* [PATCH 0/1] Perl: Fix CVE-2016-2381 @ 2016-03-02 19:48 Leo Famulari 2016-03-02 19:48 ` [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381] Leo Famulari 0 siblings, 1 reply; 6+ messages in thread From: Leo Famulari @ 2016-03-02 19:48 UTC (permalink / raw) To: guix-devel This grafts perl to fix CVE-2016-2381 [0], in which environment variables declared more than once are handled ambiguously. [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html https://security-tracker.debian.org/tracker/CVE-2016-2381 Leo Famulari (1): gnu: perl: Replace with patched version [fixes CVE-2016-2381]. gnu-system.am | 1 + gnu/packages/commencement.scm | 1 + gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ++++++++++++++++++++++++++ gnu/packages/perl.scm | 23 +++++ 4 files changed, 141 insertions(+) create mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch -- 2.7.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381]. 2016-03-02 19:48 [PATCH 0/1] Perl: Fix CVE-2016-2381 Leo Famulari @ 2016-03-02 19:48 ` Leo Famulari 2016-03-02 21:52 ` Ludovic Courtès 0 siblings, 1 reply; 6+ messages in thread From: Leo Famulari @ 2016-03-02 19:48 UTC (permalink / raw) To: guix-devel * gnu/packages/patches/perl-CVE-2016-2381.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/perl.scm (perl)[replacement]: New field. (perl-5.22.1-2): New variable. * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field. --- gnu-system.am | 1 + gnu/packages/commencement.scm | 1 + gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ++++++++++++++++++++++++++ gnu/packages/perl.scm | 23 +++++ 4 files changed, 141 insertions(+) create mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch diff --git a/gnu-system.am b/gnu-system.am index 526e991..9cf2194 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -640,6 +640,7 @@ dist_patch_DATA = \ gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \ gnu/packages/patches/patch-hurd-path-max.patch \ gnu/packages/patches/perl-CVE-2015-8607.patch \ + gnu/packages/patches/perl-CVE-2016-2381.patch \ gnu/packages/patches/perl-autosplit-default-time.patch \ gnu/packages/patches/perl-deterministic-ordering.patch \ gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 1928360..80a83aa 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -268,6 +268,7 @@ (let ((perl (package (inherit perl) (name "perl-boot0") + (replacement #f) (arguments (substitute-keyword-arguments (package-arguments perl) ((#:phases phases) diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch new file mode 100644 index 0000000..2c913b8 --- /dev/null +++ b/gnu/packages/patches/perl-CVE-2016-2381.patch @@ -0,0 +1,116 @@ +Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables). + +Copied from Debian: +https://sources.debian.net/src/perl/5.22.1-8/debian/patches/fixes/CVE-2016-2381_duplicate_env.diff/ + +References: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 +http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html +https://security-tracker.debian.org/tracker/CVE-2016-2381 + +--- + +From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001 +From: Tony Cook <tony@develop-help.com> +Date: Wed, 27 Jan 2016 11:52:15 +1100 +Subject: remove duplicate environment variables from environ + +If we see duplicate environment variables while iterating over +environ[]: + +a) make sure we use the same value in %ENV that getenv() returns. + +Previously on a duplicate, %ENV would have the last entry for the name +from environ[], but a typical getenv() would return the first entry. + +Rather than assuming all getenv() implementations return the first entry +explicitly call getenv() to ensure they agree. + +b) remove duplicate entries from environ + +Previously if there was a duplicate definition for a name in environ[] +setting that name in %ENV could result in an unsafe value being passed +to a child process, so ensure environ[] has no duplicates. + +Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff +--- + perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 49 insertions(+), 2 deletions(-) + +diff --git a/perl.c b/perl.c +index 67d32ce..26aeb91 100644 +--- a/perl.c ++++ b/perl.c +@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env) + } + if (env) { + char *s, *old_var; ++ STRLEN nlen; + SV *sv; ++ HV *dups = newHV(); ++ + for (; *env; env++) { + old_var = *env; + + if (!