hv_store(hv, old_var, nlen, sv, 0);
+ 	    if (env_is_not_environ)
+ 	        mg_set(sv);
+ 	  }
++          if (HvKEYS(dups)) {
++              /* environ has some duplicate definitions, remove them */
++              HE *entry;
++              hv_iterinit(dups);
++              while ((entry = hv_iternext_flags(dups, 0))) {
++                  STRLEN nlen;
++                  const char *name = HePV(entry, nlen);
++                  IV count = SvIV(HeVAL(entry));
++                  IV i;
++                  SV **valp = hv_fetch(hv, name, nlen, 0);
++
++                  assert(valp);
++
++                  /* try to remove any duplicate names, depending on the
++                   * implementation used in my_setenv() the iteration might
++                   * not be necessary, but let's be safe.
++                   */
++                  for (i = 0; i < count; ++i)
++                      my_setenv(name, 0);
++
++                  /* and set it back to the value we set $ENV{name} to */
++                  my_setenv(name, SvPV_nolen(*valp));
++              }
++          }
++          SvREFCNT_dec_NN(dups);
+       }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 6ca62aa..d67870f 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -37,6 +37,7 @@
 (define-public perl
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
+    (replacement perl-fixed)
     (name "perl")
     (version "5.22.1")
     (source (origin
@@ -114,6 +115,28 @@
     (home-page "http://www.perl.org/")
     (license gpl1+)))                          ; or "Artistic"
 
+(define perl-fixed
+  (package
+    (inherit perl)
+    (replacement #f)
+    (source
+      (let ((name "perl") (version "5.22.1"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "http://www.cpan.org/src/5.0/perl-"
+                              version ".tar.gz"))
+          (sha256
+           (base32
+            "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
+          (patches (map search-patch
+                        '("perl-no-sys-dirs.patch"
+                          "perl-autosplit-default-time.patch"
+                          "perl-source-date-epoch.patch"
+                          "perl-deterministic-ordering.patch"
+                          "perl-no-build-time.patch"
+                          "perl-CVE-2015-8607.patch"
+                          "perl-CVE-2016-2381.patch"))))))))
+
 (define-public perl-algorithm-c3
   (package
     (name "perl-algorithm-c3")
-- 
2.7.1

Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
> * gnu-system.am (dist_patch_DATA): Add it.
> * gnu/packages/perl.scm (perl)[replacement]: New field.
> (perl-5.22.1-2): New variable.

Should be ‘perl-fixed’.

> * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.

Otherwise LGTM, as long as you confirm that nothing goes really wrong
once it’s applied.  :-)

Ludo’.

Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].

[Leo Famulari]

On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
> > * gnu-system.am (dist_patch_DATA): Add it.
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl-5.22.1-2): New variable.
> 
> Should be ‘perl-fixed’.

Done. I also altered the context of the patch to reflect that its
source is actually upstream Perl, although Debian did cherry-pick it.

> 
> > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
> 
> Otherwise LGTM, as long as you confirm that nothing goes really wrong
> once it’s applied.  :-)

Here are some things I tried:

1) Built and booted a VM with `guix system vm`. I don't know if perl (as
opposed to perl-boot0) is used in this process, but it did work.

2) Built and installed git on top of it, and then rolled back the commit
and used `git add -i` to recreate it, and then `git send-email` to
submit it. Both of those tools are Perl scripts.

https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl
https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl

Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].

[Leo Famulari]

On Wed, Mar 02, 2016 at 11:06:13PM -0500, Leo Famulari wrote:
> On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> > 
> > > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
> > > * gnu-system.am (dist_patch_DATA): Add it.
> > > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > > (perl-5.22.1-2): New variable.
> > 
> > Should be ‘perl-fixed’.
> 
> Done. I also altered the context of the patch to reflect that its
> source is actually upstream Perl, although Debian did cherry-pick it.
> 
> > 
> > > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
> > 
> > Otherwise LGTM, as long as you confirm that nothing goes really wrong
> > once it’s applied.  :-)
> 
> Here are some things I tried:
> 
> 1) Built and booted a VM with `guix system vm`. I don't know if perl (as
> opposed to perl-boot0) is used in this process, but it did work.
> 
> 2) Built and installed git on top of it, and then rolled back the commit
> and used `git add -i` to recreate it, and then `git send-email` to
> submit it. Both of those tools are Perl scripts.

By "on top of it" I mean on top of this patch, not on the VM.

> 
> https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl
> https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl

Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote:

[...]

>> Otherwise LGTM, as long as you confirm that nothing goes really wrong
>> once it’s applied.  :-)
>
> Here are some things I tried:
>
> 1) Built and booted a VM with `guix system vm`. I don't know if perl (as
> opposed to perl-boot0) is used in this process, but it did work.
>
> 2) Built and installed git on top of it, and then rolled back the commit
> and used `git add -i` to recreate it, and then `git send-email` to
> submit it. Both of those tools are Perl scripts.

These do sound like good tests.  :-)

Ludo’.