Re: Patch for Data::Dumper - CVE-2014-4330
Hi Alexander,
Alexander Bluhm wrote on Fri, Oct 24, 2014 at 10:55:07PM +0200:
On Fri, Oct 24, 2014 at 10:40:55PM +0200, Alexander Bluhm wrote:
Here is the diff that applies to -current. I have compared it with
the perl git and with Data::Dumper on CPAN. It looks correct.
Confirmed.
I have forgotten to cvs add dist/Data-Dumper/t/recurse.t
so here is the diff with the new test.
ok?
Reads good. Also checked that the test suite succeeds
and that mitigation is effective (on i386).
So *if* we decide to patch it, ok schwarze@ for this version of the patch.
It physically and logically conflicts with future Perl updates,
though (changes to the same lines; changing the parameter lists
of the same functions in different ways). I think it would be
nice to hear how Andrew thinks such issues should be addressed
to minimize the pain during future Perl updates.
Alternatively we could update Data::Dumper to 2.154.
I'd say answering that question is at least in part Andrew's call.
I'm not sure whether that makes the upcoming 1.20 update easier
or harder.
Yours,
Ingo
Index: gnu/usr.bin/perl/MANIFEST
===
RCS file: /data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/MANIFEST,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 MANIFEST
--- gnu/usr.bin/perl/MANIFEST 24 Mar 2014 15:05:12 - 1.29
+++ gnu/usr.bin/perl/MANIFEST 24 Oct 2014 20:19:35 -
@@ -3155,6 +3155,7 @@ dist/Data-Dumper/t/perl-74170.t Regressi
dist/Data-Dumper/t/purity_deepcopy_maxdepth.tSee if three
Data::Dumper functions work
dist/Data-Dumper/t/qr.t See if Data::Dumper works with qr|/|
dist/Data-Dumper/t/quotekeys.t See if Data::Dumper::Quotekeys works
+dist/Data-Dumper/t/recurse.t See if Data::Dumper::Maxrecurse works
dist/Data-Dumper/t/seen.tSee if Data::Dumper::Seen works
dist/Data-Dumper/t/sortkeys.tSee if Data::Dumper::Sortkeys works
dist/Data-Dumper/t/sparseseen.t See if Data::Dumper::Sparseseen works
Index: gnu/usr.bin/perl/patchlevel.h
===
RCS file: /data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/patchlevel.h,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 patchlevel.h
--- gnu/usr.bin/perl/patchlevel.h 5 Sep 2014 06:53:07 - 1.34
+++ gnu/usr.bin/perl/patchlevel.h 24 Oct 2014 20:25:05 -
@@ -134,6 +134,7 @@ hunk.
static const char * const local_patches[] = {
NULL
,Update libnet to 1.27
+ ,CVE-2014-4330
#ifdef PERL_GIT_UNCOMMITTED_CHANGES
,uncommitted-changes
#endif
Index: gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm
===
RCS file:
/data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm,v
retrieving revision 1.1.1.3
diff -u -p -u -p -r1.1.1.3 Dumper.pm
--- gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Mar 2014 14:58:59
- 1.1.1.3
+++ gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Oct 2014 20:19:35
-
@@ -56,6 +56,7 @@ $Useperl= 0 unless defined $
$Sortkeys = 0 unless defined $Sortkeys;
$Deparse= 0 unless defined $Deparse;
$Sparseseen = 0 unless defined $Sparseseen;
+$Maxrecurse = 1000 unless defined $Maxrecurse;
