# HG changeset patch # User Brian Cameron # Date 1363041669 25200 # Node ID 8f71b436e7f70317960e4cc6fcdfcb6fd5983b1d # Parent 6c6c27bcf9ac4e0617d29deca70c5c7bfd8f2f1b 15820486 problem in UTILITY/PERL 15880426 problem in UTILITY/PERL 16417744 problem in UTILITY/PERL 16383261 problem in UTILITY/PERL 16427786 problem in UTILITY/PERL diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl/perl516/patches/16417744.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl/perl516/patches/16417744.patch Mon Mar 11 15:41:09 2013 -0700 @@ -0,0 +1,85 @@ + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 +CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 + +From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001 +From: Brian Carlson +Date: Wed, 28 Nov 2012 08:54:33 -0500 +Subject: [PATCH] Fix misparsing of maketext strings. + +Case 61251: This commit fixes a misparse of maketext strings that could +lead to arbitrary code execution. Basically, maketext was compiling +bracket notation into functions, but neglected to escape backslashes +inside the content or die on fully-qualified method names when +generating the code. This change escapes all such backslashes and dies +when a method name with a colon or apostrophe is specified. +--- + AUTHORS | 1 + + dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++---------------- + 2 files changed, 9 insertions(+), 16 deletions(-) + +diff --git a/AUTHORS b/AUTHORS +index 70734b0..009dea0 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -154,6 +154,7 @@ Breno G. de Oliveira + Brent Dax + Brooks D Boyd + Brian Callaghan ++Brian Carlson + Brian Clarke + brian d foy + Brian Fraser +diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm +index 4822027..63e5fba 100644 +--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm ++++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm +@@ -625,21 +625,9 @@ sub _compile { + # 0-length method name means to just interpolate: + push @code, ' ('; + } +- elsif($m =~ /^\w+(?:\:\:\w+)*$/s +- and $m !~ m/(?:^|\:)\d/s +- # exclude starting a (sub)package or symbol with a digit ++ elsif($m =~ /^\w+$/s ++ # exclude anything fancy, especially fully-qualified module names + ) { +- # Yes, it even supports the demented (and undocumented?) +- # $obj->Foo::bar(...) syntax. +- $target->_die_pointing( +- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method}, +- 2 + length($c[-1]) +- ) +- if $m =~ m/^SUPER::/s; +- # Because for SUPER:: to work, we'd have to compile this into +- # the right package, and that seems just not worth the bother, +- # unless someone convinces me otherwise. +- + push @code, ' $_[0]->' . $m . '('; + } + else { +@@ -693,7 +681,9 @@ sub _compile { + elsif(substr($1,0,1) ne '~') { + # it's stuff not containing "~" or "[" or "]" + # i.e., a literal blob +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + + } + elsif($1 eq '~~') { # "~~" +@@ -731,7 +721,9 @@ sub _compile { + else { + # It's a "~X" where X is not a special character. + # Consider it a literal ~ and X. +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + } + } + } +-- +1.7.4.1 + diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl/perl516/patches/rehash-5.16.2.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl/perl516/patches/rehash-5.16.2.patch Mon Mar 11 15:41:09 2013 -0700 @@ -0,0 +1,171 @@ +From f1220d61455253b170e81427c9d0357831ca0fac Mon Sep 17 00:00:00 2001 +From: Yves Orton +Date: Tue, 12 Feb 2013 10:53:05 +0100 +Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH + after hsplit() + +Triggering a hsplit due to long chain length allows an attacker +to create a carefully chosen set of keys which can cause the hash +to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory +exhaustion. Doing so also takes non trivial time. + +Eliminating this check, and only inspecting chain length after a +normal hsplit() (triggered when keys>buckets) prevents the attack +entirely, and makes such attacks relatively benign. +--- + ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++-- + hv.c | 35 ++++++++--------------------------- + t/op/hash.t | 20 +++++++++++++++++--- + 3 files