15820486 problem in UTILITY/PERL
authorBrian Cameron <brian.cameron@oracle.com>
Mon, 11 Mar 2013 15:41:09 -0700
changeset 1206 8f71b436e7f7
parent 1205 6c6c27bcf9ac
child 1207 1d0be3a9fc06
15820486 problem in UTILITY/PERL 15880426 problem in UTILITY/PERL 16417744 problem in UTILITY/PERL 16383261 problem in UTILITY/PERL 16427786 problem in UTILITY/PERL
components/perl/perl516/patches/16417744.patch
components/perl/perl516/patches/rehash-5.16.2.patch
components/perl512/Makefile
components/perl512/patches/15880426.patch
components/perl512/patches/16417744.patch
components/perl512/patches/CVE-2011-2728.patch
components/perl512/patches/CVE-2011-2939.patch
components/perl512/patches/patchlevel_h.patch
components/perl512/patches/rehash-5.12.5.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl516/patches/16417744.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -0,0 +1,85 @@
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
+CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
+
+From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
+From: Brian Carlson <[email protected]>
+Date: Wed, 28 Nov 2012 08:54:33 -0500
+Subject: [PATCH] Fix misparsing of maketext strings.
+
+Case 61251: This commit fixes a misparse of maketext strings that could
+lead to arbitrary code execution.  Basically, maketext was compiling
+bracket notation into functions, but neglected to escape backslashes
+inside the content or die on fully-qualified method names when
+generating the code.  This change escapes all such backslashes and dies
+when a method name with a colon or apostrophe is specified.
+---
+ AUTHORS                                     |    1 +
+ dist/Locale-Maketext/lib/Locale/Maketext.pm |   24 ++++++++----------------
+ 2 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 70734b0..009dea0 100644
+--- a/AUTHORS
++++ b/AUTHORS
[email protected]@ -154,6 +154,7 @@ Breno G. de Oliveira		<[email protected]>
+ Brent Dax			<[email protected]>
+ Brooks D Boyd
+ Brian Callaghan			<[email protected]>
++Brian Carlson			<[email protected]>
+ Brian Clarke			<[email protected]>
+ brian d foy			<[email protected]>
+ Brian Fraser			<[email protected]>
+diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
+index 4822027..63e5fba 100644
+--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
++++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
[email protected]@ -625,21 +625,9 @@ sub _compile {
+                         # 0-length method name means to just interpolate:
+                         push @code, ' (';
+                     }
+-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s
+-                            and $m !~ m/(?:^|\:)\d/s
+-                        # exclude starting a (sub)package or symbol with a digit
++                    elsif($m =~ /^\w+$/s
++                        # exclude anything fancy, especially fully-qualified module names
+                     ) {
+-                        # Yes, it even supports the demented (and undocumented?)
+-                        #  $obj->Foo::bar(...) syntax.
+-                        $target->_die_pointing(
+-                            $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
+-                            2 + length($c[-1])
+-                        )
+-                        if $m =~ m/^SUPER::/s;
+-                        # Because for SUPER:: to work, we'd have to compile this into
+-                        #  the right package, and that seems just not worth the bother,
+-                        #  unless someone convinces me otherwise.
+-
+                         push @code, ' $_[0]->' . $m . '(';
+                     }
+                     else {
[email protected]@ -693,7 +681,9 @@ sub _compile {
+             elsif(substr($1,0,1) ne '~') {
+                 # it's stuff not containing "~" or "[" or "]"
+                 # i.e., a literal blob
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+ 
+             }
+             elsif($1 eq '~~') { # "~~"
[email protected]@ -731,7 +721,9 @@ sub _compile {
+             else {
+                 # It's a "~X" where X is not a special character.
+                 # Consider it a literal ~ and X.
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+             }
+         }
+     }
+-- 
+1.7.4.1
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl516/patches/rehash-5.16.2.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -0,0 +1,171 @@
+From f1220d61455253b170e81427c9d0357831ca0fac Mon Sep 17 00:00:00 2001
+From: Yves Orton <[email protected]>
+Date: Tue, 12 Feb 2013 10:53:05 +0100
+Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH
+ after hsplit()
+
+Triggering a hsplit due to long chain length allows an attacker
+to create a carefully chosen set of keys which can cause the hash
+to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
+exhaustion. Doing so also takes non trivial time.
