From 9f81b5131119b07ed7a8d352cfd5a699e1eea4a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 17 Feb 2016 17:14:50 +0100
Subject: Fix CVE-2016-2381 (ambiguous environment variables handling)
---
...licate-environment-variables-from-environ.patch | 112 +++++++++++++++++++++
perl.spec | 11 +-
2 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644
perl-5.23.8-remove-duplicate-environment-variables-from-environ.patch
diff --git
a/perl-5.23.8-remove-duplicate-environment-variables-from-environ.patch
b/perl-5.23.8-remove-duplicate-environment-variables-from-environ.patch
new file mode 100644
index 0000000..c2bd72d
--- /dev/null
+++ b/perl-5.23.8-remove-duplicate-environment-variables-from-environ.patch
@@ -0,0 +1,112 @@
+From ae37b791a73a9e78dedb89fb2429d2628cf58076 Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Wed, 27 Jan 2016 11:52:15 +1100
+Subject: [PATCH] remove duplicate environment variables from environ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If we see duplicate environment variables while iterating over
+environ[]:
+
+a) make sure we use the same value in %ENV that getenv() returns.
+
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+
+b) remove duplicate entries from environ
+
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+
+CVE-2016-2381
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 2 deletions(-)
+
+diff --git a/perl.c b/perl.c
+index 4a324c6..5c71fd0 100644
+--- a/perl.c
++++ b/perl.c
+@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv,
char **env)
+ }
+ if (env) {
+ char *s, *old_var;
++ STRLEN nlen;
+ SV *sv;
++ HV *dups = newHV();
++
+ for (; *env; env++) {
+ old_var = *env;
+
+ if (!(s = strchr(old_var,'=')) || s == old_var)
+ continue;
++ nlen = s - old_var;
+
+ #if defined(MSDOS) && !defined(DJGPP)
+ *s = '\0';
+ (void)strupr(old_var);
+ *s = '=';
+ #endif
+- sv = newSVpv(s+1, 0);
+- (void)hv_store(hv, old_var, s - old_var, sv, 0);
++ if (hv_exists(hv, old_var, nlen)) {
++ const char *name = savepvn(old_var, nlen);
++
++ /* make sure we use the same value as getenv(), otherwise
code that
++ uses getenv() (like setlocale()) might see a different
value to %ENV
++ */
++ sv = newSVpv(PerlEnv_getenv(name), 0);
++
++ /* keep a count of the dups of this name so we can de-dup
environ later */
++ if (hv_exists(dups, name, nlen))
++ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++ else
++ (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++ Safefree(name);
++ }
++ else {
++ sv = newSVpv(s+1, 0);
++ }
++ (void)hv_store(hv, old_var, nlen, sv, 0);
+ if (env_is_not_environ)
+ mg_set(sv);
+ }
++ if (HvKEYS(dups)) {
++ /* environ has some duplicate definitions, remove them */
++ HE *entry;
++ hv_iterinit(dups);
++ while ((entry = hv_iternext_flags(dups, 0))) {
++ STRLEN nlen;
++ const char *name = HePV(entry, nlen);
++ IV count = SvIV(HeVAL(entry));
++ IV i;
++ SV **valp = hv_fetch(hv, name, nlen, 0);
++
++ assert(valp);
++
++ /* try to remove any duplicate names, depending on the
++ * implementation used in my_setenv() the iteration might
++ * not be necessary, but let's be safe.
++ */
++ for (i = 0; i < count; ++i)
++ my_setenv(name, 0);
++
++ /* and set it back to the value we set $ENV{name} to */
++ my_setenv(name, SvPV_nolen(*valp));
++ }
++ }
++ SvREFCNT_dec_NN(dups);
+ }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */
+--
+2.5.0
+
diff --git a/perl.spec b/perl.spec
index b068ffc..256ca51 100644
--- a/perl.spec
+++ b/perl.spec
@@ -30,7 +30,7 @@
Name: perl
Version: %{perl_version}
# release number must be even higher, because dual-lived modules will be
broken otherwise
-Release: 328%{?dist}
+Release: 329%{?dist}
Epoch: %{perl_epoch}
Summary: Practical Extraction and Report Language
Group: Development/Languages
@@ -109,6 +109,10 @@ Patch28:
perl-5.21.6-t-op-taint.t-Perform-SHA-256-algorithm-by-crypt-if-d
# riIn upstream after 5.21.3
Patch29: perl-5.21.3-fix-debugger-y-command-scope-level.patch
+# Fix CVE-2016-2381 (ambiguous environment variables handling), bug #1313702,
+# in upstream after 5.23.8
+Patch30:
perl-5.23.8-remove-duplicate-environment-variables-from-environ.patch
+
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200:
perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2048,6 +2052,7 @@ tarball from perl.org.
%patch27 -p1
%patch28 -p1
%patch29 -p1
+%patch30 -p1
%patch200 -p1
%patch201 -p1
@@ -2070,6 +2075,7 @@ perl -x patchlevel.h \
'Fedora Patch27: Report inaccesible file on failed require (RT#123270)' \
'Fedora Patch28: Use stronger algorithm needed for FIPS in t/op/taint.t
(RT#123338)' \
'Fedora Patch29: Fix debugger y command scope level' \
+ 'Fedora Patch30: Fix CVE-2016-2381 (ambiguous environment variables
handling)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on
Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil}
@@ -3923,6 +3929,9 @@ sed \
# Old changelog entries are preserved in CVS.
%changelog
+* Wed Mar 02 2016 Petr Pisar <ppi...@redhat.com> - 4:5.20.3-329
+- Fix CVE-2016-2381 (ambiguous environment variables handling) (bug #1313702)
+
* Thu Sep 24 2015 Jitka Plesnikova <jples...@redhat.com> - 4:5.20.3-328
- Fix debugger y command scope level (bug #1129850)
--
cgit v0.12
http://pkgs.fedoraproject.org/cgit/perl.git/commit/?h=f22&id=9f81b5131119b07ed7a8d352cfd5a699e1eea4a8
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/perl-devel@lists.fedoraproject.org
