author | Natanael Copa <ncopa@alpinelinux.org> | 2017-10-10 13:47:46 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-10-10 14:31:55 +0200 |
commit | cd0cf727fceef7bea9e79276c4511ec704e6143b (patch) | |
tree | bbde30e6d2b17d5c335939fb1cfec021a4fddcc1 | |
parent | fdb75990b02bc777508a5a27ce0a01f817a98630 (diff) | |
download | aports-cd0cf727fceef7bea9e79276c4511ec704e6143b.tar.bz2 aports-cd0cf727fceef7bea9e79276c4511ec704e6143b.tar.xz |
main/perl: upgrade to 5.22.3 + security fixes
-rw-r--r-- | main/perl/APKBUILD | 23 | ||||
-rw-r--r-- | main/perl/CVE-2017-12837.patch | 11 | ||||
-rw-r--r-- | main/perl/CVE-2017-12883.patch | 28 |
3 files changed, 57 insertions, 5 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 6db1db1457..a559a81f1a 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -1,13 +1,15 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 # Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
 pkgname=perl
-pkgver=5.22.1
+pkgver=5.22.3
 pkgrel=0
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url=http://www.perl.org
 arch="all"
 license="Artistic GPL2"
 source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
+ CVE-2017-12837.patch
+ CVE-2017-12883.patch
 "
 options="!fhs"
@@ -16,6 +18,12 @@ depends_dev="perl"
 makedepends=
 subpackages="$pkgname-dev $pkgname-doc miniperl"
+# secfixes:
+# 5.22.3-r0:
+# - CVE-2016-1238
+# - CVE-2017-12837
+# - CVE-2017-12883
+
 _builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
@@ -96,7 +104,12 @@ dev() {
 done
 }
-
-md5sums="19295bbb775a3c36123161b9bf4892f1 perl-5.22.1.tar.gz"
-sha256sums="2b475d0849d54c4250e9cba4241b7b7291cffb45dfd083b677ca7b5d38118f27 perl-5.22.1.tar.gz"
-sha512sums="cead35f0dfea61104066a9e8e00bde7b33783f5f6cbef6c3307c3425453aec14c37775e9284b1235e9f14d76cae3455e3e215c16e31eee780917d9ec9490346a perl-5.22.1.tar.gz"
+md5sums="aa4f236dc2fc6f88b871436b8d0fda95 perl-5.22.3.tar.gz
+87bcffe2858d6a4d231e041bec899c5c CVE-2017-12837.patch
+da495ec183af5a9386274587b4733620 CVE-2017-12883.patch"
+sha256sums="1b351fb4df7e62ec3c8b2a9f516103595b2601291f659fef1bbe3917e8410083 perl-5.22.3.tar.gz
+f8b16e586981ccd60308aaaa44243c1933536f373241f196f0a8f260893903ad CVE-2017-12837.patch
+42197cd029998b56aa90d3fff9acee29f4f58ac9f8a240f96fd04a231e2bcb4b CVE-2017-12883.patch"
+sha512sums="e0ec42ed99f565ee045ce188a2a22fc294f043a6983fe7dcc896ef5df30a05124f1ba0faea62ce128df769f9f12fae0f11422c7f63e95470534689ebbcbef272 perl-5.22.3.tar.gz
+3125c66f7a810c24aad8ea7228cda9254f854b6cced0479c9d297879ccb8561469cf99d9b2a95df5fc1d23b485999d720d2cf1e2385d93510a700514e610e302 CVE-2017-12837.patch
+40a3cfb663c7f1946a7b24dc97defd8f32889efb5d611e6ebef90b3dd3a5073de14728887ce028dbdd95aeb46e2dd05a0fa690ea580d6d108df751e43e1662f6 CVE-2017-12883.patch"
diff --git a/main/perl/CVE-2017-12837.patch b/main/perl/CVE-2017-12837.patch
new file mode 100644
index 0000000000..e4ec80fca1
--- /dev/null
+++ b/main/perl/CVE-2017-12837.patch
@@ -0,0 +1,11 @@
+--- a/regcomp.c
++++ b/regcomp.c
+Upstream commit 96c83ed78aeea1a0496dd2b2d935869a822dc8a5
+@@ -13318,6 +13318,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ goto loopdone;
+ }
+ p = RExC_parse;
++ RExC_parse = parse_start;
+ if (ender > 0xff) {
+ REQUIRE_UTF8(flagp);
+ }
diff --git a/main/perl/CVE-2017-12883.patch b/main/perl/CVE-2017-12883.patch
new file mode 100644
index 0000000000..9f18f1c66b
--- /dev/null
+++ b/main/perl/CVE-2017-12883.patch
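Review bot: The header of CVE-2017-12837.patch carries only the upstream commit id and says nothing about what the change fixes, unlike CVE-2017-12883.patch which opens with a "Fixes CVE-… for Perl 5.22" line; a subject line such as `Fixes CVE-2017-12837 for Perl 5.22 (S_regatom: reset RExC_parse to parse_start before the ender > 0xff check)` above `--- a/regcomp.c` would keep the patch self-describing for whoever audits the secfixes list later. In both new patch files the commentary sits between `+++ b/regcomp.c` and the first `@@` line; GNU patch tolerates text there, but stricter appliers may treat it as part of the file header, so the description belongs above the `---` line. The inner hunk has no context beyond the `@@` line and the rest of S_regatom is outside this hunk, so the placement of the added assignment cannot be checked from here.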
@@ -0,0 +1,28 @@
+--- a/regcomp.c
++++ b/regcomp.c
+Fixes CVE-2017-12883 for Perl 5.22
+Upstream commit 2be4edede4ae226e2eebd4eff28cedd2041f300f
+
+Note we had to change this patch slightly to get it to work with Perl 5.22.
+We did this by taking their official patch URL (https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
+and changing the first commit to be the Perl 5.22.4 commit (a26666a1317770d8a2228ac3657ba58020c3511f),
+which resulted in a URL of https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
+We then cherry picked this one change from that diff.
+@@ -11303,13 +11303,15 @@
+ }
+ sv_catpv(substitute_parse, ")");
+
+- RExC_parse = SvPV(substitute_parse, len);
++ len = SvCUR(substitute_parse);
+
+ /* Don't allow empty number */
+ if (len < (STRLEN) 8) {
+ RExC_parse = endbrace;
+ vFAIL("Invalid hexadecimal number in \\N{U+...}");
+ }
+
+
++ RExC_parse = SvPV_nolen(substitute_parse);
+ RExC_end = RExC_parse + len;
+
+ /* The values are Unicode, and therefore not subject to recoding, but
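Review bot: As rendered here, the inner hunk of CVE-2017-12883.patch has two bare `+` lines between `+ }` and `++ RExC_parse = SvPV_nolen(substitute_parse);` where the upstream change adds a single blank line, so the inner `@@ -11303,13 +11303,15 @@` counts do not match the hunk body; if the file really contains that, `patch` may only apply it with fuzz or a malformed-hunk warning, and the blank should be regenerated as a single `++` line. The header also states that the diff was taken against the Perl 5.22.4 commit a26666a1317770d8a2228ac3657ba58020c3511f while this package builds 5.22.3, and the `@@` line carries no function context, so a hunk landing in the wrong place in regcomp.c would not be caught by a successful build; recording in the header that the hunk was verified to land in the `\N{U+...}` parsing code of 5.22.3 would document that check. The substance of the backport — taking `len` from SvCUR() and only pointing RExC_parse into the substitute buffer after the `len < 8` check has passed — follows the upstream fix; the surrounding function starts and ends outside the hunk.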