+
+Eliminating this check, and only inspecting chain length after a
+normal hsplit() (triggered when keys>buckets) prevents the attack
+entirely, and makes such attacks relatively benign.
+---
+ ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++--
+ hv.c                                | 35 ++++++++---------------------------
+ t/op/hash.t                         | 20 +++++++++++++++++---
+ 3 files changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t
+index 2cfb4e8..d58f053 100644
+--- a/ext/Hash-Util-FieldHash/t/10_hash.t
++++ b/ext/Hash-Util-FieldHash/t/10_hash.t
[email protected]@ -38,15 +38,29 @@ use constant START     => "a";
+ 
+ # some initial hash data
+ fieldhash my %h2;
+-%h2 = map {$_ => 1} 'a'..'cc';
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+ 
+ ok (!Internals::HvREHASH(%h2), 
+     "starting with pre-populated non-pathological hash (rehash flag if off)");
+ 
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2), 
+-    scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++    scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++    my $hr = shift;
++    my $keys_buckets= scalar(%$hr);
++    if ($keys_buckets=~m!/([0-9]+)\z!) {
++        return 0+$1;
++    } else {
++        return 8;
++    }
++}
+ 
+ sub get_keys {
+     my $hr = shift;
+diff --git a/hv.c b/hv.c
+index 6b66251..a031703 100644
+--- a/hv.c
++++ b/hv.c
[email protected]@ -35,7 +35,8 @@ holds the key and hash value.
+ #define PERL_HASH_INTERNAL_ACCESS
+ #include "perl.h"
+ 
+-#define HV_MAX_LENGTH_BEFORE_SPLIT 14
++#define HV_MAX_LENGTH_BEFORE_REHASH 14
++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */
+ 
+ static const char S_strtab_error[]
+     = "Cannot modify shared string table in hv_%s";
[email protected]@ -798,29 +799,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
+     if (masked_flags & HVhek_ENABLEHVKFLAGS)
+ 	HvHASKFLAGS_on(hv);
+ 
+-    {
+-	const HE *counter = HeNEXT(entry);
+-
+-	xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+-	if (!counter) {				/* initial entry? */
+-	} else if (xhv->xhv_keys > xhv->xhv_max) {
+-		/* Use only the old HvUSEDKEYS(hv) > HvMAX(hv) condition to limit
+-		   bucket splits on a rehashed hash, as we're not going to
+-		   split it again, and if someone is lucky (evil) enough to
+-		   get all the keys in one list they could exhaust our memory
+-		   as we repeatedly double the number of buckets on every
+-		   entry. Linear search feels a less worse thing to do.  */
+-	    hsplit(hv);
+-	} else if(!HvREHASH(hv)) {
+-	    U32 n_links = 1;
+-
+-	    while ((counter = HeNEXT(counter)))
+-		n_links++;
+-
+-	    if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) {
+-		hsplit(hv);
+-	    }
+-	}
++    xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
++    if ( SHOULD_DO_HSPLIT(xhv) ) {
++        hsplit(hv);
+     }
+ 
+     if (return_svp) {
[email protected]@ -1197,7 +1178,7 @@ S_hsplit(pTHX_ HV *hv)
+ 
+ 
+     /* Pick your policy for "hashing isn't working" here:  */
+-    if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked?  */
++    if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked?  */
+ 	|| HvREHASH(hv)) {
+ 	return;
+     }
[email protected]@ -2782,8 +2763,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags)
+ 
+ 	xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+ 	if (!next) {			/* initial entry? */
+-	} else if (xhv->xhv_keys > xhv->xhv_max /* HvUSEDKEYS(hv) > HvMAX(hv) */) {
+-		hsplit(PL_strtab);
++	} else if ( SHOULD_DO_HSPLIT(xhv) ) {
++            hsplit(PL_strtab);
+ 	}
+     }
+ 
+diff --git a/t/op/hash.t b/t/op/hash.t
+index ef757a3..97eb81b 100644
+--- a/t/op/hash.t
++++ b/t/op/hash.t
[email protected]@ -39,22 +39,36 @@ use constant THRESHOLD => 14;
+ use constant START     => "a";
+ 
+ # some initial hash data
+-my %h2 = map {$_ => 1} 'a'..'cc';
++my %h2;
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+ 
+ ok (!Internals::HvREHASH(%h2), 
+     "starting with pre-populated non-pathological hash (rehash flag if off)");
+ 
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2), 