#
# expects an arrayref of values to be dumped.
@@ -92,6 +93,7 @@ sub new {
'bless'= $Bless,# keyword to use for bless
#expdepth = $Expdepth, # cutoff depth for explicit dumping
maxdepth = $Maxdepth, # depth beyond which we give up
+ maxrecurse = $Maxrecurse, # depth beyond which we abort
useperl= $Useperl,# use the pure Perl implementation
sortkeys = $Sortkeys, # flag or filter for sorting hash keys
deparse= $Deparse,# use B::Deparse for coderefs
@@ -351,6 +353,12 @@ sub _dump {
return qq['$val'];
}
+# avoid recursing infinitely [perl #122111]
+if ($s-{maxrecurse} 0
+and $s-{level} = $s-{maxrecurse}) {
+die Recursion limit of $s-{maxrecurse} exceeded;
+}
+
# we have a blessed ref
my ($blesspad);
if ($realpack and !$no_bless) {
@@ -683,6 +691,11 @@ sub Maxdepth {
defined($v) ? (($s-{'maxdepth'} = $v), return $s) : $s-{'maxdepth'};
}
+sub Maxrecurse {
+ my($s, $v) = @_;
+ defined($v) ? (($s-{'maxrecurse'} = $v), return $s) : $s-{'maxrecurse'};
+}
+
sub Useperl {
my($s, $v) = @_;
defined($v) ? (($s-{'useperl'} = $v), return $s) : $s-{'useperl'};
@@ -1105,6 +1118,16 @@ we don't venture into a structure. Has
CData::Dumper::Purity is set. (Useful in debugger when we often don't
want to see more than enough). Default is 0, which means there is
no maximum depth.
+
+=item *
+
+$Data::Dumper::Maxrecurse Ior $IOBJ-Maxrecurse(I[NEWVAL])
+
+Can be set to a positive integer that specifies
Re: Patch for Data::Dumper - CVE-2014-4330
Although I don't have time to look in great detail, it seems ok on my phone. It
should not effect the update to 5.20 which looks pretty good (apart from vax).
Hopefully being away from the computer this weekend will make my brain grok gdb
and vax enough after work that I can get 5.20 moving forward.
I am happy with just patching and trust ingo's ok.
I will be updating some mail filters as I somehow missed this patch on p5p.
On October 25, 2014 10:59:05 AM PDT, Ingo Schwarze schwa...@usta.de wrote:
Hi Alexander,
Alexander Bluhm wrote on Fri, Oct 24, 2014 at 10:55:07PM +0200:
On Fri, Oct 24, 2014 at 10:40:55PM +0200, Alexander Bluhm wrote:
Here is the diff that applies to -current. I have compared it with
the perl git and with Data::Dumper on CPAN. It looks correct.
Confirmed.
I have forgotten to cvs add dist/Data-Dumper/t/recurse.t
so here is the diff with the new test.
ok?
Reads good. Also checked that the test suite succeeds
and that mitigation is effective (on i386).
So *if* we decide to patch it, ok schwarze@ for this version of the
patch.
It physically and logically conflicts with future Perl updates,
though (changes to the same lines; changing the parameter lists
of the same functions in different ways). I think it would be
nice to hear how Andrew thinks such issues should be addressed
to minimize the pain during future Perl updates.
Alternatively we could update Data::Dumper to 2.154.
I'd say answering that question is at least in part Andrew's call.
I'm not sure whether that makes the upcoming 1.20 update easier
or harder.
Yours,
Ingo
Index: gnu/usr.bin/perl/MANIFEST
===
RCS file: /data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/MANIFEST,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 MANIFEST
--- gnu/usr.bin/perl/MANIFEST24 Mar 2014 15:05:12 - 1.29
+++ gnu/usr.bin/perl/MANIFEST24 Oct 2014 20:19:35 -
@@ -3155,6 +3155,7 @@ dist/Data-Dumper/t/perl-74170.tRegressi
dist/Data-Dumper/t/purity_deepcopy_maxdepth.t See if three
Data::Dumper functions work
dist/Data-Dumper/t/qr.t See if Data::Dumper works with qr|/|
dist/Data-Dumper/t/quotekeys.t See if Data::Dumper::Quotekeys works
+dist/Data-Dumper/t/recurse.tSee if Data::Dumper::Maxrecurse works
dist/Data-Dumper/t/seen.t See if Data::Dumper::Seen works
dist/Data-Dumper/t/sortkeys.t See if Data::Dumper::Sortkeys works
dist/Data-Dumper/t/sparseseen.t See if Data::Dumper::Sparseseen
works
Index: gnu/usr.bin/perl/patchlevel.h
===
RCS file:
/data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/patchlevel.h,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 patchlevel.h
--- gnu/usr.bin/perl/patchlevel.h5 Sep 2014 06:53:07 - 1.34
+++ gnu/usr.bin/perl/patchlevel.h24 Oct 2014 20:25:05 -
@@ -134,6 +134,7 @@ hunk.