changed, 41 insertions(+), 32 deletions(-) + +diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t +index 2cfb4e8..d58f053 100644 +--- a/ext/Hash-Util-FieldHash/t/10_hash.t ++++ b/ext/Hash-Util-FieldHash/t/10_hash.t +@@ -38,15 +38,29 @@ use constant START => "a"; + + # some initial hash data + fieldhash my %h2; +-%h2 = map {$_ => 1} 'a'..'cc'; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; +diff --git a/hv.c b/hv.c +index 6b66251..a031703 100644 +--- a/hv.c ++++ b/hv.c +@@ -35,7 +35,8 @@ holds the key and hash value. + #define PERL_HASH_INTERNAL_ACCESS + #include "perl.h" + +-#define HV_MAX_LENGTH_BEFORE_SPLIT 14 ++#define HV_MAX_LENGTH_BEFORE_REHASH 14 ++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ + + static const char S_strtab_error[] + = "Cannot modify shared string table in hv_%s"; +@@ -798,29 +799,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, + if (masked_flags & HVhek_ENABLEHVKFLAGS) + HvHASKFLAGS_on(hv); + +- { +- const HE *counter = HeNEXT(entry); +- +- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ +- if (!counter) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max) { +- /* Use only the old HvUSEDKEYS(hv) > HvMAX(hv) condition to limit +- bucket splits on a rehashed hash, as we're not going to +- split it again, and if someone is lucky (evil) enough to +- get all the keys in one list they could exhaust our memory +- as we repeatedly double the number of buckets on every +- entry. Linear search feels a less worse thing to do. */ +- hsplit(hv); +- } else if(!HvREHASH(hv)) { +- U32 n_links = 1; +- +- while ((counter = HeNEXT(counter))) +- n_links++; +- +- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { +- hsplit(hv); +- } +- } ++ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ ++ if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(hv); + } + + if (return_svp) { +@@ -1197,7 +1178,7 @@ S_hsplit(pTHX_ HV *hv) + + + /* Pick your policy for "hashing isn't working" here: */ +- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ ++ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ + || HvREHASH(hv)) { + return; + } +@@ -2782,8 +2763,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) + + xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ + if (!next) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max /* HvUSEDKEYS(hv) > HvMAX(hv) */) { +- hsplit(PL_strtab); ++ } else if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(PL_strtab); + } + } + +diff --git a/t/op/hash.t b/t/op/hash.t +index ef757a3..97eb81b 100644 +--- a/t/op/hash.t ++++ b/t/op/hash.t +@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; + use constant START => "a"; + + # some initial hash data +-my %h2 = map {$_ => 1} 'a'..'cc'; ++my %h2; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; + + # the minimum of bits required to mount the attack on a hash + my $min_bits = log(THRESHOLD)/log(2); +- + # if the hash has already been populated with a significant amount + # of entries the number of mask bits can be higher + my $keys = scalar keys %$hr; +-- +1.8.1.3 + + diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/Makefile --- a/components/perl512/Makefile Mon Mar 11 10:06:51 2013 -0700 +++ b/components/perl512/Makefile Mon Mar 11 15:41:09 2013 -0700 @@ -29,13 +29,13 @@ # can't call it. COMPONENT_NAME= perl -COMPONENT_VERSION= 5.12.4 +COMPONENT_VERSION= 5.12.5 PERL_VERSION= 5.12 COMPONENT_PROJECT_URL= http://www.perl.org/ COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.bz2 COMPONENT_ARCHIVE_HASH= \ - sha256:c920fa01a34b7752e8cbbc99c6921b908df60611d84a29c4377e4a798604767e + sha256:10749417fd3010aae320a34181ad4cd6a4855c1fc63403b87fa4d630b18e966c COMPONENT_ARCHIVE_URL= http://www.cpan.org/src/5.0/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/perl diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/15880426.