[Perl/perl5] 92a9eb: Fix read/write past buffer end: perl-security#140
Branch: refs/heads/maint-5.38
Home: https://github.com/Perl/perl5

Commit: 92a9eb3d0d52ec7655c1beb2a5a5219be664
https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb2a5a5219be664
Author: Karl Williamson
Date: 2023-10-20 (Fri, 20 Oct 2023)

Changed paths:
  M regcomp.c
  M t/re/pat_advanced.t

Log Message:
---
Fix read/write past buffer end: perl-security#140

A package name may be specified in a \p{...} regular expression construct. If unspecified, "utf8::" is assumed, which is the package all official Unicode properties are in. By specifying a different package, one can create a user-defined property with the same unqualified name as a Unicode one. Such a property is defined by a sub whose name begins with "Is" or "In", and if the sub wishes to refer to an official Unicode property, it must explicitly specify the "utf8::".

S_parse_uniprop_string() is used to parse the interior of both \p{} and the user-defined sub lines.

In S_parse_uniprop_string(), it parses the input "name" parameter, creating a modified copy, "lookup_name", malloc'ed with the same size as "name". The modifications are essentially to create a canonicalized version of the input, with such things as extraneous white-space stripped off. I found it convenient to strip off the package specifier "utf8::". To do so, the code simply pretends "lookup_name" begins just after the "utf8::", and adjusts various other values to compensate. However, it missed the adjustment of one required one.

This is only a problem when the property name begins with "perl" and isn't "perlspace" nor "perlword". All such ones are undocumented internal properties.

What happens in this case is that the input is reparsed with slightly different rules in effect as to what is legal versus illegal. The problem is that "lookup_name" no longer is pointing to its initial value, but "name" is. Thus the space allocated for filling "lookup_name" is now shorter than "name", and as this shortened "lookup_name" is filled by copying suitable portions of "name", the write can be to unallocated space.

The solution is to skip the "utf8::" when reparsing "name". Then both "lookup_name" and "name" are effectively shortened by the same amount, and there is no going off the end.

This commit also does white-space adjustment so that things align vertically for readability.

This can be easily backported to earlier Perl releases.

Commit: 8b943e377b1541a72513bb824d45603ab9a7fc97
https://github.com/Perl/perl5/commit/8b943e377b1541a72513bb824d45603ab9a7fc97
Author: Tony Cook
Date: 2023-11-01 (Wed, 01 Nov 2023)

Changed paths:
  M t/win32/system.t
  M win32/win32.c

Log Message:
---
win32: default the shell to cmd.exe in the Windows system directory

This prevents picking up cmd.exe from the current directory, or even from the PATH.

This protects against a privilege escalation attack where an attacker in a separate session creates a cmd.exe in a directory where the target account happens to have its current directory.

Commit: 2eead8d6a0be02a592cfd41e7f124d2b10154267
https://github.com/Perl/perl5/commit/2eead8d6a0be02a592cfd41e7f124d2b10154267
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M MANIFEST
  M Makefile.SH
  M pod/.gitignore
  A pod/perl5380delta.pod
  M pod/perldelta.pod
  M vms/descrip_mms.template
  M win32/GNUmakefile
  M win32/Makefile
  M win32/pod.mak

Log Message:
---
Create new perldelta for 5.38.1

Needed to manually edit win32/pod.mak to make sure it didn't lose the entries for perl5380delta.pod

Commit: 2d00bc45c5a0a53e522a6b986b0e343097e4696c
https://github.com/Perl/perl5/commit/2d00bc45c5a0a53e522a6b986b0e343097e4696c
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M pod/perldelta.pod

Log Message:
---
Add perldelta notes for the two security bug fixes

Commit: 391f9c6a1545a5e2f3d602a384cd5f7e3ae50d78
https://github.com/Perl/perl5/commit/391f9c6a1545a5e2f3d602a384cd5f7e3ae50d78
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M Cross/config.sh-arm-linux
  M Cross/config.sh-arm-linux-n770
  M INSTALL
  M META.json
  M META.yml
  M Porting/config.sh
  M Porting/config_H
  M Porting/sync-with-cpan
  M README.haiku
  M README.macosx
  M README.os2
  M README.vms
  M hints/catamount.sh
  M lib/B/Op_private.pm
  M patchlevel.h
  M plan9/config_sh.sample
  M win32/GNUmakefile
  M win32/Makefile

Log Message:
---
Bump the perl version in various places for 5.38.1

Commit: d7765ca484d1eac2afa4f6156d2f3df077a6e3ed
https://github.com/Perl/perl5/commit/d7765ca484d1eac2afa4f6156d2f3df077a6e3ed
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M pod/perl.pod

Log

[Perl/perl5] 92a9eb: Fix read/write past buffer end: perl-security#140
Branch: refs/tags/v5.38.1
Home: https://github.com/Perl/perl5

Commit: 92a9eb3d0d52ec7655c1beb2a5a5219be664
https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb2a5a5219be664
Author: Karl Williamson
Date: 2023-10-20 (Fri, 20 Oct 2023)

Changed paths:
  M regcomp.c
  M t/re/pat_advanced.t

Log Message:
---
Fix read/write past buffer end: perl-security#140

A package name may be specified in a \p{...} regular expression construct. If unspecified, "utf8::" is assumed, which is the package all official Unicode properties are in. By specifying a different package, one can create a user-defined property with the same unqualified name as a Unicode one. Such a property is defined by a sub whose name begins with "Is" or "In", and if the sub wishes to refer to an official Unicode property, it must explicitly specify the "utf8::".

S_parse_uniprop_string() is used to parse the interior of both \p{} and the user-defined sub lines.

In S_parse_uniprop_string(), it parses the input "name" parameter, creating a modified copy, "lookup_name", malloc'ed with the same size as "name". The modifications are essentially to create a canonicalized version of the input, with such things as extraneous white-space stripped off. I found it convenient to strip off the package specifier "utf8::". To do so, the code simply pretends "lookup_name" begins just after the "utf8::", and adjusts various other values to compensate. However, it missed the adjustment of one required one.

This is only a problem when the property name begins with "perl" and isn't "perlspace" nor "perlword". All such ones are undocumented internal properties.

What happens in this case is that the input is reparsed with slightly different rules in effect as to what is legal versus illegal. The problem is that "lookup_name" no longer is pointing to its initial value, but "name" is. Thus the space allocated for filling "lookup_name" is now shorter than "name", and as this shortened "lookup_name" is filled by copying suitable portions of "name", the write can be to unallocated space.

The solution is to skip the "utf8::" when reparsing "name". Then both "lookup_name" and "name" are effectively shortened by the same amount, and there is no going off the end.

This commit also does white-space adjustment so that things align vertically for readability.

This can be easily backported to earlier Perl releases.

Commit: 8b943e377b1541a72513bb824d45603ab9a7fc97
https://github.com/Perl/perl5/commit/8b943e377b1541a72513bb824d45603ab9a7fc97
Author: Tony Cook
Date: 2023-11-01 (Wed, 01 Nov 2023)

Changed paths:
  M t/win32/system.t
  M win32/win32.c

Log Message:
---
win32: default the shell to cmd.exe in the Windows system directory

This prevents picking up cmd.exe from the current directory, or even from the PATH.

This protects against a privilege escalation attack where an attacker in a separate session creates a cmd.exe in a directory where the target account happens to have its current directory.

Commit: 2eead8d6a0be02a592cfd41e7f124d2b10154267
https://github.com/Perl/perl5/commit/2eead8d6a0be02a592cfd41e7f124d2b10154267
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M MANIFEST
  M Makefile.SH
  M pod/.gitignore
  A pod/perl5380delta.pod
  M pod/perldelta.pod
  M vms/descrip_mms.template
  M win32/GNUmakefile
  M win32/Makefile
  M win32/pod.mak

Log Message:
---
Create new perldelta for 5.38.1

Needed to manually edit win32/pod.mak to make sure it didn't lose the entries for perl5380delta.pod

Commit: 2d00bc45c5a0a53e522a6b986b0e343097e4696c
https://github.com/Perl/perl5/commit/2d00bc45c5a0a53e522a6b986b0e343097e4696c
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M pod/perldelta.pod

Log Message:
---
Add perldelta notes for the two security bug fixes

Commit: 391f9c6a1545a5e2f3d602a384cd5f7e3ae50d78
https://github.com/Perl/perl5/commit/391f9c6a1545a5e2f3d602a384cd5f7e3ae50d78
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M Cross/config.sh-arm-linux
  M Cross/config.sh-arm-linux-n770
  M INSTALL
  M META.json
  M META.yml
  M Porting/config.sh
  M Porting/config_H
  M Porting/sync-with-cpan
  M README.haiku
  M README.macosx
  M README.os2
  M README.vms
  M hints/catamount.sh
  M lib/B/Op_private.pm
  M patchlevel.h
  M plan9/config_sh.sample
  M win32/GNUmakefile
  M win32/Makefile

Log Message:
---
Bump the perl version in various places for 5.38.1

Commit: d7765ca484d1eac2afa4f6156d2f3df077a6e3ed
https://github.com/Perl/perl5/commit/d7765ca484d1eac2afa4f6156d2f3df077a6e3ed
Author: Paul "LeoNerd" Evans
Date: 2023-11-21 (Tue, 21 Nov 2023)

Changed paths:
  M pod/perl.pod

Log Message:
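
The overrun described in the log message for 92a9eb above, as an added example that is not code from regcomp.c or from the Perl project: a simplified C model of a destination pointer advanced past "utf8::" while the reparse still copies from the start of the source. The function names, the `skip_pkg_on_reparse` flag and the sample property name are hypothetical, and the buffer carries extra slack so the model only counts the out-of-bounds bytes instead of writing them.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKG     "utf8::"
#define PKG_LEN 6

/* Per the commit message: only names starting with "perl", other than
 * "perlspace" and "perlword", take the reparse path. */
static int needs_reparse(const char *prop)
{
    return strncmp(prop, "perl", 4) == 0
        && strcmp(prop, "perlspace") != 0
        && strcmp(prop, "perlword") != 0;
}

/* Hypothetical model, not regcomp.c. Returns the number of bytes the reparse
 * writes past the space that logically belongs to lookup_name (0 = in bounds). */
static size_t reparse_overrun(const char *name, int skip_pkg_on_reparse)
{
    size_t name_len = strlen(name), capacity = name_len, start = 0, j = 0;
    int has_pkg = name_len >= PKG_LEN && memcmp(name, PKG, PKG_LEN) == 0;
    /* Logical allocation is name_len bytes; PKG_LEN bytes of slack exist only
     * so this demonstration never touches memory it does not own. */
    char *base = calloc(name_len + PKG_LEN, 1);
    char *lookup_name = base;
    if (!base) return (size_t)-1;

    if (has_pkg) {
        lookup_name += PKG_LEN;              /* pretend the copy starts after utf8:: */
        capacity    -= PKG_LEN;              /* room left behind the moved pointer */
        if (skip_pkg_on_reparse) start = PKG_LEN;   /* the fix */
    }
    if (needs_reparse(name + (has_pkg ? PKG_LEN : 0))) {
        for (size_t i = start; i < name_len; i++)   /* refill from name */
            if (!isspace((unsigned char)name[i]))
                lookup_name[j++] = (char)tolower((unsigned char)name[i]);
    }
    free(base);
    return j > capacity ? j - capacity : 0;
}

int main(void)
{
    const char *name = "utf8::perlexample";  /* constructed sample name */
    printf("before fix: %zu bytes past end\n", reparse_overrun(name, 0));
    printf("after fix:  %zu bytes past end\n", reparse_overrun(name, 1));
    return 0;
}
```

In this model the overrun equals the length of the skipped "utf8::" prefix, which is why shortening the source by the same amount closes the gap.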