Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package perl. Changes: perl (5.14.2-17) unstable; urgency=low . * Fix a double-free bug in Digest::SHA. (Closes: #698174) + update the Breaks: entry accordingly. * Avoid wraparound when casting unsigned size_t to signed ssize_t. (Closes: #698320) The first bugfix was already unblocked for the separate libdigest-sha-perl package, so it makes sense to get it fixed in perl too. The other fix was pre-approved by Adam. Please note that the debian/t/ change is in a maintainer test that is not run during the build. debian/changelog | 9 + debian/control | 2 debian/patches/fixes/64bitint-signedness-wraparound.diff | 56 ++++++++++++ debian/patches/fixes/digest-sha-doublefree.diff | 69 +++++++++++++++ debian/patches/series | 2 debian/t/control.t | 3 6 files changed, 140 insertions(+), 1 deletion(-) unblock perl/5.14.2-17 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru perl-5.14.2/debian/changelog perl-5.14.2/debian/changelog
--- perl-5.14.2/debian/changelog 2012-12-10 14:49:33.000000000 +0200
+++ perl-5.14.2/debian/changelog 2013-01-26 19:30:14.000000000 +0200
@@ -1,3 +1,12 @@
+perl (5.14.2-17) unstable; urgency=low
+
+ * Fix a double-free bug in Digest::SHA. (Closes: #698174)
+ + update the Breaks: entry accordingly.
+ * Avoid wraparound when casting unsigned size_t to signed ssize_t.
+ (Closes: #698320)
+
+ -- Niko Tyni <nt...@debian.org> Fri, 25 Jan 2013 15:22:58 +0200
+
 perl (5.14.2-16) unstable; urgency=medium
 
 * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
diff -Nru perl-5.14.2/debian/control perl-5.14.2/debian/control
--- perl-5.14.2/debian/control 2012-12-10 14:49:33.000000000 +0200
+++ perl-5.14.2/debian/control 2013-01-25 15:18:21.000000000 +0200
@@ -282,7 +282,7 @@
 libmime-base64-perl (<< 3.13),
 libtime-hires-perl (<< 1.9721.01),
 libstorable-perl (<< 2.27),
- libdigest-sha-perl (<< 5.61),
+ libdigest-sha-perl (<< 5.71-2),
 libsys-syslog-perl (<< 0.27),
 libcompress-zlib-perl (<< 2.033),
 libcompress-raw-zlib-perl (<< 2.033),
diff -Nru perl-5.14.2/debian/patches/fixes/64bitint-signedness-wraparound.diff perl-5.14.2/debian/patches/fixes/64bitint-signedness-wraparound.diff
--- perl-5.14.2/debian/patches/fixes/64bitint-signedness-wraparound.diff 1970-01-01 02:00:00.000000000 +0200
+++ perl-5.14.2/debian/patches/fixes/64bitint-signedness-wraparound.diff 2013-01-25 15:18:22.000000000 +0200
@@ -0,0 +1,56 @@
+From e36d65ba661bd0f9c9ae741c8f18d2e08682e97a Mon Sep 17 00:00:00 2001
+From: Andy Dougherty <dough...@lafayette.edu>
+Date: Wed, 16 Jan 2013 12:30:43 -0500
+Subject: Avoid wraparound when casting unsigned size_t to signed ssize_t.
+
+Practically, this only affects a perl compiled with 64-bit IVs on a 32-bit
+system. In that instance a value of count >= 2**31 would turn negative
+when cast to (ssize_t).
+
+Origin: upstream, http://perl5.git.perl.org/perl.git/commit/94e529cc4d56863d7272c254a29eda2b002a4335
+Bug-Debian: http://bugs.debian.org/698320
+Patch-Name: fixes/64bitint-signedness-wraparound.diff
+---
+ perlio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/perlio.c b/perlio.c
+index e42a78f..6c40e34 100644
+--- a/perlio.c
++++ b/perlio.c
+@@ -2192,7 +2192,7 @@ PerlIOBase_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
+ SSize_t avail = PerlIO_get_cnt(f);
+ SSize_t take = 0;
+ if (avail > 0)
+- take = ((SSize_t)count < avail) ? (SSize_t)count : avail;
++ take = (((SSize_t) count >= 0) && ((SSize_t)count < avail)) ?
(SSize_t)count : avail;
+ if (take > 0) {
+ STDCHAR *ptr = PerlIO_get_ptr(f);
+ Copy(ptr, buf, take, STDCHAR);
+@@ -4125,7 +4125,7 @@ PerlIOBuf_unread(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
+ */
+ b->posn -= b->bufsiz;
+ }
+- if (avail > (SSize_t) count) {
++ if ((SSize_t) count >= 0 && avail > (SSize_t) count) {
+ /*
+ * If we have space for more than count, just move count
+ */
+@@ -4175,7 +4175,7 @@ PerlIOBuf_write(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
+ }
+ while (count > 0) {
+ SSize_t avail = b->bufsiz - (b->ptr - b->buf);
+- if ((SSize_t) count < avail)
++ if ((SSize_t) count >= 0 && (SSize_t) count < avail)
+ avail = count;
+ if (flushptr > buf && flushptr <= buf + avail)
+ avail = flushptr - buf;
+@@ -4450,7 +4450,7 @@ PerlIOPending_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
+ {
+ SSize_t avail = PerlIO_get_cnt(f);
+ SSize_t got = 0;
+- if ((SSize_t)count < avail)
++ if ((SSize_t) count >= 0 && (SSize_t)count < avail)
+ avail = count;
+ if (avail > 0)
+ got = PerlIOBuf_read(aTHX_ f, vbuf, avail);
diff -Nru perl-5.14.2/debian/patches/fixes/digest-sha-doublefree.diff perl-5.14.2/debian/patches/fixes/digest-sha-doublefree.diff
--- perl-5.14.2/debian/patches/fixes/digest-sha-doublefree.diff 1970-01-01 02:00:00.000000000 +0200
+++ perl-5.14.2/debian/patches/fixes/digest-sha-doublefree.diff 2013-01-25 15:18:21.000000000 +0200
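Review bot: The new guard `(SSize_t) count >= 0` in the four perlio.c hunks of fixes/64bitint-signedness-wraparound.diff still relies on how the compiler converts an out-of-range Size_t to SSize_t, which C leaves implementation-defined, and nothing in the code says why the test is there. In PerlIOBase_read, where `avail > 0` is already established, the comparison could stay unsigned: `take = (count < (Size_t)avail) ? (SSize_t)count : avail;`. For PerlIOBuf_unread, PerlIOBuf_write and PerlIOPending_read I would at least add a comment such as `/* count may exceed SSize_t's range; a negative cast means "more than avail" */`. All four function bodies continue outside the embedded hunks, so later uses of `count` cannot be checked from here.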
@@ -0,0 +1,69 @@
+From d2d9e1560afaeb402dda69eba1d6e808d80c0c96 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Fri, 25 Jan 2013 15:00:00 +0200
+Subject: Fix a double-free bug in Digest::SHA
+
+Fix double-free when loading Digest::SHA object representing the
+intermediate SHA state from a file.
+
+Origin: upstream, http://perl5.git.perl.org/perl.git/commit/a8c6ff7b8e8c6037333c21f9b3f6b38b9278df4f
+Origin: upstream, https://metacpan.org/diff/release/MSHELOR/Digest-SHA-5.80/MSHELOR/Digest-SHA-5.81
+Bug-Debian: http://bugs.debian.org/698172
+Bug: https://rt.cpan.org/Ticket/Display.html?id=82655
+Patch-Name: fixes/digest-sha-doublefree.diff
+---
+ cpan/Digest-SHA/lib/Digest/SHA.pm | 11 +++++++----
+ cpan/Digest-SHA/src/sha.c | 2 +-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/cpan/Digest-SHA/lib/Digest/SHA.pm b/cpan/Digest-SHA/lib/Digest/SHA.pm
+index f809ce3..8cea302 100644
+--- a/cpan/Digest-SHA/lib/Digest/SHA.pm
++++ b/cpan/Digest-SHA/lib/Digest/SHA.pm
+@@ -53,7 +53,7 @@ sub new {
+ return($class);
+ }
+ shaclose($$class) if $$class;
+- $$class = shaopen($alg) || return;
++ return unless $$class = shaopen($alg);
+ return($class);
+ }
+ $alg = 1 unless defined $alg;
+@@ -153,18 +153,21 @@ sub Addfile {
+ 
+ sub dump {
+ my $self = shift;
+- my $file = shift || "";
++ my $file = shift;
+ 
++ $file = "" unless defined $file;
+ shadump($file, $$self) || return;
+ return($self);
+ }
+ 
+ sub load {
+ my $class = shift;
+- my $file = shift || "";
++ my $file = shift;
++
++ $file = "" unless defined $file;
+ if (ref($class)) { # instance method
+ shaclose($$class) if $$class;
+- $$class = shaload($file) || return;
++ return unless $$class = shaload($file);
+ return($class);
+ }
+ my $state = shaload($file) || return;
+diff --git a/cpan/Digest-SHA/src/sha.c b/cpan/Digest-SHA/src/sha.c
+index 20f2d71..f512437 100644
+--- a/cpan/Digest-SHA/src/sha.c
++++ b/cpan/Digest-SHA/src/sha.c
+@@ -272,7 +272,7 @@ void sharewind(SHA *s)
+ /*
shaopen: creates a new digest object */
+ SHA *shaopen(int alg)
+ {
+- SHA *s;
++ SHA *s = NULL;
+ 
+ if (alg != SHA1 && alg != SHA224 && alg != SHA256 &&
+ alg != SHA384 && alg != SHA512 &&
diff -Nru perl-5.14.2/debian/patches/series perl-5.14.2/debian/patches/series
--- perl-5.14.2/debian/patches/series 2012-12-10 14:49:34.000000000 +0200
+++ perl-5.14.2/debian/patches/series 2013-01-25 15:18:22.000000000 +0200
@@ -73,3 +73,5 @@
 fixes/cgi-cr-escaping.diff
 fixes/maketext-code-execution.diff
 fixes/storable-security-warning.diff
+fixes/digest-sha-doublefree.diff
+fixes/64bitint-signedness-wraparound.diff
diff -Nru perl-5.14.2/debian/t/control.t perl-5.14.2/debian/t/control.t
--- perl-5.14.2/debian/t/control.t 2012-12-10 14:49:34.000000000 +0200
+++ perl-5.14.2/debian/t/control.t 2013-01-25 15:18:21.000000000 +0200
@@ -46,6 +46,9 @@
 "libautodie-perl" => {
 "2.1001" => "2.10.01",
 },
+ "libdigest-sha-perl" => {
+ "5.61" => "5.71",
+ },
 );
 
 # list special cases where a Breaks entry doesn't need to imply
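Review bot: The double-free fix in `new` and `load` of SHA.pm (fixes/digest-sha-doublefree.diff) works only because `$$class` is now assigned before the early return, and neither line says so; the old `$$class = shaopen($alg) || return;` returned before the assignment and left the handle already passed to `shaclose` in place. A comment such as `# assign first so a failed open/load overwrites the handle freed above` on both `return unless $$class = ...` lines would keep a later cleanup from restoring the old form. Separately, the patch header gives `Bug-Debian: http://bugs.debian.org/698172` while the changelog entry closes #698174; one of the two should be corrected. Both subs begin or end outside the embedded hunks, so the destructor path that would free the handle a second time is inferred, not visible here.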