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl512/patches/15880426.patch Mon Mar 11 15:41:09 2013 -0700 @@ -0,0 +1,66 @@ +Escape new-lines in Cookie and P3P headers + +This is relevant difference between CGI 3.62 and 3.63. +See . + +diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm +index d8d91f4..5bc9b17 100644 +--- a/cpan/CGI/lib/CGI.pm ++++ b/cpan/CGI/lib/CGI.pm +@@ -1497,8 +1497,17 @@ sub header { + 'EXPIRES','NPH','CHARSET', + 'ATTACHMENT','P3P'],@p); + ++ # Since $cookie and $p3p may be array references, ++ # we must stringify them before CR escaping is done. ++ my @cookie; ++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) { ++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; ++ push(@cookie,$cs) if defined $cs and $cs ne ''; ++ } ++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; ++ + # CR escaping for values, per RFC 822 +- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { ++ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { + if (defined $header) { + # From RFC 822: + # Unfolding is accomplished by regarding CRLF immediately +@@ -1542,18 +1551,9 @@ sub header { + + push(@header,"Status: $status") if $status; + push(@header,"Window-Target: $target") if $target; +- if ($p3p) { +- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; +- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p")); +- } ++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p; + # push all the cookies -- there may be several +- if ($cookie) { +- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie; +- for (@cookie) { +- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; +- push(@header,"Set-Cookie: $cs") if $cs ne ''; +- } +- } ++ push(@header,map {"Set-Cookie: $_"} @cookie); + # if the user indicates an expiration time, then we need + # both an Expires and a Date header (so that the browser is + # uses OUR clock) +diff --git a/t/headers.t b/t/headers.t +index 661b74b..4b4922c 100644 +--- a/cpan/CGI/t/headers.t ++++ b/cpan/CGI/t/headers.t +@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up'); + like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ), + qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line'; + ++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) }; ++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up'); ++ ++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) }; ++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up'); ++ + eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) }; + like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up'); + diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/16417744.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl512/patches/16417744.patch Mon Mar 11 15:41:09 2013 -0700 @@ -0,0 +1,74 @@ + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 +CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 + +From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001 +From: Brian Carlson +Date: Wed, 28 Nov 2012 08:54:33 -0500 +Subject: [PATCH] Fix misparsing of maketext strings. + +Case 61251: This commit fixes a misparse of maketext strings that could +lead to arbitrary code execution. Basically, maketext was compiling +bracket notation into functions, but neglected to escape backslashes +inside the content or die on fully-qualified method names when +generating the code. This change escapes all such backslashes and dies +when a method name with a colon or apostrophe is specified. + +--- perl-5.12.5/AUTHORS-orig 2013-03-05 22:57:22.320359148 -0600 ++++ perl-5.12.5/AUTHORS 2013-03-05 22:58:13.374206098 -0600 +@@ -139,6 +139,7 @@ Brent B. Powers + Brent Dax + Brooks D Boyd + Brian Callaghan ++Brian Carlson + Brian Clarke + brian d foy + Brian Grossman +--- perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm-orig 2013-03-05 23:00:24.953530801 -0600 ++++ perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm 2013-03-05 23:01:05.801008668 -0600 +@@ -140,21 +140,9 @@ sub _compile { + # 0-length method name means to just interpolate: + push @code, ' ('; + } +- elsif($m =~ /^\w+(?:\:\:\w+)*$/s +- and $m !