(s = strchr(old_var,'=')) || s == old_var) + continue; ++ nlen = s - old_var; + + #if defined(MSDOS) && !defined(DJGPP) + *s = '\0'; + (void)strupr(old_var); + *s = '='; + #endif +- sv = newSVpv(s+1, 0); +- (void)hv_store(hv, old_var, s - old_var, sv, 0); ++ if (hv_exists(hv, old_var, nlen)) { ++ const char *name = savepvn(old_var, nlen); ++ ++ /* make sure we use the same value as getenv(), otherwise code that ++ uses getenv() (like setlocale()) might see a different value to %ENV ++ */ ++ sv = newSVpv(PerlEnv_getenv(name), 0); ++ ++ /* keep a count of the dups of this name so we can de-dup environ later */ ++ if (hv_exists(dups, name, nlen)) ++ ++SvIVX(*hv_fetch(dups, name, nlen, 0)); ++ else ++ (void)hv_store(dups, name, nlen, newSViv(1), 0); ++ ++ Safefree(name); ++ } ++ else { ++ sv = newSVpv(s+1, 0); ++ } ++ (void)hv_store(hv, old_var, nlen, sv, 0); + if (env_is_not_environ) + mg_set(sv); + } ++ if (HvKEYS(dups)) { ++ /* environ has some duplicate definitions, remove them */ ++ HE *entry; ++ hv_iterinit(dups); ++ while ((entry = hv_iternext_flags(dups, 0))) { ++ STRLEN nlen; ++ const char *name = HePV(entry, nlen); ++ IV count = SvIV(HeVAL(entry)); ++ IV i; ++ SV **valp = hv_fetch(hv, name, nlen, 0); ++ ++ assert(valp); ++ ++ /* try to remove any duplicate names, depending on the ++ * implementation used in my_setenv() the iteration might ++ * not be necessary, but let's be safe. ++ */ ++ for (i = 0; i < count; ++i) ++ my_setenv(name, 0); ++ ++ /* and set it back to the value we set $ENV{name} to */ ++ my_setenv(name, SvPV_nolen(*valp)); ++ } ++ } ++ SvREFCNT_dec_NN(dups); + } + #endif /* USE_ENVIRON_ARRAY */ + #endif /* !PERL_MICRO */ diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index 6ca62aa..d67870f 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -37,6 +37,7 @@ (define-public perl ;; Yeah, Perl... It is required early in the bootstrap process by Linux. (package + (replacement perl-fixed) (name "perl") (version "5.22.1") (source (origin @@ -114,6 +115,28 @@ (home-page "http://www.perl.org/") (license gpl1+))) ; or "Artistic" +(define perl-fixed + (package + (inherit perl) + (replacement #f) + (source + (let ((name "perl") (version "5.22.1")) + (origin + (method url-fetch) + (uri (string-append "http://www.cpan.org/src/5.0/perl-" + version ".tar.gz")) + (sha256 + (base32 + "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb")) + (patches (map search-patch + '("perl-no-sys-dirs.patch" + "perl-autosplit-default-time.patch" + "perl-source-date-epoch.patch" + "perl-deterministic-ordering.patch" + "perl-no-build-time.patch" + "perl-CVE-2015-8607.patch" + "perl-CVE-2016-2381.patch")))))))) + (define-public perl-algorithm-c3 (package (name "perl-algorithm-c3") -- 2.7.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381]. 2016-03-02 19:48 ` [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381] Leo Famulari @ 2016-03-02 21:52 ` Ludovic Courtès 2016-03-03 4:06 ` Leo Famulari 0 siblings, 1 reply; 6+ messages in thread From: Ludovic Courtès @ 2016-03-02 21:52 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Leo Famulari <leo@famulari.name> skribis: > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file. > * gnu-system.am (dist_patch_DATA): Add it. > * gnu/packages/perl.scm (perl)[replacement]: New field. > (perl-5.22.1-2): New variable. Should be ‘perl-fixed’. > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field. Otherwise LGTM, as long as you confirm that nothing goes really wrong once it’s applied. :-) Ludo’. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381]. 