+-    scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++    scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++    my $hr = shift;
++    my $keys_buckets= scalar(%$hr);
++    if ($keys_buckets=~m!/([0-9]+)\z!) {
++        return 0+$1;
++    } else {
++        return 8;
++    }
++}
+ 
+ sub get_keys {
+     my $hr = shift;
+ 
+     # the minimum of bits required to mount the attack on a hash
+     my $min_bits = log(THRESHOLD)/log(2);
+-
+     # if the hash has already been populated with a significant amount
+     # of entries the number of mask bits can be higher
+     my $keys = scalar keys %$hr;
+-- 
+1.8.1.3
+
+
--- a/components/perl512/Makefile	Mon Mar 11 10:06:51 2013 -0700
+++ b/components/perl512/Makefile	Mon Mar 11 15:41:09 2013 -0700
@@ -29,13 +29,13 @@
 # can't call it.
 
 COMPONENT_NAME=		perl
-COMPONENT_VERSION=	5.12.4
+COMPONENT_VERSION=	5.12.5
 PERL_VERSION=		5.12
 COMPONENT_PROJECT_URL=	http://www.perl.org/
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:c920fa01a34b7752e8cbbc99c6921b908df60611d84a29c4377e4a798604767e
+    sha256:10749417fd3010aae320a34181ad4cd6a4855c1fc63403b87fa4d630b18e966c
 COMPONENT_ARCHIVE_URL=	http://www.cpan.org/src/5.0/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/perl
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl512/patches/15880426.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -0,0 +1,66 @@
+Escape new-lines in Cookie and P3P headers
+
+This is relevant difference between CGI 3.62 and 3.63.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
+
+diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
+index d8d91f4..5bc9b17 100644
+--- a/cpan/CGI/lib/CGI.pm
++++ b/cpan/CGI/lib/CGI.pm
[email protected]@ -1497,8 +1497,17 @@ sub header {
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'],@p);
+ 
++    # Since $cookie and $p3p may be array references,
++    # we must stringify them before CR escaping is done.
++    my @cookie;
++    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++        push(@cookie,$cs) if defined $cs and $cs ne '';
++    }
++    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+     # CR escaping for values, per RFC 822
+-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+         if (defined $header) {
+             # From RFC 822:
+             # Unfolding  is  accomplished  by regarding   CRLF   immediately
[email protected]@ -1542,18 +1551,9 @@ sub header {
+ 
+     push(@header,"Status: $status") if $status;
+     push(@header,"Window-Target: $target") if $target;
+-    if ($p3p) {
+-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+-    }
++    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+     # push all the cookies -- there may be several
+-    if ($cookie) {
+-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+-	for (@cookie) {
+-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
+-	}
+-    }
++    push(@header,map {"Set-Cookie: $_"} @cookie);
+     # if the user indicates an expiration time, then we need
+     # both an Expires and a Date header (so that the browser is
+     # uses OUR clock)
+diff --git a/t/headers.t b/t/headers.t
+index 661b74b..4b4922c 100644
+--- a/cpan/CGI/t/headers.t
++++ b/cpan/CGI/t/headers.t
[email protected]@ -22,6 +22,12 @@ like([email protected],qr/contains a newline/,'invalid header blows up');
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+ 
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like([email protected],qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like([email protected],qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like([email protected],qr/contains a newline/,'unknown header with CRLF embedded blows up');
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl512/patches/16417744.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -0,0 +1,74 @@
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
+CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
+
+From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
+From: Brian Carlson <[email protected]>
+Date: Wed, 28 Nov 2012 08:54:33 -0500
+Subject: [PATCH] Fix misparsing of maketext strings.