~ m/(?:^|\:)\d/s +- # exclude starting a (sub)package or symbol with a digit ++ elsif($m =~ /^\w+$/s ++ # exclude anything fancy, especially fully-qualified module names + ) { +- # Yes, it even supports the demented (and undocumented?) +- # $obj->Foo::bar(...) syntax. +- $target->_die_pointing( +- $_[1], q{Can't use "SUPER::" in a bracket-group method}, +- 2 + length($c[-1]) +- ) +- if $m =~ m/^SUPER::/s; +- # Because for SUPER:: to work, we'd have to compile this into +- # the right package, and that seems just not worth the bother, +- # unless someone convinces me otherwise. +- + push @code, ' $_[0]->' . $m . '('; + } + else { +@@ -208,7 +196,9 @@ sub _compile { + elsif(substr($1,0,1) ne '~') { + # it's stuff not containing "~" or "[" or "]" + # i.e., a literal blob +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + + } + elsif($1 eq '~~') { # "~~" +@@ -246,7 +236,9 @@ sub _compile { + else { + # It's a "~X" where X is not a special character. + # Consider it a literal ~ and X. +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + } + } + } diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/CVE-2011-2728.patch --- a/components/perl512/patches/CVE-2011-2728.patch Mon Mar 11 10:06:51 2013 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,48 +0,0 @@ -# -# CVE-2011-2728 -# http://perl5.git.perl.org/perl.git/commit/1af4051e077438976a4c12a0622feaf6715bec77 -# https://bugzilla.redhat.com/show_bug.cgi?id=742236 -# -diff -urN perl-5.12.3/ext/File-Glob/Glob.xs p/ext/File-Glob/Glob.xs ---- perl-5.12.3/ext/File-Glob/Glob.xs 2011-01-09 12:20:55.000000000 -0800 -+++ perl-5.12.3/ext/File-Glob/Glob.xs 2011-11-28 00:46:10.593556922 -0800 -@@ -1,6 +1,7 @@ - #include "EXTERN.h" - #include "perl.h" - #include "XSUB.h" -+#include "strings.h" - - #include "bsd_glob.h" - -@@ -49,9 +50,12 @@ - /* allow for optional flags argument */ - if (items > 1) { - flags = (int) SvIV(ST(1)); -+ /* remove unsupported flags */ -+ flags &= ~(GLOB_APPEND | GLOB_DOOFFS | GLOB_ALTDIRFUNC | GLOB_MAGCHAR); - } - - /* call glob */ -+ bzero(&pglob, sizeof(glob_t)); - retval = bsd_glob(pattern, flags, errfunc, &pglob); - GLOB_ERROR = retval; - ---- perl-5.12.3/ext/File-Glob/t/basic.t.orig út lis 15 13:22:27 2011 -+++ perl-5.12.3/ext/File-Glob/t/basic.t út lis 15 13:22:54 2011 -@@ -15,7 +15,7 @@ - } - } - use strict; --use Test::More tests => 14; -+use Test::More tests => 15; - BEGIN {use_ok('File::Glob', ':glob')}; - use Cwd (); - -@@ -195,3 +195,7 @@ - local $TODO = "home-made glob doesn't do regexes" if $^O eq 'VMS'; - is_deeply(\@glob_files, ['a_dej']); - } -+ -+# This used to segfault. -+my $i = bsd_glob('*', GLOB_ALTDIRFUNC); -+is(&File::Glob::GLOB_ERROR, 0, "Successfuly ignored unsupported flag"); diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/CVE-2011-2939.patch --- a/components/perl512/patches/CVE-2011-2939.patch Mon Mar 11 10:06:51 2013 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,19 +0,0 @@ -# -# CVE-2011-2939 -# http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5 -# https://bugzilla.redhat.com/show_bug.cgi?id=731246 -# ---- perl-5.12.3/cpan/Encode/Unicode/Unicode.xs.old 2011-11-15 22:37:18.836023493 -0800 -+++ perl-5.12.3/cpan/Encode/Unicode/Unicode.xs 2011-11-15 22:40:56.191609987 -0800 -@@ -246,7 +246,10 @@ - This prevents allocating too much in the rogue case of a large - input consisting initially of long sequence uft8-byte unicode - chars followed by single utf8-byte chars. */ -- STRLEN remaining = (e - s)/usize; -+ /* +1 -+ fixes Unicode.xs!decode_xs n-byte heap-overflow -+ */ -+ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ - STRLEN max_alloc = remaining + (8*1024*1024); - STRLEN est_alloc = remaining * UTF8_MAXLEN; - STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */ diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/patchlevel_h.patch --- a/components/perl512/patches/patchlevel_h.patch Mon Mar 11 10:06:51 2013 -0700 +++ b/components/perl512/patches/patchlevel_h.patch Mon Mar 11 15:41:09 2013 -0700 @@ -1,12 +1,16 @@ --- perl-5.12.4/patchlevel.h 2011-06-15 10:14:22.000000000 -0700 +++ CGI.pm-3.59/patchlevel.h 2012-06-13 18:10:17.136255349 -0700 -@@ -131,6 +131,9 @@ +@@ -131,6 +131,13 @@ ,"uncommitted-changes" #endif PERL_GIT_UNPUSHED_COMMITS /* do not remove this line */ + ,"7111771 Problem with utility/perl" + ,"7125218 Problem with utility/perl" + ,"7030196 Problem with utility/perl" ++ ,"15820486 Problem with utility/perl" ++ ,"15880426 Problem with utility/perl" ++ ,"16417744 Problem with utility/perl" ++ ,"16427786 Problem with utility/perl" ,NULL }; diff -r 6c6c27bcf9ac -r 8f71b436e7f7 components/perl512/patches/rehash-5.12.5.