Received: by mail.netbsd.org (Postfix, from userid 605) id DB91F84D85; Sat, 23 Sep 2017 05:29:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 6D95A84D36 for ; Sat, 23 Sep 2017 05:29:08 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id 7eh8ToJ4XD_k for ; Sat, 23 Sep 2017 05:29:07 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id D734184CF0 for ; Sat, 23 Sep 2017 05:29:07 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id D2F0FFA9C; Sat, 23 Sep 2017 05:29:07 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_150614454771380" MIME-Version: 1.0 Date: Sat, 23 Sep 2017 05:29:07 +0000 From: "Maya Rashish" Subject: CVS commit: pkgsrc/lang/perl5 To: pkgsrc-changes@NetBSD.org Reply-To: maya@netbsd.org X-Mailer: log_accum Message-Id: <20170923052907.D2F0FFA9C@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_150614454771380 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: maya Date: Sat Sep 23 05:29:07 UTC 2017 Modified Files: pkgsrc/lang/perl5: Makefile distinfo Added Files: pkgsrc/lang/perl5/patches: patch-regcomp.c Log Message: perl5: patch for CVE-2017-12837, CVE-2017-12883 CVE-2017-12837: heap buffer overflow in regular expression compiler CVE-2017-12883: buffer over-read in regular expression parser From upstream commits: https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5 bump PKGREVISION To generate a diff of this commit: cvs rdiff -u -r1.240 -r1.241 pkgsrc/lang/perl5/Makefile cvs rdiff -u -r1.144 -r1.145 pkgsrc/lang/perl5/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/lang/perl5/patches/patch-regcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_150614454771380 Content-Disposition: inline Content-Length: 3821 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/perl5/Makefile diff -u pkgsrc/lang/perl5/Makefile:1.240 pkgsrc/lang/perl5/Makefile:1.241 --- pkgsrc/lang/perl5/Makefile:1.240 Fri Jul 7 05:54:24 2017 +++ pkgsrc/lang/perl5/Makefile Sat Sep 23 05:29:07 2017 @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.240 2017/07/07 05:54:24 wiz Exp $ +# $NetBSD: Makefile,v 1.241 2017/09/23 05:29:07 maya Exp $ .include "license.mk" .include "Makefile.common" COMMENT= Practical Extraction and Report Language -PKGREVISION= 2 +PKGREVISION= 3 CONFLICTS+= perl-base-[0-9]* perl-thread-[0-9]* Index: pkgsrc/lang/perl5/distinfo diff -u pkgsrc/lang/perl5/distinfo:1.144 pkgsrc/lang/perl5/distinfo:1.145 --- pkgsrc/lang/perl5/distinfo:1.144 Fri Jul 7 05:54:24 2017 +++ pkgsrc/lang/perl5/distinfo Sat Sep 23 05:29:07 2017 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.144 2017/07/07 05:54:24 wiz Exp $ +$NetBSD: distinfo,v 1.145 2017/09/23 05:29:07 maya Exp $ SHA1 (perl-5.26.0.tar.bz2) = 2ca1b28f2c3ed4cc3b74be89d150ed0377f0336a RMD160 (perl-5.26.0.tar.bz2) = a853a1ec299d7c6ba8239e8ed444ee6d922b8938 @@ -24,5 +24,6 @@ SHA1 (patch-hints_cygwin.sh) = 1b21d927d SHA1 (patch-hints_netbsd.sh) = 0d549a48800372d75fe34b783529a78cba90f646 SHA1 (patch-hints_sco.sh) = 8d43cdc0632799e1cdb5dc6fdb968052a9ae4216 SHA1 (patch-hints_solaris__2.sh) = 0e54889648a6f0f2a0232c5e01bef89d245c213d +SHA1 (patch-regcomp.c) = e217518eda87c806962fe9dd7ef1010353919d90 SHA1 (patch-ta) = a9d13eeec22733e4087942f217a0d47a19498a6f SHA1 (patch-ze) = d6fb718a1417e37a7d6bee1ae89fe2beec51c81b Added files: Index: pkgsrc/lang/perl5/patches/patch-regcomp.c diff -u /dev/null pkgsrc/lang/perl5/patches/patch-regcomp.c:1.1 --- /dev/null Sat Sep 23 05:29:07 2017 +++ pkgsrc/lang/perl5/patches/patch-regcomp.c Sat Sep 23 05:29:07 2017 @@ -0,0 +1,51 @@ +$NetBSD: patch-regcomp.c,v 1.1 2017/09/23 05:29:07 maya Exp $ + +Fixes for CVE-2017-12837: heap buffer overflow in regular expression compiler +CVE-2017-12883 Buffer over-read in regular expression parser + +From 2be4edede4ae226e2eebd4eff28cedd2041f300f Mon Sep 17 00:00:00 2001 +From: Karl Williamson +Date: Fri, 25 Aug 2017 11:33:58 -0600 +Subject: [PATCH] PATCH: [perl #131598] + +The cause of this is that the vFAIL macro uses RExC_parse, and that +variable has just been changed in preparation for code after the vFAIL. +The solution is to not change RExC_parse until after the vFAIL. + +This is a case where the macro hides stuff that can bite you. + +From 96c83ed78aeea1a0496dd2b2d935869a822dc8a5 Mon Sep 17 00:00:00 2001 +From: Karl Williamson +Date: Wed, 21 Jun 2017 11:33:37 -0600 +Subject: [PATCH] regcomp [perl #131582] + + +--- regcomp.c.orig 2017-04-19 13:37:08.000000000 +0000 ++++ regcomp.c +@@ -12159,14 +12159,16 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pREx + } + sv_catpv(substitute_parse, ")"); + +- RExC_parse = RExC_start = RExC_adjusted_start = SvPV(substitute_parse, +- len); ++ len = SvCUR(substitute_parse); + + /* Don't allow empty number */ + if (len < (STRLEN) 8) { + RExC_parse = endbrace; + vFAIL("Invalid hexadecimal number in \\N{U+...}"); + } ++ ++ RExC_parse = RExC_start = RExC_adjusted_start ++ = SvPV_nolen(substitute_parse); + RExC_end = RExC_parse + len; + + /* The values are Unicode, and therefore not subject to recoding, but +@@ -13229,6 +13231,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_stat + goto loopdone; + } + p = RExC_parse; ++ RExC_parse = parse_start; + if (ender > 0xff) { + REQUIRE_UTF8(flagp); + } --_----------=_150614454771380--