+
+Case 61251: This commit fixes a misparse of maketext strings that could
+lead to arbitrary code execution.  Basically, maketext was compiling
+bracket notation into functions, but neglected to escape backslashes
+inside the content or die on fully-qualified method names when
+generating the code.  This change escapes all such backslashes and dies
+when a method name with a colon or apostrophe is specified.
+
+--- perl-5.12.5/AUTHORS-orig	2013-03-05 22:57:22.320359148 -0600
++++ perl-5.12.5/AUTHORS	2013-03-05 22:58:13.374206098 -0600
[email protected]@ -139,6 +139,7 @@ Brent B. Powers			<[email protected]>
+ Brent Dax			<[email protected]>
+ Brooks D Boyd
+ Brian Callaghan			<[email protected]>
++Brian Carlson			<[email protected]>
+ Brian Clarke			<[email protected]>
+ brian d foy			<[email protected]>
+ Brian Grossman
+--- perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm-orig	2013-03-05 23:00:24.953530801 -0600
++++ perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm	2013-03-05 23:01:05.801008668 -0600
[email protected]@ -140,21 +140,9 @@ sub _compile {
+                         # 0-length method name means to just interpolate:
+                         push @code, ' (';
+                     }
+-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s
+-                            and $m !~ m/(?:^|\:)\d/s
+-                        # exclude starting a (sub)package or symbol with a digit
++                    elsif($m =~ /^\w+$/s
++                        # exclude anything fancy, especially fully-qualified module names
+                     ) {
+-                        # Yes, it even supports the demented (and undocumented?)
+-                        #  $obj->Foo::bar(...) syntax.
+-                        $target->_die_pointing(
+-                            $_[1], q{Can't use "SUPER::" in a bracket-group method},
+-                            2 + length($c[-1])
+-                        )
+-                        if $m =~ m/^SUPER::/s;
+-                        # Because for SUPER:: to work, we'd have to compile this into
+-                        #  the right package, and that seems just not worth the bother,
+-                        #  unless someone convinces me otherwise.
+-
+                         push @code, ' $_[0]->' . $m . '(';
+                     }
+                     else {
[email protected]@ -208,7 +196,9 @@ sub _compile {
+             elsif(substr($1,0,1) ne '~') {
+                 # it's stuff not containing "~" or "[" or "]"
+                 # i.e., a literal blob
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+ 
+             }
+             elsif($1 eq '~~') { # "~~"
[email protected]@ -246,7 +236,9 @@ sub _compile {
+             else {
+                 # It's a "~X" where X is not a special character.
+                 # Consider it a literal ~ and X.
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+             }
+         }
+     }
--- a/components/perl512/patches/CVE-2011-2728.patch	Mon Mar 11 10:06:51 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,48 +0,0 @@
-#
-# CVE-2011-2728
-# http://perl5.git.perl.org/perl.git/commit/1af4051e077438976a4c12a0622feaf6715bec77
-# https://bugzilla.redhat.com/show_bug.cgi?id=742236
-#
-diff -urN perl-5.12.3/ext/File-Glob/Glob.xs p/ext/File-Glob/Glob.xs
---- perl-5.12.3/ext/File-Glob/Glob.xs   2011-01-09 12:20:55.000000000 -0800
-+++ perl-5.12.3/ext/File-Glob/Glob.xs     2011-11-28 00:46:10.593556922 -0800
[email protected]@ -1,6 +1,7 @@
- #include "EXTERN.h"
- #include "perl.h"
- #include "XSUB.h"
-+#include "strings.h"
- 
- #include "bsd_glob.h"
- 
[email protected]@ -49,9 +50,12 @@
- 	/* allow for optional flags argument */
- 	if (items > 1) {
- 	    flags = (int) SvIV(ST(1));
-+	    /* remove unsupported flags */
-+	    flags &= ~(GLOB_APPEND | GLOB_DOOFFS | GLOB_ALTDIRFUNC | GLOB_MAGCHAR);
- 	}
- 
- 	/* call glob */
-+	bzero(&pglob, sizeof(glob_t));
- 	retval = bsd_glob(pattern, flags, errfunc, &pglob);
- 	GLOB_ERROR = retval;
- 
---- perl-5.12.3/ext/File-Glob/t/basic.t.orig  út lis 15 13:22:27 2011
-+++ perl-5.12.3/ext/File-Glob/t/basic.t       út lis 15 13:22:54 2011
[email protected]@ -15,7 +15,7 @@
-     }
- }
- use strict;
--use Test::More tests => 14;
-+use Test::More tests => 15;
- BEGIN {use_ok('File::Glob', ':glob')};
- use Cwd ();
-
[email protected]@ -195,3 +195,7 @@
-     local $TODO = "home-made glob doesn't do regexes" if $^O eq 'VMS';
-     is_deeply(\@glob_files, ['a_dej']);
- }
-+
-+# This used to segfault.
