From 894a4fe285c9d1e7c3502d2125a7c685d9c0990b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Tue, 27 Jun 2017 14:51:32 +0200
Subject: Fix an out-of-bounds access and an endless loop in indefinite array or hash decoding

---
 ...-fix-two-bugs-found-by-american-fuzzy-lop.patch | 67 ++++++++++++++++++++++
 perl-CBOR-XS.spec                                  |  9 ++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch

diff --git a/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch 
b/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
new file mode 100644
index 0000000..4866857
--- /dev/null
+++ b/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
@@ -0,0 +1,67 @@
+From 4eecb9969aef6dca9b87354810623aa0e3b5c7c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Tue, 27 Jun 2017 14:49:16 +0200
+Subject: [PATCH] fix two bugs found by american fuzzy lop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported from 1.7:
+
+1.7  Tue Jun 27 04:02:23 CEST 2017
+       - SECURITY FIX: fix two bugs found by american fuzzy lop,
+          upgrade is advised if you accept data from untrusted
+          sources.
+        - an out-of bound sharedref or stringref index could cause an
+          out of bounds access - might be exploitable.
+        - a decoding error during indefinite array or hash decoding
+          could cause an endless loop.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ XS.xs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/XS.xs b/XS.xs
+index 56223bd..46afb8d 100644
+--- a/XS.xs
++++ b/XS.xs
+@@ -713,7 +713,7 @@ decode_av (dec_t *dec)
+         {
+           WANT (1);
+ 
+-          if (*dec->cur == (MAJOR_MISC | MINOR_INDEF))
++          if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err)
+             {
+               ++dec->cur;
+               break;
+@@ -803,7 +803,7 @@ decode_hv (dec_t *dec)
+         {
+           WANT (1);
+ 
+-          if (*dec->cur == (MAJOR_MISC | MINOR_INDEF))
++          if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err)
+             {
+               ++dec->cur;
+               break;
+@@ -930,7 +930,7 @@ decode_tagged (dec_t *dec)
+ 
+           UV idx = decode_uint (dec);
+ 
+-          if (!dec->stringref || (int)idx > AvFILLp (dec->stringref))
++          if (!dec->stringref || idx >= (UV) (1 + AvFILLp (dec->stringref)))
+             ERR ("corrupted CBOR data (stringref index out of bounds or 
outside namespace)");
+ 
+           sv = newSVsv (AvARRAY (dec->stringref)[idx]);
+@@ -968,7 +968,7 @@ decode_tagged (dec_t *dec)
+ 
+           UV idx = decode_uint (dec);
+ 
+-          if (!dec->shareable || (int)idx > AvFILLp (dec->shareable))
++          if (!dec->shareable || idx >= (UV)(1+ AvFILLp (dec->shareable)))
+             ERR ("corrupted CBOR data (sharedref index out of bounds)");
+ 
+           sv = SvREFCNT_inc_NN (AvARRAY (dec->shareable)[idx]);
+-- 
+2.9.4
+
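Review bot: In decode_av and decode_hv the new `|| dec->err` test sits after `WANT (1)` and shares the break-marker branch, so an error raised by the inner decode_sv can be overwritten by the "unexpected end of CBOR data" report when the failing item ended at the last input byte (if WANT() stores its reason in dec->err the way ERR() does), and `++dec->cur` then skips a byte that was never a break code. Checking the flag first, `if (dec->err) break;` placed before `WANT (1);`, keeps the original error message and leaves dec->cur where the failure happened; both loop bodies start and end outside the hunk. The two bounds checks in decode_tagged are correct, but the `1 +` is load-bearing — AvFILLp() is -1 for an empty array, so a simpler `idx > (UV) AvFILLp (...)` would wrap to UV_MAX and accept every index — and deserves a comment such as `/* AvFILLp is -1 when empty: compare against the element count so the unsigned cast cannot wrap */` on each line. The diffstat shows only XS.xs changing; a regression test in t/ that decodes a stringref with an out-of-range index and an indefinite-length array containing an invalid item byte would pin both fixes against future regressions.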
diff --git a/perl-CBOR-XS.spec b/perl-CBOR-XS.spec
index 9115d81..f63dee2 100644
--- a/perl-CBOR-XS.spec
+++ b/perl-CBOR-XS.spec
@@ -1,7 +1,7 @@
 %global cpan_version 1.41
 Name:           perl-CBOR-XS
 Version:        %(echo %{cpan_version} | sed 's/\(\..\)\(.\)/\1.\2/')
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Concise Binary Object Representation (CBOR)
 # COPYING:      GPLv3+
 ## Replaced by system header-only package
@@ -14,6 +14,9 @@ Source0:        
http://www.cpan.org/authors/id/M/ML/MLEHMANN/CBOR-XS-%{cpan_vers
 Patch0:         CBOR-XS-1.3-Include-ecb.h-from-system.patch
 # Silent compiler warnings
 Patch1:         CBOR-XS-1.41-Cast-char-and-U8-where-needed.patch
+# Fix an out-of-bound access and an indefinite array of hash decoding,
+# in upstream 1.7
+Patch2:         CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
 BuildRequires:  coreutils
 BuildRequires:  findutils
 # gcc for standard header files
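Review bot: The comment above Patch2 misstates the second bug: the patch fixes an endless loop during indefinite array or hash decoding, not "an indefinite array of hash decoding". Reword it as `# Fix an out-of-bounds access and an endless loop in indefinite array or hash decoding,` so the spec matches the upstream 1.7 changelog quoted in the patch; the same phrase reappears in the %changelog entry below.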
@@ -51,6 +54,7 @@ represent it in CBOR.
 %setup -q -n CBOR-XS-%{cpan_version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 # Remove bundled libecb
 rm ecb.h
 sed -i -e '/^ecb\.h/d' MANIFEST
@@ -76,6 +80,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Tue Jun 27 2017 Petr Pisar <ppi...@redhat.com> - 1.4.1-2
+- Fix an out-of-bound access and an indefinite array of hash decoding
+
 * Mon Feb 29 2016 Petr Pisar <ppi...@redhat.com> - 1.4.1-1
 - 1.41 bump
 
-- 


        
https://src.fedoraproject.org/cgit/perl-CBOR-XS.git/commit/?h=f24&id=894a4fe285c9d1e7c3502d2125a7c685d9c0990b