From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381].
Date: Wed, 2 Mar 2016 14:48:07 -0500 [thread overview]
Message-ID: <92cf16de48838de4d9d060886f0bc9915e8f52e1.1456947844.git.leo@famulari.name> (raw)
In-Reply-To: <cover.1456947844.git.leo@famulari.name>
In-Reply-To: <cover.1456947844.git.leo@famulari.name>
* gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/perl.scm (perl)[replacement]: New field.
(perl-5.22.1-2): New variable.
* gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
---
gnu-system.am | 1 +
gnu/packages/commencement.scm | 1 +
gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ++++++++++++++++++++++++++
gnu/packages/perl.scm | 23 +++++
4 files changed, 141 insertions(+)
create mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch
diff --git a/gnu-system.am b/gnu-system.am
index 526e991..9cf2194 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -640,6 +640,7 @@ dist_patch_DATA = \
gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
gnu/packages/patches/patch-hurd-path-max.patch \
gnu/packages/patches/perl-CVE-2015-8607.patch \
+ gnu/packages/patches/perl-CVE-2016-2381.patch \
gnu/packages/patches/perl-autosplit-default-time.patch \
gnu/packages/patches/perl-deterministic-ordering.patch \
gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1928360..80a83aa 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -268,6 +268,7 @@
(let ((perl (package
(inherit perl)
(name "perl-boot0")
+ (replacement #f)
(arguments
(substitute-keyword-arguments (package-arguments perl)
((#:phases phases)
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
new file mode 100644
index 0000000..2c913b8
--- /dev/null
+++ b/gnu/packages/patches/perl-CVE-2016-2381.patch
@@ -0,0 +1,116 @@
+Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
+
+Copied from Debian:
+https://sources.debian.net/src/perl/5.22.1-8/debian/patches/fixes/CVE-2016-2381_duplicate_env.diff/
+
+References:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
+http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
+https://security-tracker.debian.org/tracker/CVE-2016-2381
+
+---
+
+From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jan 2016 11:52:15 +1100
+Subject: remove duplicate environment variables from environ
+
+If we see duplicate environment variables while iterating over
+environ[]:
+
+a) make sure we use the same value in %ENV that getenv() returns.
+
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+
+b) remove duplicate entries from environ
+
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+
+Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
+---
+ perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 2 deletions(-)
+
+diff --git a/perl.c b/perl.c
+index 67d32ce..26aeb91 100644
+--- a/perl.c
++++ b/perl.c
+@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
+ }
+ if (env) {
+ char *s, *old_var;
++ STRLEN nlen;
+ SV *sv;
++ HV *dups = newHV();
++
+ for (; *env; env++) {
+ old_var = *env;
+
+ if (!(s = strchr(old_var,'=')) || s == old_var)
+ continue;
++ nlen = s - old_var;
+
+ #if defined(MSDOS) && !defined(DJGPP)
+ *s = '\0';
+ (void)strupr(old_var);
+ *s = '=';
+ #endif
+- sv = newSVpv(s+1, 0);
+- (void)hv_store(hv, old_var, s - old_var, sv, 0);
++ if (hv_exists(hv, old_var, nlen)) {
++ const char *name = savepvn(old_var, nlen);
++
++ /* make sure we use the same value as getenv(), otherwise code that
++ uses getenv() (like setlocale()) might see a different value to %ENV
++ */
++ sv = newSVpv(PerlEnv_getenv(name), 0);
++
++ /* keep a count of the dups of this name so we can de-dup environ later */
++ if (hv_exists(dups, name, nlen))
++ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++ else
++ (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++ Safefree(name);
++ }
++ else {
++ sv = newSVpv(s+1, 0);
++ }
++ (void)hv_store(hv, old_var, nlen, sv, 0);
+ if (env_is_not_environ)
+ mg_set(sv);
+ }
++ if (HvKEYS(dups)) {
++ /* environ has some duplicate definitions, remove them */
++ HE *entry;
++ hv_iterinit(dups);
++ while ((entry = hv_iternext_flags(dups, 0))) {
++ STRLEN nlen;
++ const char *name = HePV(entry, nlen);
++ IV count = SvIV(HeVAL(entry));
++ IV i;
++ SV **valp = hv_fetch(hv, name, nlen, 0);
++
++ assert(valp);
++
++ /* try to remove any duplicate names, depending on the
++ * implementation used in my_setenv() the iteration might
++ * not be necessary, but let's be safe.
++ */
++ for (i = 0; i < count; ++i)
++ my_setenv(name, 0);
++
++ /* and set it back to the value we set $ENV{name} to */
++ my_setenv(name, SvPV_nolen(*valp));
++ }
++ }
++ SvREFCNT_dec_NN(dups);
+ }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 6ca62aa..d67870f 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -37,6 +37,7 @@
(define-public perl
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package
+ (replacement perl-fixed)
(name "perl")
(version "5.22.1")
(source (origin
@@ -114,6 +115,28 @@
(home-page "http://www.perl.org/")
(license gpl1+))) ; or "Artistic"
+(define perl-fixed
+ (package
+ (inherit perl)
+ (replacement #f)
+ (source
+ (let ((name "perl") (version "5.22.1"))
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://www.cpan.org/src/5.0/perl-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
+ (patches (map search-patch
+ '("perl-no-sys-dirs.patch"
+ "perl-autosplit-default-time.patch"
+ "perl-source-date-epoch.patch"
+ "perl-deterministic-ordering.patch"
+ "perl-no-build-time.patch"
+ "perl-CVE-2015-8607.patch"
+ "perl-CVE-2016-2381.patch"))))))))
+
(define-public perl-algorithm-c3
(package
(name "perl-algorithm-c3")
--
2.7.1
next prev parent reply other threads:[~2016-03-02 19:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 19:48 [PATCH 0/1] Perl: Fix CVE-2016-2381 Leo Famulari
2016-03-02 19:48 ` Leo Famulari [this message]
2016-03-02 21:52 ` [PATCH 1/1] gnu: perl: Replace with patched version [fixes CVE-2016-2381] Ludovic Courtès
2016-03-03 4:06 ` Leo Famulari
2016-03-03 5:52 ` Leo Famulari
2016-03-03 16:33 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=92cf16de48838de4d9d060886f0bc9915e8f52e1.1456947844.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.