--- /dev/null
+From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
+From: Brian Carlson <brian.carlson@cpanel.net>
+Date: Wed, 28 Nov 2012 08:54:33 -0500
+Subject: [PATCH] Fix misparsing of maketext strings.
+
+Case 61251: This commit fixes a misparse of maketext strings that could
+lead to arbitrary code execution. Basically, maketext was compiling
+bracket notation into functions, but neglected to escape backslashes
+inside the content or die on fully-qualified method names when
+generating the code. This change escapes all such backslashes and dies
+when a method name with a colon or apostrophe is specified.
+---
+ AUTHORS | 1 +
+ dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++----------------
+ 2 files changed, 9 insertions(+), 16 deletions(-)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+
+diff --git a/AUTHORS b/AUTHORS
+index 70734b0..009dea0 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -154,6 +154,7 @@ Breno G. de Oliveira <garu@cpan.org>
+ Brent Dax <brentdax@cpan.org>
+ Brooks D Boyd
+ Brian Callaghan <callagh@itginc.com>
++Brian Carlson <brian.carlson@cpanel.net>
+ Brian Clarke <clarke@appliedmeta.com>
+ brian d foy <brian.d.foy@gmail.com>
+ Brian Fraser <fraserbn@gmail.com>
+diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
+index 4822027..63e5fba 100644
+--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
++++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
+@@ -625,21 +625,9 @@ sub _compile {
+ # 0-length method name means to just interpolate:
+ push @code, ' (';
+ }
+- elsif($m =~ /^\w+(?:\:\:\w+)*$/s
+- and $m !~ m/(?:^|\:)\d/s
+- # exclude starting a (sub)package or symbol with a digit
++ elsif($m =~ /^\w+$/s
++ # exclude anything fancy, especially fully-qualified module names
+ ) {
+- # Yes, it even supports the demented (and undocumented?)
+- # $obj->Foo::bar(...) syntax.
+- $target->_die_pointing(
+- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
+- 2 + length($c[-1])
+- )
+- if $m =~ m/^SUPER::/s;
+- # Because for SUPER:: to work, we'd have to compile this into
+- # the right package, and that seems just not worth the bother,
+- # unless someone convinces me otherwise.
+-
+ push @code, ' $_[0]->' . $m . '(';
+ }
+ else {
+@@ -693,7 +681,9 @@ sub _compile {
+ elsif(substr($1,0,1) ne '~') {
+ # it's stuff not containing "~" or "[" or "]"
+ # i.e., a literal blob
+- $c[-1] .= $1;
++ my $text = $1;
++ $text =~ s/\\/\\\\/g;
++ $c[-1] .= $text;
+
+ }
+ elsif($1 eq '~~') { # "~~"
+@@ -731,7 +721,9 @@ sub _compile {
+ else {
+ # It's a "~X" where X is not a special character.
+ # Consider it a literal ~ and X.
+- $c[-1] .= $1;
++ my $text = $1;
++ $text =~ s/\\/\\\\/g;
++ $c[-1] .= $text;
+ }
+ }
+ }
+--
+1.8.3.1
+
--- /dev/null
+From d59e31fc729d8a39a774f03bc6bc457029a7aef2 Mon Sep 17 00:00:00 2001
+From: Yves Orton <demerphq@gmail.com>
+Date: Tue, 12 Feb 2013 10:53:05 +0100
+Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH
+ after hsplit()
+
+Triggering a hsplit due to long chain length allows an attacker
+to create a carefully chosen set of keys which can cause the hash
+to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
+exhaustion. Doing so also takes non trivial time.
+
+Eliminating this check, and only inspecting chain length after a
+normal hsplit() (triggered when keys>buckets) prevents the attack
+entirely, and makes such attacks relatively benign.
