diff options
| author | root <root@rshg054.dnsready.net> | 2012-10-31 01:35:35 -0700 |
|---|---|---|
| committer | root <root@rshg054.dnsready.net> | 2012-10-31 01:35:35 -0700 |
| commit | 5827948456201df72a1bd73e87977c569129fb27 (patch) | |
| tree | 4842639ddc958690e68f74c496ea60844200450b /core/perl | |
| parent | 455295fdb5009a8cd7b033a93e01f7450fd3087b (diff) | |
Wed Oct 31 01:34:59 PDT 2012
Diffstat (limited to 'core/perl')
| -rw-r--r-- | core/perl/PKGBUILD | 11 | ||||
| -rw-r--r-- | core/perl/cve-2012-5195.patch | 29 |
2 files changed, 37 insertions, 3 deletions
diff --git a/core/perl/PKGBUILD b/core/perl/PKGBUILD index f8fe56971..5052a5c65 100644 --- a/core/perl/PKGBUILD +++ b/core/perl/PKGBUILD @@ -1,11 +1,12 @@ -# $Id: PKGBUILD 165149 2012-08-11 20:00:01Z bluewind $ -# Maintainer: Angel Velasquez <angvp@archlinux.org> +# $Id: PKGBUILD 169818 2012-10-30 11:27:57Z bluewind $ +# Maintainer: Florian Pritz <bluewind@xinu.at> +# Contributor: Angel Velasquez <angvp@archlinux.org> # Contributor: kevin <kevin.archlinux.org> # Contributor: judd <jvinet.zeroflux.org> # Contributor: francois <francois.archlinux.org> pkgname=perl pkgver=5.16.1 -pkgrel=1 +pkgrel=2 pkgdesc="A highly capable, feature-rich programming language" arch=(i686 x86_64) license=('GPL' 'PerlArtistic') @@ -16,12 +17,14 @@ changelog=ChangeLog source=(http://www.cpan.org/src/5.0/perl-${pkgver}.tar.bz2 perlbin.sh perlbin.csh +cve-2012-5195.patch provides.pl) install=perl.install options=('makeflags' '!purge') md5sums=('b87358e2c461a898cfd7c334e7dd8993' '5ed2542fdb9a60682f215bd33701e61a' '1f0cbbee783e8a6d32f01be5118e0d5e' + 'ba61b3b393b763b4f0b9e2f06757815a' '999c3eea6464860704abbb055a0f0896') # workaround to let the integrity check find the correct provides array @@ -32,6 +35,8 @@ fi build() { cd ${srcdir}/${pkgname}-${pkgver} + patch -i "$srcdir/cve-2012-5195.patch" -p1 + if [ "${CARCH}" = "x86_64" ]; then # for x86_64 arch_opts="-Dcccdlflags='-fPIC'" diff --git a/core/perl/cve-2012-5195.patch b/core/perl/cve-2012-5195.patch new file mode 100644 index 000000000..a995194c6 --- /dev/null +++ b/core/perl/cve-2012-5195.patch @@ -0,0 +1,29 @@ +commit b11b0d3ef18a35595a07a06c91fa4f27c9cacf5b +Author: Andy Dougherty <doughera@lafayette.edu> +Date: Thu Sep 27 09:52:18 2012 -0400 + + avoid calling memset with a negative count + + Poorly written perl code that allows an attacker to specify the count to + perl's 'x' string repeat operator can already cause a memory exhaustion + denial-of-service attack. A flaw in versions of perl before 5.15.5 can + escalate that into a heap buffer overrun; coupled with versions of glibc + before 2.16, it possibly allows the execution of arbitrary code. + + The flaw addressed to this commit has been assigned identifier + CVE-2012-5195. + +diff --git a/util.c b/util.c +index 171456f..34f5fa9 100644 +--- a/util.c ++++ b/util.c +@@ -3416,6 +3416,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I + { + PERL_ARGS_ASSERT_REPEATCPY; + ++ if (count < 0) ++ Perl_croak_nocontext("%s",PL_memory_wrap); ++ + if (len == 1) + memset(to, *from, count); + else if (count) { |