[Perl/perl5] 704791: Fix read/write past buffer end: perl-security#140

2023-11-25 Thread Paul Evans via perl5-changes
  Branch: refs/heads/maint-5.36
  Home:   https://github.com/Perl/perl5
  Commit: 7047915eef37fccd93e7cd985c29fe6be54650b6
  
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
  Author: Karl Williamson 
  Date:   2023-10-19 (Thu, 19 Oct 2023)

  Changed paths:
M regcomp.c
M t/re/pat_advanced.t

  Log Message:
  ---
  Fix read/write past buffer end: perl-security#140

A package name may be specified in a \p{...} regular expression
construct.  If unspecified, "utf8::" is assumed, which is the package
all official Unicode properties are in.  By specifying a different
package, one can create a user-defined property with the same
unqualified name as a Unicode one.  Such a property is defined by a sub
whose name begins with "Is" or "In", and if the sub wishes to refer to
an official Unicode property, it must explicitly specify the "utf8::".
S_parse_uniprop_string() is used to parse the interior of both \p{} and
the user-defined sub lines.

In S_parse_uniprop_string(), it parses the input "name" parameter,
creating a modified copy, "lookup_name", malloc'ed with the same size as
"name".  The modifications are essentially to create a canonicalized
version of the input, with such things as extraneous white-space
stripped off.  I found it convenient to strip off the package specifier
"utf8::".  To do so, the code simply pretends "lookup_name" begins just
after the "utf8::", and adjusts various other values to compensate.
However, it missed the adjustment of one required one.

This is only a problem when the property name begins with "perl" and
isn't "perlspace" nor "perlword".  All such ones are undocumented
internal properties.

What happens in this case is that the input is reparsed with slightly
different rules in effect as to what is legal versus illegal.  The
problem is that "lookup_name" no longer is pointing to its initial
value, but "name" is.  Thus the space allocated for filling "lookup_name"
is now shorter than "name", and as this shortened "lookup_name" is
filled by copying suitable portions of "name", the write can be to
unallocated space.

The solution is to skip the "utf8::" when reparsing "name".  Then both
"lookup_name" and "name" are effectively shortened by the same amount,
and there is no going off the end.

This commit also does white-space adjustment so that things align
vertically for readability.

This can be easily backported to earlier Perl releases.
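
As an added illustration (not Perl's code and not part of this commit), the following constructed C model reproduces the bookkeeping the message describes: "lookup_name" is malloc'ed with the size of "name", the package prefix is skipped by advancing the destination pointer, and the reparse of a "perl*" property copies from "name" into that shortened buffer. The function names, the simplified canonicalisation rules and the sample inputs are assumptions; the `fixed` flag applies the commit's remedy of advancing "name" past "utf8::" as well.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Perl's code: the canonicalising copy (white space
 * stripped, case folded) writes at most 'avail' bytes and returns the size the
 * full result needs, so needed > avail is the overrun an unchecked copy makes. */
static size_t canonicalize(const char *src, size_t srclen, char *dst, size_t avail)
{
    size_t out = 0;
    for (size_t i = 0; i < srclen; i++) {
        if (isspace((unsigned char)src[i]))
            continue;
        if (out < avail)
            dst[out] = (char)tolower((unsigned char)src[i]);
        out++;
    }
    return out;
}

/* Bytes the reparse of "name" would write past the end of lookup_name (0 means
 * in bounds).  fixed != 0 applies the commit's fix: advance "name" past
 * "utf8::" too, so both strings shrink by the same amount. */
size_t reparse_overrun(const char *name, int fixed)
{
    const size_t pkg_len = strlen("utf8::");
    size_t name_len = strlen(name), avail = name_len, overrun = 0;
    char *lookup_name = malloc(name_len + 1), *lookup = lookup_name; /* same size as "name" */
    const char *body = name;                    /* what the first pass reads */
    size_t body_len = name_len;

    if (name_len > pkg_len && strncmp(name, "utf8::", pkg_len) == 0) {
        lookup += pkg_len;                      /* pretend lookup_name starts after "utf8::" */
        avail -= pkg_len;
        body += pkg_len;                        /* the first pass compensates correctly */
        body_len -= pkg_len;
        if (fixed) { name = body; name_len = body_len; } /* the fix: shorten "name" too */
    }
    lookup[canonicalize(body, body_len, lookup, avail)] = '\0';

    /* "perl*" properties other than perlspace/perlword are reparsed, copying
     * from the unshortened "name" into the shortened lookup buffer. */
    if (strncmp(lookup, "perl", 4) == 0 && strcmp(lookup, "perlspace") != 0
        && strcmp(lookup, "perlword") != 0) {
        size_t needed = canonicalize(name, name_len, lookup, avail);
        if (needed > avail)
            overrun = needed - avail;
    }
    free(lookup_name);
    return overrun;
}
```

With the unfixed bookkeeping, "utf8::perlfoo" reports a 6-byte overrun (exactly the length of the skipped prefix); with the fix, or for names that are not reparsed, it reports 0.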


  Commit: 17473140d05a805fe184e5cf4c2f5829d7d86b8e
  
https://github.com/Perl/perl5/commit/17473140d05a805fe184e5cf4c2f5829d7d86b8e
  Author: Tony Cook 
  Date:   2023-11-01 (Wed, 01 Nov 2023)

  Changed paths:
M t/win32/system.t
M win32/win32.c

  Log Message:
  ---
  win32: default the shell to cmd.exe in the Windows system directory

This prevents picking up cmd.exe from the current directory, or
even from the PATH.

This protects against a privilege escalation attack where an attacker
in a separate session creates a cmd.exe in a directory where the
target account happens to have its current directory.


  Commit: e7964d405267bf76f748f0791b9590a1e379c3df
  
https://github.com/Perl/perl5/commit/e7964d405267bf76f748f0791b9590a1e379c3df
  Author: Paul "LeoNerd" Evans 
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
M pod/perldelta.pod

  Log Message:
  ---
  Add perldelta notes for the two security bug fixes


  Commit: bb5d5efbff6161f0139073d5a7ace094bc4cca89
  
https://github.com/Perl/perl5/commit/bb5d5efbff6161f0139073d5a7ace094bc4cca89
  Author: Paul "LeoNerd" Evans 
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
M Cross/config.sh-arm-linux
M Cross/config.sh-arm-linux-n770
M INSTALL
M META.json
M META.yml
M Porting/config.sh
M Porting/config_H
M Porting/make-rmg-checklist
M Porting/perldelta_template.pod
M Porting/todo.pod
M README.haiku
M README.macosx
M README.os2
M README.vms
M hints/catamount.sh
M lib/B/Op_private.pm
M patchlevel.h
M plan9/config_sh.sample
M win32/GNUmakefile
M win32/Makefile

  Log Message:
  ---
  Bump the perl version in various places for 5.36.2


  Commit: e4792cbec2ad616f58c8316dcb0f3614f5491f2b
  
https://github.com/Perl/perl5/commit/e4792cbec2ad616f58c8316dcb0f3614f5491f2b
  Author: Paul "LeoNerd" Evans 
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
M .mailmap

  Log Message:
  ---
  Update .mailmap for 5.36.2


  Commit: a252809ed1a4dcce0f44b598e243106af3b2d298
  
https://github.com/Perl/perl5/commit/a252809ed1a4dcce0f44b598e243106af3b2d298
  Author: Paul "LeoNerd" Evans 
  Date:   2023-11-21 (Tue, 21 Nov 2023)

  Changed paths:
M dist/Module-CoreList/Changes
M dist/Module-CoreList/lib/Module/CoreList.pm
M dist/Module-CoreList/lib/Module/CoreList/Utils.pm

  Log Message:
  ---
  Import Module::CoreList v5.20231125 from blead



[Perl/perl5] 704791: Fix read/write past buffer end: perl-security#140

2023-11-25 Thread Paul Evans via perl5-changes
  Branch: refs/tags/v5.36.2
  Home:   https://github.com/Perl/perl5
  Commit: 7047915eef37fccd93e7cd985c29fe6be54650b6
  
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6