+
+(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac)
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+
+---
+ ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++--
+ hv.c | 35 ++++++++---------------------------
+ t/op/hash.t | 20 +++++++++++++++++---
+ 3 files changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t
+index 2cfb4e8..d58f053 100644
+--- a/ext/Hash-Util-FieldHash/t/10_hash.t
++++ b/ext/Hash-Util-FieldHash/t/10_hash.t
+@@ -38,15 +38,29 @@ use constant START => "a";
+
+ # some initial hash data
+ fieldhash my %h2;
+-%h2 = map {$_ => 1} 'a'..'cc';
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+
+ ok (!Internals::HvREHASH(%h2),
+ "starting with pre-populated non-pathological hash (rehash flag if off)");
+
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2),
+- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++ my $hr = shift;
++ my $keys_buckets= scalar(%$hr);
++ if ($keys_buckets=~m!/([0-9]+)\z!) {
++ return 0+$1;
++ } else {
++ return 8;
++ }
++}
+
+ sub get_keys {
+ my $hr = shift;
+diff --git a/hv.c b/hv.c
+index 2be1feb..abb9d76 100644
+--- a/hv.c
++++ b/hv.c
+@@ -35,7 +35,8 @@ holds the key and hash value.
+ #define PERL_HASH_INTERNAL_ACCESS
+ #include "perl.h"
+
+-#define HV_MAX_LENGTH_BEFORE_SPLIT 14
++#define HV_MAX_LENGTH_BEFORE_REHASH 14
++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */
+
+ static const char S_strtab_error[]
+ = "Cannot modify shared string table in hv_%s";
+@@ -794,29 +795,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
+ if (masked_flags & HVhek_ENABLEHVKFLAGS)
+ HvHASKFLAGS_on(hv);
+
+- {
+- const HE *counter = HeNEXT(entry);
+-
+- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+- if (!counter) { /* initial entry? */
+- } else if (xhv->xhv_keys > xhv->xhv_max) {
+- /* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit
+- bucket splits on a rehashed hash, as we're not going to
+- split it again, and if someone is lucky (evil) enough to
+- get all the keys in one list they could exhaust our memory
+- as we repeatedly double the number of buckets on every
+- entry. Linear search feels a less worse thing to do. */
+- hsplit(hv);
+- } else if(!HvREHASH(hv)) {
+- U32 n_links = 1;
+-
+- while ((counter = HeNEXT(counter)))
+- n_links++;
+-
+- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) {
+- hsplit(hv);
+- }
+- }
++ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
++ if ( SHOULD_DO_HSPLIT(xhv) ) {
++ hsplit(hv);
+ }
+
+ if (return_svp) {
+@@ -1192,7 +1173,7 @@ S_hsplit(pTHX_ HV *hv)
+
+
+ /* Pick your policy for "hashing isn't working" here: */
+- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */
++ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */
+ || HvREHASH(hv)) {
+ return;
+ }
+@@ -2831,8 +2812,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags)
+
+ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+ if (!next) { /* initial entry? */
+- } else if (xhv->xhv_keys > xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) {
+- hsplit(PL_strtab);
++ } else if ( SHOULD_DO_HSPLIT(xhv) ) {
++ hsplit(PL_strtab);
+ }
+ }
+
+diff --git a/t/op/hash.t b/t/op/hash.t
+index 278bea7..201260a 100644
+--- a/t/op/hash.t
++++ b/t/op/hash.t
+@@ -39,22 +39,36 @@ use constant THRESHOLD => 14;
+ use constant START => "a";
+
+ # some initial hash data
+-my %h2 = map {$_ => 1} 'a'..'cc';
++my %h2;
++my $counter= "a";
++$h2{$counter++}++ while $counter ne 'cd';
+
+ ok (!Internals::HvREHASH(%h2),
+ "starting with pre-populated non-pathological hash (rehash flag if off)");
+
+ my @keys = get_keys(\%h2);
++my $buckets= buckets(\%h2);
+ $h2{$_}++ for @keys;
++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
+ ok (Internals::HvREHASH(%h2),
+- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
++
++# returns the number of buckets in a hash
++sub buckets {
++ my $hr = shift;
++ my $keys_buckets= scalar(%$hr);
++ if ($keys_buckets=~m!/([0-9]+)\z!) {
++ return 0+$1;
++ } else {
++ return 8;
++ }
++}
+
+ sub get_keys {
+ my $hr = shift;
+
+ # the minimum of bits required to mount the attack on a hash
+ my $min_bits = log(THRESHOLD)/log(2);
+-
+ # if the hash has already been populated with a significant amount
+ # of entries the number of mask bits can be higher
+ my $keys = scalar keys %$hr;
+--
+1.8.3.1
+
projects / scm / bb / tizen-distro.git / commitdiff