Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
Date: 2011-11-16
Initial Package Version: 5.10-series
Upstream Status: Applied
Origin: found at debian
Description:

 Fixes for CVE-2011-2939 and CVE-2011-3597, backported to perl-5.10.
These probably also apply to perl-5.8 >= 5.8.5 if anyone is still using that.

 For 5.10.1 these should be applied with the utf8-1.patch.

1. From dbcab24bb98b4a243c8330bc7017c2080832b3f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 4 Oct 2011 13:46:39 +0200
Subject: [PATCH] Fix code injection in Digest

See <https://bugzilla.redhat.com/show_bug.cgi?id=743010> for more details.
---
 lib/Digest/Digest.pm |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

 Backported to 5.10 by Ken Moffat (file is in lib/ not cpan/Digest/)

2. From 2e6e1e81494d349380e13ca735d1774bf124bd60 Mon Sep 17 00:00:00 2001
From: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
Date: Wed, 10 Aug 2011 19:09:32 +0100
Subject: Fix decode_xs n-byte heap-overflow security bug in Unicode.xs

Bug-Debian: http://bugs.debian.org/637376
Origin: http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5

 Backported to 5.10 (file is in ext/ not cpan/) by Ken Moffat

---
 ext/Encode/Unicode/Unicode.xs |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/lib/Digest.pm b/lib/Digest.pm
index 384dfc8..4b923ae 100644
--- a/lib/Digest.pm
+++ b/lib/Digest.pm
@@ -35,7 +35,9 @@ sub new
 	($class, @args) = @$class if ref($class);
 	no strict 'refs';
 	unless (exists ${"$class\::"}{"VERSION"}) {
-	    eval "require $class";
+	    my $pm_file = $class . ".pm";
+	    $pm_file =~ s{::}{/}g;
+	    eval { require $pm_file };
 	    if ($@) {
 		$err ||= $@;
 		next;
-- 

diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs
index 9741626..70ae001 100644
--- a/ext/Encode/Unicode/Unicode.xs
+++ b/ext/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
 	       This prevents allocating too much in the rogue case of a large
 	       input consisting initially of long sequence uft8-byte unicode
 	       chars followed by single utf8-byte chars. */
-	    STRLEN remaining = (e - s)/usize;
+            /* +1 
+               fixes  Unicode.xs!decode_xs n-byte heap-overflow
+              */
+	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
 	    STRLEN max_alloc = remaining + (8*1024*1024);
 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
1.7.6.4