static const char * const local_patches[] = {
NULL
,Update libnet to 1.27
+,CVE-2014-4330
#ifdef PERL_GIT_UNCOMMITTED_CHANGES
,uncommitted-changes
#endif
Index: gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm
===
RCS file:
/data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm,v
retrieving revision 1.1.1.3
diff -u -p -u -p -r1.1.1.3 Dumper.pm
--- gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Mar 2014 14:58:59
- 1.1.1.3
+++ gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Oct 2014 20:19:35
-
@@ -56,6 +56,7 @@ $Useperl= 0 unless defined $
$Sortkeys = 0 unless defined $Sortkeys;
$Deparse= 0 unless defined $Deparse;
$Sparseseen = 0 unless defined $Sparseseen;
+$Maxrecurse = 1000 unless defined $Maxrecurse;
#
# expects an arrayref of values to be dumped.
@@ -92,6 +93,7 @@ sub new {
'bless'= $Bless,# keyword to use for bless
#expdepth = $Expdepth, # cutoff depth for explicit
dumping
maxdepth = $Maxdepth, # depth beyond which we give up
+maxrecurse = $Maxrecurse, # depth beyond which we abort
useperl= $Useperl,# use the pure Perl
implementation
sortkeys = $Sortkeys, # flag or filter for sorting hash
keys
deparse= $Deparse,# use B::Deparse for coderefs
@@ -351,6 +353,12 @@ sub _dump {
return qq['$val'];
}
+# avoid recursing infinitely [perl #122111]
+if ($s-{maxrecurse} 0
+and $s-{level} = $s-{maxrecurse}) {
+die Recursion limit of $s-{maxrecurse} exceeded;
+}
+
# we have a blessed ref
my ($blesspad);
if ($realpack and !$no_bless) {
@@ -683,6 +691,11 @@ sub Maxdepth {
defined($v) ? (($s-{'maxdepth'} = $v), return $s) :
$s-{'maxdepth'};
}
+sub Maxrecurse {
+ my($s, $v) = @_;
+ defined($v) ? (($s-{'maxrecurse'}
Re: Patch for Data::Dumper - CVE-2014-4330
On Fri, Oct 24, 2014 at 10:40:55PM +0200, Alexander Bluhm wrote:
Here is the diff that applies to -current. I have compared it with
the perl git and with Data::Dumper on CPAN. It looks correct.
I have forgotten to cvs add dist/Data-Dumper/t/recurse.t
so here is the diff with the new test.
ok?
bluhm
Index: gnu/usr.bin/perl/MANIFEST
===
RCS file: /data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/MANIFEST,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 MANIFEST
--- gnu/usr.bin/perl/MANIFEST 24 Mar 2014 15:05:12 - 1.29
+++ gnu/usr.bin/perl/MANIFEST 24 Oct 2014 20:19:35 -
@@ -3155,6 +3155,7 @@ dist/Data-Dumper/t/perl-74170.t Regressi
dist/Data-Dumper/t/purity_deepcopy_maxdepth.t See if three Data::Dumper
functions work
dist/Data-Dumper/t/qr.tSee if Data::Dumper works with qr|/|
dist/Data-Dumper/t/quotekeys.t See if Data::Dumper::Quotekeys works
+dist/Data-Dumper/t/recurse.t See if Data::Dumper::Maxrecurse works
dist/Data-Dumper/t/seen.t See if Data::Dumper::Seen works
dist/Data-Dumper/t/sortkeys.t See if Data::Dumper::Sortkeys works
dist/Data-Dumper/t/sparseseen.tSee if Data::Dumper::Sparseseen works
Index: gnu/usr.bin/perl/patchlevel.h
===
RCS file: /data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/patchlevel.h,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 patchlevel.h
--- gnu/usr.bin/perl/patchlevel.h 5 Sep 2014 06:53:07 - 1.34
+++ gnu/usr.bin/perl/patchlevel.h 24 Oct 2014 20:25:05 -
@@ -134,6 +134,7 @@ hunk.