2016-03-02 21:52 ` Ludovic Courtès @ 2016-03-03 4:06 ` Leo Famulari 2016-03-03 5:52 ` Leo Famulari 2016-03-03 16:33 ` Ludovic Courtès 0 siblings, 2 replies; 6+ messages in thread From: Leo Famulari @ 2016-03-03 4:06 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote: > Leo Famulari <leo@famulari.name> skribis: > > > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file. > > * gnu-system.am (dist_patch_DATA): Add it. > > * gnu/packages/perl.scm (perl)[replacement]: New field. > > (perl-5.22.1-2): New variable. > > Should be ‘perl-fixed’. Done. I also altered the context of the patch to reflect that its source is actually upstream Perl, although Debian did cherry-pick it. > > > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field. > > Otherwise LGTM, as long as you confirm that nothing goes really wrong > once it’s applied. :-) Here are some things I tried: 1) Built and booted a VM with `guix system vm`. I don't know if perl (as opposed to perl-boot0) is used in this process, but it did work. 2) Built and installed git on top of it, and then rolled back the commit and used `git add -i` to recreate it, and then `git send-email` to submit it. Both of those tools are Perl scripts. https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381]. 2016-03-03 4:06 ` Leo Famulari @ 2016-03-03 5:52 ` Leo Famulari 2016-03-03 16:33 ` Ludovic Courtès 1 sibling, 0 replies; 6+ messages in thread From: Leo Famulari @ 2016-03-03 5:52 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel On Wed, Mar 02, 2016 at 11:06:13PM -0500, Leo Famulari wrote: > On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote: > > Leo Famulari <leo@famulari.name> skribis: > > > > > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file. > > > * gnu-system.am (dist_patch_DATA): Add it. > > > * gnu/packages/perl.scm (perl)[replacement]: New field. > > > (perl-5.22.1-2): New variable. > > > > Should be ‘perl-fixed’. > > Done. I also altered the context of the patch to reflect that its > source is actually upstream Perl, although Debian did cherry-pick it. > > > > > > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field. > > > > Otherwise LGTM, as long as you confirm that nothing goes really wrong > > once it’s applied. :-) > > Here are some things I tried: > > 1) Built and booted a VM with `guix system vm`. I don't know if perl (as > opposed to perl-boot0) is used in this process, but it did work. > > 2) Built and installed git on top of it, and then rolled back the commit > and used `git add -i` to recreate it, and then `git send-email` to > submit it. Both of those tools are Perl scripts. By "on top of it" I mean on top of this patch, not on the VM. > > https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl > https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381]. 2016-03-03 4:06 ` Leo Famulari 2016-03-03 5:52 ` Leo Famulari @ 2016-03-03 16:33 ` Ludovic Courtès 1 sibling, 0 replies; 6+ messages in thread From: Ludovic Courtès @ 2016-03-03 16:33 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Leo Famulari <leo@famulari.name> skribis: > On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote: [...] >> Otherwise LGTM, as long as you confirm that nothing goes really wrong >> once it’s applied. :-) > > Here are some things I tried: > > 1) Built and booted a VM with `guix system vm`. I don't know if perl (as > opposed to perl-boot0) is used in this process, but it did work. > > 2) Built and installed git on top of it, and then rolled back the commit > and used `git add -i` to recreate it, and then `git send-email` to > submit it. Both of those tools are Perl scripts. These do sound like good tests. :-) Ludo’. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-03-03 16:33 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-03-02 19:48 [PATCH 0/1] Perl: Fix CVE-2016-2381 Leo Famulari 2016-03-02 19:48 ` [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381] Leo Famulari 2016-03-02 21:52 ` Ludovic Courtès 2016-03-03 4:06 ` Leo Famulari 2016-03-03 5:52 ` Leo Famulari 2016-03-03 16:33 ` Ludovic Courtès
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.