Package: release.debian.org Severity: normal Tags: bullseye User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected]
Hi, I'd like to fix #994834 in perl/bullseye. It's a memory leak regression from buster. The fix is from upstream Perl 5.34 and the patch applied as-is to 5.32. It's included in unstable as of 5.32.1-6 which recently migrated to testing as well (so it triggered no autopkgtest regressions.) The patch includes a build time regression test. Debdiff against 5.32.1-4+deb11u1 in stable-security attached. I expect this is uncontroversial so I've just uploaded without waiting for an explicit ack. Thanks for your work, -- Niko Tyni [email protected]
diff -Nru perl-5.32.1/debian/changelog perl-5.32.1/debian/changelog --- perl-5.32.1/debian/changelog 2021-08-05 22:26:55.000000000 +0300 +++ perl-5.32.1/debian/changelog 2021-09-24 19:10:58.000000000 +0300 @@ -1,3 +1,9 @@ +perl (5.32.1-4+deb11u2) bullseye; urgency=medium + + * Apply upstream patch fixing a regexp memory leak. (Closes: #994834) + + -- Niko Tyni <[email protected]> Fri, 24 Sep 2021 19:10:58 +0300 + perl (5.32.1-4+deb11u1) bullseye-security; urgency=high * [SECURITY] CVE-2021-36770: Encode loading code from working directory diff -Nru perl-5.32.1/debian/patches/fixes/regcomp-memleak.diff perl-5.32.1/debian/patches/fixes/regcomp-memleak.diff --- perl-5.32.1/debian/patches/fixes/regcomp-memleak.diff 1970-01-01 02:00:00.000000000 +0200 +++ perl-5.32.1/debian/patches/fixes/regcomp-memleak.diff 2021-09-24 19:10:52.000000000 +0300 @@ -0,0 +1,69 @@ +From: Karl Williamson <[email protected]> +Date: Sat, 27 Feb 2021 11:43:41 -0700 +Subject: regcomp.c: Remove memory leak + +This fixes GH #18604. There was a path through the code where a +particular SV did not get its reference count decremented. + +I did an audit of the function and came up with several other +possiblities that are included in this commit. + +Further, there would be leaks for some instances of finding syntax +errors in the input pattern, or when warnings are fatalized. Those +would require mortalizing some SVs, but that is beyond the scope of this +commit. + +Origin: backport, https://github.com/Perl/perl5/commit/5f41fa466a67b5535aa8bcf4b814f242545ac7bd +Bug: https://github.com/Perl/perl5/issues/18604 +Bug-Debian: https://bugs.debian.org/994834 +--- + regcomp.c | 7 +++++++ + t/op/svleak.t | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/regcomp.c b/regcomp.c +index 0da659c..5c72ff7 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -18626,6 +18626,12 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth, + RExC_end = save_end; + RExC_in_multi_char_class = 0; + SvREFCNT_dec_NN(multi_char_matches); ++ SvREFCNT_dec(properties); ++ SvREFCNT_dec(cp_list); ++ SvREFCNT_dec(simple_posixes); ++ SvREFCNT_dec(posixes); ++ SvREFCNT_dec(nposixes); ++ SvREFCNT_dec(cp_foldable_list); + return ret; + } + +@@ -19983,6 +19989,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth, + RExC_parse - orig_parse);; + SvREFCNT_dec(cp_list);; + SvREFCNT_dec(only_utf8_locale_list); ++ SvREFCNT_dec(upper_latin1_only_utf8_matches); + return ret; + } + +diff --git a/t/op/svleak.t b/t/op/svleak.t +index 6acc298..3df4838 100644 +--- a/t/op/svleak.t ++++ b/t/op/svleak.t +@@ -15,7 +15,7 @@ BEGIN { + + use Config; + +-plan tests => 150; ++plan tests => 151; + + # run some code N times. If the number of SVs at the end of loop N is + # greater than (N-1)*delta at the end of loop 1, we've got a leak +@@ -278,6 +278,7 @@ eleak(2,0,'/[[:ascii:]]/'); + eleak(2,0,'/[[.zog.]]/'); + eleak(2,0,'/[.zog.]/'); + eleak(2,0,'/|\W/', '/|\W/ [perl #123198]'); ++eleak(2,0,'/a\sb/', '/a\sb/ [GH #18604]'); + eleak(2,0,'no warnings; /(?[])/'); + eleak(2,0,'no warnings; /(?[[a]+[b]])/'); + eleak(2,0,'no warnings; /(?[[a]-[b]])/'); diff -Nru perl-5.32.1/debian/patches/series perl-5.32.1/debian/patches/series --- perl-5.32.1/debian/patches/series 2021-08-05 22:26:55.000000000 +0300 +++ perl-5.32.1/debian/patches/series 2021-09-24 19:10:52.000000000 +0300 @@ -44,3 +44,4 @@ fixes/hurd-cachepropagate-test-fix.diff fixes/io_socket_ip_ipv6.diff fixes/encode-CVE-2021-36770.diff +fixes/regcomp-memleak.diff
