-rw-r--r-- | main/perl/APKBUILD | 17 | ||||
-rw-r--r-- | main/perl/CVE-2011-2939.patch | 16 | ||||
-rw-r--r-- | main/perl/CVE-2011-3597.patch | 28 |
3 files changed, 58 insertions, 3 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 650c3cfa70..6b5258243d 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -1,13 +1,17 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 # Contributor: Leonardo Arena <rnalrd@gmail.com>
 pkgname=perl
-pkgver=5.12.3
+pkgver=5.12.4
 pkgrel=0
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url=http://www.perl.org
 arch="all"
 license="Artistic GPL-2"
-source=http://www.perl.com/CPAN/src/perl-${pkgver}.tar.gz
+source="http://www.perl.com/CPAN/src/perl-${pkgver}.tar.gz
+ CVE-2011-2939.patch
+ CVE-2011-3597.patch
+ "
+
 depends=
 subpackages="$pkgname-dev $pkgname-doc miniperl"
@@ -15,6 +19,11 @@ _builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
 cd $_builddir
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
 sed -i -e 's/less -R/less/g' ./Configure
 sed -i -e 's/libswanted="\(.*\) nsl\(.*\)"/libswanted="\1\2"/g' ./Configure
 }
@@ -65,4 +74,6 @@ miniperl() {
 cp "$srcdir/perl-$pkgver"/miniperl "$subpkgdir/usr/bin"
 }
-md5sums="29975a69dce54e47fcd6331c085c6c99 perl-5.12.3.tar.gz"
+md5sums="fd22aba88e4e27ab879f142eec6452a0 perl-5.12.4.tar.gz
+c0674ead60e89c20e2c8d9bbc2d7683a CVE-2011-2939.patch
+0212067da7d533fe3939c0984cad4243 CVE-2011-3597.patch"
diff --git a/main/perl/CVE-2011-2939.patch b/main/perl/CVE-2011-2939.patch
new file mode 100644
index 0000000000..7b5068d473
--- /dev/null
+++ b/main/perl/CVE-2011-2939.patch
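Review bot: The tarball and both backported patch files are pinned by MD5 only in the `md5sums=` hunk; MD5 is collision-broken, so this guards against download corruption but not against a deliberately crafted replacement of a patch or the tarball, and `prepare()` then applies every `*.patch` entry that lands in `$srcdir`. If the abuild in use already accepts a stronger digest list (`sha512sums=`), prefer it here; if it does not yet, this is worth tracking for the next bump. The `md5sums` hunk is the last in the file, so this applies to the whole checksum list.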
@@ -0,0 +1,16 @@
+diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
+index 16f4cd1..039f155 100644
+--- a/cpan/Encode/Unicode/Unicode.xs
++++ b/cpan/Encode/Unicode/Unicode.xs
+@@ -256,7 +256,10 @@ CODE:
+ This prevents allocating too much in the rogue case of a large
+ input consisting initially of long sequence uft8-byte unicode
+ chars followed by single utf8-byte chars. */
+- STRLEN remaining = (e - s)/usize;
++ /* +1
++ fixes Unicode.xs!decode_xs n-byte heap-overflow
++ */
++ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
+ STRLEN max_alloc = remaining + (8*1024*1024);
+ STRLEN est_alloc = remaining * UTF8_MAXLEN;
+ STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
diff --git a/main/perl/CVE-2011-3597.patch b/main/perl/CVE-2011-3597.patch
new file mode 100644
index 0000000000..dc7cc2d749
--- /dev/null
+++ b/main/perl/CVE-2011-3597.patch
@@ -0,0 +1,28 @@
+From dbcab24bb98b4a243c8330bc7017c2080832b3f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Tue, 4 Oct 2011 13:46:39 +0200
+Subject: [PATCH] Fix code injection in Digest
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=743010> for more details.
+---
+ cpan/Digest/Digest.pm | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..4b923ae 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -35,7 +35,9 @@ sub new
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
+--
+1.7.6.4
+
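Review bot: CVE-2011-2939.patch carries no origin header, unlike CVE-2011-3597.patch, which records the upstream author, date, subject and a bug-tracker reference; without that, nobody can verify this backport against the upstream Encode fix or tell when a later perl upgrade makes it obsolete. `patch` ignores text before the first `diff --git` line, so a short preamble is safe to add, e.g. `Backport of the upstream Encode Unicode.xs fix for CVE-2011-2939 (decode_xs heap overflow); upstream commit: <fill in>`. The inline comment the hunk adds, `/* +1 to avoid the leak */`, is upstream's wording and contradicts the patch's own header comment, which calls it an n-byte heap overflow, so the preamble is also the place to say what the `+ 1` on `remaining` actually fixes.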
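Review bot: The replacement `require $pm_file` in Digest.pm still derives its file name from the caller-supplied `$class`; the string eval is gone, so a class name can no longer inject code, but nothing in the hunk checks that `$class` looks like a package name before it is turned into a path and searched on `@INC`. Since this file is a verbatim upstream backport, keep it byte-identical rather than editing it locally, and track whether upstream adds a name check such as `$class =~ /\A\w+(?:::\w+)*\z/` ahead of the `require`. The enclosing `sub new` begins and ends outside the hunk, and both the `$err` it updates and the loop that `next` refers to live there.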