-+my $i = bsd_glob('*', GLOB_ALTDIRFUNC);
-+is(&File::Glob::GLOB_ERROR, 0, "Successfuly ignored unsupported flag");
--- a/components/perl512/patches/CVE-2011-2939.patch	Mon Mar 11 10:06:51 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-#
-# CVE-2011-2939
-# http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5
-# https://bugzilla.redhat.com/show_bug.cgi?id=731246
-#
---- perl-5.12.3/cpan/Encode/Unicode/Unicode.xs.old	2011-11-15 22:37:18.836023493 -0800
-+++ perl-5.12.3/cpan/Encode/Unicode/Unicode.xs	2011-11-15 22:40:56.191609987 -0800
[email protected]@ -246,7 +246,10 @@
- 	       This prevents allocating too much in the rogue case of a large
- 	       input consisting initially of long sequence uft8-byte unicode
- 	       chars followed by single utf8-byte chars. */
--	    STRLEN remaining = (e - s)/usize;
-+	    /* +1 
-+	       fixes  Unicode.xs!decode_xs n-byte heap-overflow
-+	      */
-+	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
- 	    STRLEN max_alloc = remaining + (8*1024*1024);
- 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
- 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
--- a/components/perl512/patches/patchlevel_h.patch	Mon Mar 11 10:06:51 2013 -0700
+++ b/components/perl512/patches/patchlevel_h.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -1,12 +1,16 @@
 --- perl-5.12.4/patchlevel.h	2011-06-15 10:14:22.000000000 -0700
 +++ CGI.pm-3.59/patchlevel.h	2012-06-13 18:10:17.136255349 -0700
[email protected]@ -131,6 +131,9 @@
[email protected]@ -131,6 +131,13 @@
  	,"uncommitted-changes"
  #endif
  	PERL_GIT_UNPUSHED_COMMITS    	/* do not remove this line */
 +	,"7111771 Problem with utility/perl"
 +	,"7125218 Problem with utility/perl"
 +	,"7030196 Problem with utility/perl"
++	,"15820486 Problem with utility/perl"
++	,"15880426 Problem with utility/perl"
++	,"16417744 Problem with utility/perl"
++	,"16427786 Problem with utility/perl"
  	,NULL
  };
  
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl512/patches/rehash-5.12.5.patch	Mon Mar 11 15:41:09 2013 -0700
@@ -0,0 +1,165 @@
+From f2a571dae7d70f7e3b59022834d8003ecd2df884 Mon Sep 17 00:00:00 2001
+From: Yves Orton <[email protected]>
+Date: Tue, 12 Feb 2013 10:53:05 +0100
+Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH
+ after hsplit()
+
+Triggering a hsplit due to long chain length allows an attacker
+to create a carefully chosen set of keys which can cause the hash
+to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
+exhaustion. Doing so also takes non trivial time.
+
+Eliminating this check, and only inspecting chain length after a
+normal hsplit() (triggered when keys>buckets) prevents the attack
+entirely, and makes such attacks relatively benign.
