# HG changeset patch
# User Vladimir Marek
# Date 1338877098 25200
# Node ID e77c012d95e96914ca6fe39a65512125d7bb13db
# Parent 1caf21467dca007e0d7c392470817b00bfbc6c38
7125218 Problem with utility/perl
diff -r 1caf21467dca -r e77c012d95e9 components/perl512/patches/CVE-2011-3597.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl512/patches/CVE-2011-3597.patch Mon Jun 04 23:18:18 2012 -0700 
@@ -0,0 +1,300 @@
+diff -Naur perl-5.12.4/cpan/Digest/Changes new/cpan/Digest/Changes
+--- perl-5.12.4/cpan/Digest/Changes 2011-06-01 00:47:46.000000000 -0700
++++ new/cpan/Digest/Changes 2012-04-09 14:20:51.773966321 -0700
+@@ -1,3 +1,24 @@
++2011-10-02 Gisle Aas
++
++ Release 1.17.
++
++ Gisle Aas (6):
++ Less noisy 'git status' output
++ Merge pull request #1 from schwern/bug/require_eval
++ Don't clobber $@ in Digest->new [RT#50663]
++ More meta info added to Makefile.PL
++ Fix typo in RIPEMD160 [RT#50629]
++ Add schwern's test files
++
++ Michael G. Schwern (5):
++ Turn on strict.
++ Convert tests to use Test::More
++ Untabify
++ Turn Digest::Dummy into a real file which exercises the Digest->new() require logic.
++ Close the eval "require $module" security hole in Digest->new($algorithm)
++
++
++
+ 2009-06-09 Gisle Aas
+ 
+ Release 1.16.
+diff -Naur perl-5.12.4/cpan/Digest/Digest.pm new/cpan/Digest/Digest.pm
+--- perl-5.12.4/cpan/Digest/Digest.pm 2011-06-01 00:47:46.000000000 -0700
++++ new/cpan/Digest/Digest.pm 2012-04-09 14:20:51.876396277 -0700
+@@ -3,7 +3,7 @@
+ use strict;
+ use vars qw($VERSION %MMAP $AUTOLOAD);
+ 
+-$VERSION = "1.16";
++$VERSION = "1.17";
+ 
+ %MMAP = (
+ "SHA-1" => [["Digest::SHA", 1], "Digest::SHA1", ["Digest::SHA2", 1]],
+@@ -16,7 +16,7 @@
+ "CRC-16" => [["Digest::CRC", type => "crc16"]],
+ "CRC-32" => [["Digest::CRC", type => "crc32"]],
+ "CRC-CCITT" => [["Digest::CRC", type => "crcccitt"]],
+- "RIPEMD-160" => "Crypt::PIPEMD160",
++ "RIPEMD-160" => "Crypt::RIPEMD160",
+ );
+ 
+ sub new
+@@ -24,24 +24,27 @@
+ shift; # class ignored
+ my $algorithm = shift;
+ my $impl = $MMAP{$algorithm} || do {
+- $algorithm =~ s/\W+//;
+- "Digest::$algorithm";
++ $algorithm =~ s/\W+//g;
++ "Digest::$algorithm";
+ };
+ $impl = [$impl] unless ref($impl);
++ local $@; # don't clobber it for our caller
+ my $err;
+ for (@$impl) {
+- my $class = $_;
+- my @args;
+- ($class, @args) = @$class if ref($class);
+- no strict 'refs';
+- unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
+- if ($@) {
+- $err ||= $@;
+- next;
+- }
+- }
+- return $class->new(@args, @_);
++ my $class = $_;
++ my @args;
++ ($class, @args) = @$class if ref($class);
++ no strict 'refs';
++ unless (exists ${"$class\::"}{"VERSION"}) {
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
++ if ($@) {
++ $err ||= $@;
++ next;
++ }
++ }
++ return $class->new(@args, @_);
+ }
+ die $err;
+ }
+diff -Naur perl-5.12.4/cpan/Digest/t/base.t new/cpan/Digest/t/base.t
+--- perl-5.12.4/cpan/Digest/t/base.t 2011-06-01 00:47:46.000000000 -0700
++++ new/cpan/Digest/t/base.t 2012-04-09 14:20:51.993284381 -0700
+@@ -1,7 +1,6 @@
+ #!perl -w
+ 
+-use Test qw(plan ok);
+-plan tests => 12;
++use Test::More tests => 12;
+ 
+ {
+ package LenDigest;
+@@ -31,26 +30,26 @@
+ }
+ 
+ my $ctx = LenDigest->new;
+-ok($ctx->digest, "X0000");
++is($ctx->digest, "X0000");
+ 
+ my $EBCDIC = ord('A') == 193;
+ 
+ if ($EBCDIC) {
+- ok($ctx->hexdigest, "e7f0f0f0f0");
+- ok($ctx->b64digest, "5/Dw8PA");
++ is($ctx->hexdigest, "e7f0f0f0f0");
++ is($ctx->b64digest, "5/Dw8PA");
+ } else {
+- ok($ctx->hexdigest, "5830303030");
+- ok($ctx->b64digest, "WDAwMDA");
++ is($ctx->hexdigest, "5830303030");
++ is($ctx->b64digest, "WDAwMDA");
+ }
+ 
+ $ctx->add("foo");
+-ok($ctx->digest, "f0003");
++is($ctx->digest, "f0003");
+ 
+ $ctx->add("foo");
+-ok($ctx->hexdigest, $EBCDIC ? "86f0f0f0f3" : "6630303033");
++is($ctx->hexdigest, $EBCDIC ? "86f0f0f0f3" : "6630303033");
+ 
+ $ctx->add("foo");
+-ok($ctx->b64digest, $EBCDIC ? "hvDw8PM" : "ZjAwMDM");
++is($ctx->b64digest, $EBCDIC ? "hvDw8PM" : "ZjAwMDM");
+ 
+ open(F, ">xxtest$$") || die;
+ binmode(F);
+@@ -62,23 +61,23 @@
+ close(F);
+ unlink("xxtest$$") || warn;
+ 
+-ok($ctx->digest, "a0301");
++is($ctx->digest, "a0301");
+ 
+ eval {
+ $ctx->add_bits("1010");
+ };
+-ok($@ =~ /^Number of bits must be multiple of 8/);
++like($@, '/^Number of bits must be multiple of 8/');
+ 
+ $ctx->add_bits($EBCDIC ? "11100100" : "01010101");
+-ok($ctx->digest, "U0001");
++is($ctx->digest, "U0001");
+ 
+ eval {
+ $ctx->add_bits("abc", 12);
+ };
+-ok($@ =~ /^Number of bits must be multiple of 8/);
++like($@, '/^Number of bits must be multiple of 8/');
+ 
+ $ctx->add_bits("abc", 16);
+-ok($ctx->digest, "a0002");
++is($ctx->digest, "a0002");
+ 
+ $ctx->add_bits("abc", 32);
+-ok($ctx->digest, "a0003");
++is($ctx->digest, "a0003");
+diff -Naur perl-5.12.4/cpan/Digest/t/digest.t new/cpan/Digest/t/digest.t
+--- perl-5.12.4/cpan/Digest/t/digest.t 2011-06-01 00:47:46.000000000 -0700
++++ new/cpan/Digest/t/digest.t 2012-04-16 14:02:55.704568190 -0700
+@@ -1,36 +1,23 @@
+-print "1..3\n";
++#!/usr/bin/env perl
+ 
+-use Digest;
++use strict;
++use Test::More tests => 4;
++
++# To find Digest::Dummy
++use lib 't/lib';
++use lib 'lib';
+ 
+-{
+- package Digest::Dummy;
+- use vars qw($VERSION @ISA);
+- $VERSION = 1;
+-
+- require Digest::base;
+- @ISA = qw(Digest::base);
+-
+- sub new {
+- my $class = shift;
+- my $d = shift || "ooo";
+- bless { d => $d }, $class;
+- }
+- sub add {}
+- sub digest { shift->{d} }
+-}
++use Digest;
+ 
++$@ = "rt#50663";
+ my $d;
+ $d = Digest->new("Dummy");
+-print "not " unless $d->digest eq "ooo";
+-print "ok 1\n";
++is $@, "rt#50663";
++is $d->digest, "ooo";
+ 
+ $d = Digest->Dummy;
+-print "not " unless $d->digest eq "ooo";
+-print "ok 2\n";
++is $d->digest, "ooo";
+ 
+ $Digest::MMAP{"Dummy-24"} = [["NotThere"], "NotThereEither", ["Digest::Dummy", 24]];
+ $d = Digest->new("Dummy-24");
+-print "not " unless $d->digest eq "24";
+-print "ok 3\n";
+-
+-
++is $d->digest, "24";
+diff -Naur perl-5.12.4/cpan/Digest/t/file.t new/cpan/Digest/t/file.t
+--- perl-5.12.4/cpan/Digest/t/file.t 2011-06-01 00:47:46.000000000 -0700
++++ new/cpan/Digest/t/file.t 2012-04-09 14:20:52.032053178 -0700
+@@ -1,7 +1,6 @@
+ #!perl -w
+ 
+-use Test qw(plan ok);
+-plan tests => 5;
++use Test::More tests => 5;
+ 
+ {
+ package Digest::Foo;
+@@ -36,17 +35,17 @@
+ print F "foo\0\n";
+ close(F) || die "Can't write '$file': $!";
+ 
+-ok(digest_file($file, "Foo"), "0005");
++is(digest_file($file, "Foo"), "0005");
+ 
+ if (ord('A') == 193) { # EBCDIC.
+- ok(digest_file_hex($file, "Foo"), "f0f0f0f5");
+- ok(digest_file_base64($file, "Foo"), "8PDw9Q");
++ is(digest_file_hex($file, "Foo"), "f0f0f0f5");
++ is(digest_file_base64($file, "Foo"), "8PDw9Q");
+ } else {
+- ok(digest_file_hex($file, "Foo"), "30303035");
+- ok(digest_file_base64($file, "Foo"), "MDAwNQ");
++ is(digest_file_hex($file, "Foo"), "30303035");
++ is(digest_file_base64($file, "Foo"), "MDAwNQ");
+ }
+ 
+ unlink($file) || warn "Can't unlink '$file': $!";
+ 
+-ok(eval { digest_file("not-there.txt", "Foo") }, undef);
+-ok($@);
++ok !eval { digest_file("not-there.txt", "Foo") };
++ok $@;
+diff -Naur perl-5.12.4/cpan/Digest/t/lib/Digest/Dummy.pm new/cpan/Digest/t/lib/Digest/Dummy.pm
+--- perl-5.12.4/cpan/Digest/t/lib/Digest/Dummy.pm 1969-12-31 16:00:00.000000000 -0800
++++ new/cpan/Digest/t/lib/Digest/Dummy.pm 2012-04-09 14:20:52.091220603 -0700
+@@ -0,0 +1,20 @@
++package Digest::Dummy;
++
++use strict;
++use vars qw($VERSION @ISA);
++$VERSION = 1;
++
++require Digest::base;
++@ISA = qw(Digest::base);
++
++sub new {
++ my $class = shift;
++ my $d = shift || "ooo";
++ bless { d => $d }, $class;
++}
++
++sub add {}
++sub digest { shift->{d} }
++
++1;
++
+diff -Naur perl-5.12.4/cpan/Digest/t/security.t new/cpan/Digest/t/security.t
+--- perl-5.12.4/cpan/Digest/t/security.t 1969-12-31 16:00:00.000000000 -0800
++++ new/cpan/Digest/t/security.t 2012-04-09 14:20:52.126914007 -0700
+@@ -0,0 +1,14 @@
++#!/usr/bin/env perl
++
++# Digest->new() had an exploitable eval
++
++use strict;
++use warnings;
++
++use Test::More tests => 1;
++
++use Digest;
++
++$LOL::PWNED = 0;
++eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
++is $LOL::PWNED, 0;
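Review bot: The two lines that actually close CVE-2011-3597 in the Digest.pm part of this patch, `$algorithm =~ s/\W+//g;` and `eval { require $pm_file };`, carry no comment explaining the change, so a later reader may not see why the `/g` and the block eval both matter: the old `s/\W+//` removed only the first run of non-word characters, and whatever remained was handed to a string eval as code, whereas `require` with a string argument only resolves a file under @INC. A comment such as `# strip every non-word run, not just the first; the name is used as a file path and stash key below, never as code` on the substitution would record that. Class names that come from %MMAP rather than from the sanitizer are not filtered; they appear to be trusted table entries, but the table is a writable package global (digest.t itself assigns to `$Digest::MMAP{...}`), so a one-line note that callers are expected to put only class names there would make the assumption explicit. The `sub new` whose body the inner `@@ -24,24 +24,27 @@` hunk rewrites opens before that hunk.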