From 894a4fe285c9d1e7c3502d2125a7c685d9c0990b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Tue, 27 Jun 2017 14:51:32 +0200
Subject: Fix an out-of-bound access and an indefinite array of hash decoding
---
 ...-fix-two-bugs-found-by-american-fuzzy-lop.patch | 67 ++++++++++++++++++++++
 perl-CBOR-XS.spec | 9 ++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
diff --git a/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch b/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
new file mode 100644
index 0000000..4866857
--- /dev/null
+++ b/CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
@@ -0,0 +1,67 @@
+From 4eecb9969aef6dca9b87354810623aa0e3b5c7c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Tue, 27 Jun 2017 14:49:16 +0200
+Subject: [PATCH] fix two bugs found by american fuzzy lop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported from 1.7:
+
+1.7 Tue Jun 27 04:02:23 CEST 2017
+ - SECURITY FIX: fix two bugs found by american fuzzy lop,
+ upgrade is advised if you accept data from untrusted
+ sources.
+ - an out-of bound sharedref or stringref index could cause an
+ out of bounds access - might be exploitable.
+ - a decoding error during indefinite array or hash decoding
+ could cause an endless loop.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ XS.xs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/XS.xs b/XS.xs
+index 56223bd..46afb8d 100644
+--- a/XS.xs
++++ b/XS.xs
+@@ -713,7 +713,7 @@ decode_av (dec_t *dec)
+ {
+ WANT (1);
+
+- if (*dec->cur == (MAJOR_MISC | MINOR_INDEF))
++ if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err)
+ {
+ ++dec->cur;
+ break;
+@@ -803,7 +803,7 @@ decode_hv (dec_t *dec)
+ {
+ WANT (1);
+
+- if (*dec->cur == (MAJOR_MISC | MINOR_INDEF))
++ if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err)
+ {
+ ++dec->cur;
+ break;
+@@ -930,7 +930,7 @@ decode_tagged (dec_t *dec)
+
+ UV idx = decode_uint (dec);
+
+- if (!dec->stringref || (int)idx > AvFILLp (dec->stringref))
++ if (!dec->stringref || idx >= (UV) (1 + AvFILLp (dec->stringref)))
+ ERR ("corrupted CBOR data (stringref index out of bounds or outside namespace)");
+
+ sv = newSVsv (AvARRAY (dec->stringref)[idx]);
+@@ -968,7 +968,7 @@ decode_tagged (dec_t *dec)
+
+ UV idx = decode_uint (dec);
+
+- if (!dec->shareable || (int)idx > AvFILLp (dec->shareable))
++ if (!dec->shareable || idx >= (UV)(1+ AvFILLp (dec->shareable)))
+ ERR ("corrupted CBOR data (sharedref index out of bounds)");
+
+ sv = SvREFCNT_inc_NN (AvARRAY (dec->shareable)[idx]);
+--
+2.9.4
+
diff --git a/perl-CBOR-XS.spec b/perl-CBOR-XS.spec
index 9115d81..f63dee2 100644
--- a/perl-CBOR-XS.spec
+++ b/perl-CBOR-XS.spec
@@ -1,7 +1,7 @@
 %global cpan_version 1.41
 Name: perl-CBOR-XS
 Version: %(echo %{cpan_version} | sed 's/\(\..\)\(.\)/\1.\2/')
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Concise Binary Object Representation (CBOR)
 # COPYING: GPLv3+
 ## Replaced by system header-only package
@@ -14,6 +14,9 @@ Source0: http://www.cpan.org/authors/id/M/ML/MLEHMANN/CBOR-XS-%{cpan_vers
 Patch0: CBOR-XS-1.3-Include-ecb.h-from-system.patch
 # Silent compiler warnings
 Patch1: CBOR-XS-1.41-Cast-char-and-U8-where-needed.patch
+# Fix an out-of-bound access and an indefinite array of hash decoding,
+# in upstream 1.7
+Patch2: CBOR-XS-1.41-fix-two-bugs-found-by-american-fuzzy-lop.patch
 BuildRequires: coreutils
 BuildRequires: findutils
 # gcc for standard header files
@@ -51,6 +54,7 @@ represent it in CBOR.
 %setup -q -n CBOR-XS-%{cpan_version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 # Remove bundled libecb
 rm ecb.h
 sed -i -e '/^ecb\.h/d' MANIFEST
@@ -76,6 +80,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Tue Jun 27 2017 Petr Pisar <ppi...@redhat.com> - 1.4.1-2
+- Fix an out-of-bound access and an indefinite array of hash decoding
+
 * Mon Feb 29 2016 Petr Pisar <ppi...@redhat.com> - 1.4.1-1
 - 1.41 bump
--
cgit v1.1
https://src.fedoraproject.org/cgit/perl-CBOR-XS.git/commit/?h=f24&id=894a4fe285c9d1e7c3502d2125a7c685d9c0990b
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
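Review bot: In the decode_av and decode_hv hunks of the embedded XS.xs patch, the new `|| dec->err` test is evaluated after `*dec->cur` has already been read, and it reuses the break-marker branch, so a failed nested decode still runs `++dec->cur` before leaving the loop. That ends the endless loop, but it relies on `WANT (1)` (defined outside these hunks, presumably a bounds check) to make the read safe, and it advances the cursor past a byte that was never a break marker, which would skew any error offset later derived from `dec->cur`. Testing the error on its own, `if (dec->err) break;` directly after `WANT (1);`, keeps the two exits separate. A comment such as `/* a nested decode error must end the loop, otherwise malformed input never terminates */` would record why the check exists. Both loop bodies and decode_tagged start and end outside the hunks, so what runs after the `break` is not visible here.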