packages/perl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!143 [sync] PR-141: fix CVE-2024-56406

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xujing99 
Signed-off-by: @xujing99
This commit is contained in:
openeuler-ci-bot 2025-04-28 02:43:28 +00:00 committed by Gitee
commit ad42734f6b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
backport-CVE-2024-56406.patch Normal file
View File

@ -0,0 +1,26 @@
From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Wed, 18 Dec 2024 18:25:29 -0700
Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
This was due to underallocating needed space. If the translation forces
something to become UTF-8 that is initially bytes, that UTF-8 could
now require two bytes where previously a single one would do.
(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
---
op.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/op.c b/op.c
index 69ff030e88eb..298b2926338a 100644
--- a/op.c
+++ b/op.c
@@ -6520,6 +6520,7 @@
* same time. But otherwise one crosses before the other */
if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
can_force_utf8 = TRUE;
+ max_expansion = MAX(2, max_expansion);
}
}

6
perl.spec
View File

@ -24,7 +24,7 @@ Name: perl
License: (GPL-1.0-or-later or Artistic-1.0-perl) and (GPL-2.0-or-later or Artistic-1.0-perl) and MIT and UCD and Public Domain and BSD License: (GPL-1.0-or-later or Artistic-1.0-perl) and (GPL-2.0-or-later or Artistic-1.0-perl) and MIT and UCD and Public Domain and BSD
Epoch: 4 Epoch: 4
Version: %{perl_version} Version: %{perl_version}
Release: 8 Release: 9
Summary: A highly capable, feature-rich programming language Summary: A highly capable, feature-rich programming language
Url: https://www.perl.org/ Url: https://www.perl.org/
Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@ -38,6 +38,7 @@ Patch6: disable-rpath-by-default.patch
Patch7: backport-CVE-2023-47100-CVE-2023-47038.patch Patch7: backport-CVE-2023-47100-CVE-2023-47038.patch
Patch8: backport-CVE-2023-47039.patch Patch8: backport-CVE-2023-47039.patch
Patch9: perl-5.38.0-Link-XS-modules-to-libperl.so-with-EU-MM.patch Patch9: perl-5.38.0-Link-XS-modules-to-libperl.so-with-EU-MM.patch
Patch10: backport-CVE-2024-56406.patch
BuildRequires: gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find BuildRequires: gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find
BuildRequires: zlib-devel perl-interpreter perl-generators BuildRequires: zlib-devel perl-interpreter perl-generators
@ -497,6 +498,9 @@ make test_harness
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Mon Apr 14 2025 Funda Wang <fundawang@yeah.net> - 4:5.38.0-9
- fix CVE-2024-56406
* Tue Sep 3 2024 hongjinghao <hongjinghao@huawei.com> - 4:5.38.0-8 * Tue Sep 3 2024 hongjinghao <hongjinghao@huawei.com> - 4:5.38.0-8
- Delete the man of File::Compare and File::Find from the main package. - Delete the man of File::Compare and File::Find from the main package.