+
+(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac)
+---
+ ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++--
+ hv.c                                | 26 ++++++--------------------
+ t/op/hash.t                         | 20 +++++++++++++++++---
+ 3 files changed, 39 insertions(+), 25 deletions(-)
+
+diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t
+index 2cfb4e8..d58f053 100644
+--- a/ext/Hash-Util-FieldHash/t/10_hash.t
++++ b/ext/Hash-Util-FieldHash/t/10_hash.t
[email protected]@ -38,15 +38,29 @@ use constant START     => "a";
+ 
+ # some initial hash data
+ fieldhash my %h2;
+-%h2 = map {$_ => 1} 'a'..'cc';
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+ 
+ ok (!Internals::HvREHASH(%h2), 
+     "starting with pre-populated non-pathological hash (rehash flag if off)");
+ 
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2), 
+-    scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++    scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++    my $hr = shift;
++    my $keys_buckets= scalar(%$hr);
++    if ($keys_buckets=~m!/([0-9]+)\z!) {
++        return 0+$1;
++    } else {
++        return 8;
++    }
++}
+ 
+ sub get_keys {
+     my $hr = shift;
+diff --git a/hv.c b/hv.c
+index 89c6456..8659678 100644
+--- a/hv.c
++++ b/hv.c
[email protected]@ -35,7 +35,8 @@ holds the key and hash value.
+ #define PERL_HASH_INTERNAL_ACCESS
+ #include "perl.h"
+ 
+-#define HV_MAX_LENGTH_BEFORE_SPLIT 14
++#define HV_MAX_LENGTH_BEFORE_REHASH 14
++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */
+ 
+ static const char S_strtab_error[]
+     = "Cannot modify shared string table in hv_%s";
[email protected]@ -818,23 +819,8 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
+ 	xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+ 	if (!counter) {				/* initial entry? */
+ 	    xhv->xhv_fill++; /* HvFILL(hv)++ */
+-	} else if (xhv->xhv_keys > (IV)xhv->xhv_max) {
++	} else if ( SHOULD_DO_HSPLIT(xhv) ) {
+ 	    hsplit(hv);
+-	} else if(!HvREHASH(hv)) {
+-	    U32 n_links = 1;
+-
+-	    while ((counter = HeNEXT(counter)))
+-		n_links++;
+-
+-	    if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) {
+-		/* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit
+-		   bucket splits on a rehashed hash, as we're not going to
+-		   split it again, and if someone is lucky (evil) enough to
+-		   get all the keys in one list they could exhaust our memory
+-		   as we repeatedly double the number of buckets on every
+-		   entry. Linear search feels a less worse thing to do.  */
+-		hsplit(hv);
+-	    }
+ 	}
+     }
+ 
[email protected]@ -1180,7 +1166,7 @@ S_hsplit(pTHX_ HV *hv)
+ 
+ 
+     /* Pick your policy for "hashing isn't working" here:  */
+-    if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked?  */
++    if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked?  */
+ 	|| HvREHASH(hv)) {
+ 	return;
+     }
[email protected]@ -2551,8 +2537,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags)
+ 	xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+ 	if (!next) {			/* initial entry? */
+ 	    xhv->xhv_fill++; /* HvFILL(hv)++ */
+-	} else if (xhv->xhv_keys > (IV)xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) {
+-		hsplit(PL_strtab);
++	} else if ( SHOULD_DO_HSPLIT(xhv) ) {
++            hsplit(PL_strtab);
+ 	}
+     }
+ 
+diff --git a/t/op/hash.t b/t/op/hash.t
+index 9bde518..45eb782 100644
+--- a/t/op/hash.t
++++ b/t/op/hash.t
[email protected]@ -39,22 +39,36 @@ use constant THRESHOLD => 14;
+ use constant START     => "a";
+ 
+ # some initial hash data
+-my %h2 = map {$_ => 1} 'a'..'cc';
++my %h2;
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+ 
+ ok (!Internals::HvREHASH(%h2), 
+     "starting with pre-populated non-pathological hash (rehash flag if off)");
+ 
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2), 
+-    scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++    scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++    my $hr = shift;
++    my $keys_buckets= scalar(%$hr);
++    if ($keys_buckets=~m!/([0-9]+)\z!) {
++        return 0+$1;
++    } else {
++        return 8;
++    }
++}
+ 
+ sub get_keys {
+     my $hr = shift;
+ 
+     # the minimum of bits required to mount the attack on a hash
+     my $min_bits = log(THRESHOLD)/log(2);
+-
+     # if the hash has already been populated with a significant amount
+     # of entries the number of mask bits can be higher
+     my $keys = scalar keys %$hr;
+-- 
+1.8.1.3
+
+