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl512/patches/rehash-5.12.5.patch Mon Mar 11 15:41:09 2013 -0700 @@ -0,0 +1,165 @@ +From f2a571dae7d70f7e3b59022834d8003ecd2df884 Mon Sep 17 00:00:00 2001 +From: Yves Orton +Date: Tue, 12 Feb 2013 10:53:05 +0100 +Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH + after hsplit() + +Triggering a hsplit due to long chain length allows an attacker +to create a carefully chosen set of keys which can cause the hash +to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory +exhaustion. Doing so also takes non trivial time. + +Eliminating this check, and only inspecting chain length after a +normal hsplit() (triggered when keys>buckets) prevents the attack +entirely, and makes such attacks relatively benign. + +(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac) +--- + ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++-- + hv.c | 26 ++++++-------------------- + t/op/hash.t | 20 +++++++++++++++++--- + 3 files changed, 39 insertions(+), 25 deletions(-) + +diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t +index 2cfb4e8..d58f053 100644 +--- a/ext/Hash-Util-FieldHash/t/10_hash.t ++++ b/ext/Hash-Util-FieldHash/t/10_hash.t +@@ -38,15 +38,29 @@ use constant START => "a"; + + # some initial hash data + fieldhash my %h2; +-%h2 = map {$_ => 1} 'a'..'cc'; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; +diff --git a/hv.c b/hv.c +index 89c6456..8659678 100644 +--- a/hv.c ++++ b/hv.c +@@ -35,7 +35,8 @@ holds the key and hash value. + #define PERL_HASH_INTERNAL_ACCESS + #include "perl.h" + +-#define HV_MAX_LENGTH_BEFORE_SPLIT 14 ++#define HV_MAX_LENGTH_BEFORE_REHASH 14 ++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ + + static const char S_strtab_error[] + = "Cannot modify shared string table in hv_%s"; +@@ -818,23 +819,8 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, + xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ + if (!counter) { /* initial entry? */ + xhv->xhv_fill++; /* HvFILL(hv)++ */ +- } else if (xhv->xhv_keys > (IV)xhv->xhv_max) { ++ } else if ( SHOULD_DO_HSPLIT(xhv) ) { + hsplit(hv); +- } else if(!HvREHASH(hv)) { +- U32 n_links = 1; +- +- while ((counter = HeNEXT(counter))) +- n_links++; +- +- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { +- /* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit +- bucket splits on a rehashed hash, as we're not going to +- split it again, and if someone is lucky (evil) enough to +- get all the keys in one list they could exhaust our memory +- as we repeatedly double the number of buckets on every +- entry. Linear search feels a less worse thing to do. */ +- hsplit(hv); +- } + } + } + +@@ -1180,7 +1166,7 @@ S_hsplit(pTHX_ HV *hv) + + + /* Pick your policy for "hashing isn't working" here: */ +- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ ++ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ + || HvREHASH(hv)) { + return; + } +@@ -2551,8 +2537,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) + xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ + if (!next) { /* initial entry? */ + xhv->xhv_fill++; /* HvFILL(hv)++ */ +- } else if (xhv->xhv_keys > (IV)xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) { +- hsplit(PL_strtab); ++ } else if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(PL_strtab); + } + } + +diff --git a/t/op/hash.t b/t/op/hash.t +index 9bde518..45eb782 100644 +--- a/t/op/hash.t ++++ b/t/op/hash.t +@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; + use constant START => "a"; + + # some initial hash data +-my %h2 = map {$_ => 1} 'a'..'cc'; ++my %h2; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; + + # the minimum of bits required to mount the attack on a hash + my $min_bits = log(THRESHOLD)/log(2); +- + # if the hash has already been populated with a significant amount + # of entries the number of mask bits can be higher + my $keys = scalar keys %$hr; +-- +1.8.1.3 + +