static const char * const local_patches[] = {
NULL
,Update libnet to 1.27
+ ,CVE-2014-4330
#ifdef PERL_GIT_UNCOMMITTED_CHANGES
,uncommitted-changes
#endif
Index: gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm
===
RCS file:
/data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm,v
retrieving revision 1.1.1.3
diff -u -p -u -p -r1.1.1.3 Dumper.pm
--- gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Mar 2014 14:58:59 -
1.1.1.3
+++ gnu/usr.bin/perl/dist/Data-Dumper/Dumper.pm 24 Oct 2014 20:19:35 -
@@ -56,6 +56,7 @@ $Useperl= 0 unless defined $
$Sortkeys = 0 unless defined $Sortkeys;
$Deparse= 0 unless defined $Deparse;
$Sparseseen = 0 unless defined $Sparseseen;
+$Maxrecurse = 1000 unless defined $Maxrecurse;
#
# expects an arrayref of values to be dumped.
@@ -92,6 +93,7 @@ sub new {
'bless'= $Bless,# keyword to use for bless
#expdepth = $Expdepth, # cutoff depth for explicit dumping
maxdepth = $Maxdepth, # depth beyond which we give up
+ maxrecurse = $Maxrecurse, # depth beyond which we abort
useperl= $Useperl,# use the pure Perl implementation
sortkeys = $Sortkeys, # flag or filter for sorting hash keys
deparse= $Deparse,# use B::Deparse for coderefs
@@ -351,6 +353,12 @@ sub _dump {
return qq['$val'];
}
+# avoid recursing infinitely [perl #122111]
+if ($s-{maxrecurse} 0
+and $s-{level} = $s-{maxrecurse}) {
+die Recursion limit of $s-{maxrecurse} exceeded;
+}
+
# we have a blessed ref
my ($blesspad);
if ($realpack and !$no_bless) {
@@ -683,6 +691,11 @@ sub Maxdepth {
defined($v) ? (($s-{'maxdepth'} = $v), return $s) : $s-{'maxdepth'};
}
+sub Maxrecurse {
+ my($s, $v) = @_;
+ defined($v) ? (($s-{'maxrecurse'} = $v), return $s) : $s-{'maxrecurse'};
+}
+
sub Useperl {
my($s, $v) = @_;
defined($v) ? (($s-{'useperl'} = $v), return $s) : $s-{'useperl'};
@@ -1105,6 +1118,16 @@ we don't venture into a structure. Has
CData::Dumper::Purity is set. (Useful in debugger when we often don't
want to see more than enough). Default is 0, which means there is
no maximum depth.
+
+=item *
+
+$Data::Dumper::Maxrecurse Ior $IOBJ-Maxrecurse(I[NEWVAL])
+
+Can be set to a positive integer that specifies the depth beyond which
+recursion into a structure will throw an exception. This is intended
+as a security measure to prevent perl running out of stack space when
+dumping an excessively deep structure. Can be set to 0 to remove the
+limit. Default is 1000.
=item *
Index: gnu/usr.bin/perl/dist/Data-Dumper/Dumper.xs
===
RCS file:
/data/mirror/openbsd/cvs/src/gnu/usr.bin/perl/dist/Data-Dumper/Dumper.xs,v
retrieving revision 1.1.1.3
diff -u -p -u -p -r1.1.1.3 Dumper.xs
--- gnu/usr.bin/perl/dist/Data-Dumper/Dumper.xs 24 Mar 2014 14:58:59 -
1.1.1.3
+++ gnu/usr.bin/perl/dist/Data-Dumper/Dumper.xs 24 Oct 2014 20:22:57 -
@@ -26,7 +26,8 @@ static I32 DD_dump (pTHX_ SV *val, const
SV *pad, SV *xpad, SV *apad, SV *sep, SV *pair,
SV *freezer, SV
