Submitted By: Ken Moffat Date: 2011-11-16 Initial Package Version: 5.10-series Upstream Status: Applied Origin: found at debian Description: Fixes for CVE-2011-2939 and CVE-2011-3597, backported to perl-5.10. These probably also apply to perl-5.8 >= 5.8.5 if anyone is still using that. For 5.10.1 these should be applied with the utf8-1.patch. 1. From dbcab24bb98b4a243c8330bc7017c2080832b3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Tue, 4 Oct 2011 13:46:39 +0200 Subject: [PATCH] Fix code injection in Digest See for more details. --- lib/Digest/Digest.pm | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) Backported to 5.10 by Ken Moffat (file is in lib/ not cpan/Digest/) 2. From 2e6e1e81494d349380e13ca735d1774bf124bd60 Mon Sep 17 00:00:00 2001 From: Chris 'BinGOs' Williams Date: Wed, 10 Aug 2011 19:09:32 +0100 Subject: Fix decode_xs n-byte heap-overflow security bug in Unicode.xs Bug-Debian: http://bugs.debian.org/637376 Origin: http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5 Backported to 5.10 (file is in ext/ not cpan/) by Ken Moffat --- ext/Encode/Unicode/Unicode.xs | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/lib/Digest.pm b/lib/Digest.pm index 384dfc8..4b923ae 100644 --- a/lib/Digest.pm +++ b/lib/Digest.pm @@ -35,7 +35,9 @@ sub new ($class, @args) = @$class if ref($class); no strict 'refs'; unless (exists ${"$class\::"}{"VERSION"}) { - eval "require $class"; + my $pm_file = $class . ".pm"; + $pm_file =~ s{::}{/}g; + eval { require $pm_file }; if ($@) { $err ||= $@; next; -- diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs index 9741626..70ae001 100644 --- a/ext/Encode/Unicode/Unicode.xs +++ b/ext/Encode/Unicode/Unicode.xs @@ -246,7 +246,10 @@ CODE: This prevents allocating too much in the rogue case of a large input consisting initially of long sequence uft8-byte unicode chars followed by single utf8-byte chars. */ - STRLEN remaining = (e - s)/usize; + /* +1 + fixes Unicode.xs!decode_xs n-byte heap-overflow + */ + STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ STRLEN max_alloc = remaining + (8*1024*1024); STRLEN est_alloc = remaining * UTF8_MAXLEN; STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */ 1.7.6.4