perl: ensure File::Spec::canonpath() preserves taint [CVE-2015-8607]

Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath()
routine returned untained strings even if passed tainted input. This defect
undermines the guarantee of taint propagation, which is sometimes used to
ensure that unvalidated user input does not reach sensitive code.

This defect was found and reported by David Golden of MongoDB, and a patch
was provided by Tony Cook.

References:

 * https://rt.perl.org/Public/Bug/Display.html?id=126862
 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8607

Signed-off-by: Jo-Philipp Wich <redacted>

diff --git a/lang/perl/Makefile b/lang/perl/Makefile
index 39a018ad936ccb788eaca9abee26a8d5ffde6793..3a96e6b71bf4bc09e551d507e8e4a69f22fc85cf 100644 (file)
--- a/lang/perl/Makefile
+++ b/lang/perl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=perl
 PKG_VERSION:=5.22.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=ftp://ftp.cpan.org/pub/CPAN/src/5.0 \
                http://www.cpan.org/src/5.0 \

diff --git a/lang/perl/patches/020-host-libc-dir-moved-debian+derivatives.patch b/lang/perl/patches/020-host-libc-dir-moved-debian+derivatives.patch
index 761f8b9273469f4cae0ddfb77445b7a8f8838076..956466d99ae701e0b55e90521ba07a55ccb10f19 100644 (file)
--- a/lang/perl/patches/020-host-libc-dir-moved-debian+derivatives.patch
+++ b/lang/perl/patches/020-host-libc-dir-moved-debian+derivatives.patch
@@ -1,6 +1,6 @@
 --- a/hints/linux.sh
 +++ b/hints/linux.sh
-@@ -204,6 +204,24 @@ case "$libc" in
+@@ -221,6 +221,24 @@ case "$libc" in
      ;;
  esac
  

diff --git a/lang/perl/patches/110-always_use_miniperl.patch b/lang/perl/patches/110-always_use_miniperl.patch
index f8f8a65deb5c3b24f7db85df5fc2c173ddd67cab..9f9f812197d35467f2f32a9c18ea4bde6a8c48b4 100644 (file)
--- a/lang/perl/patches/110-always_use_miniperl.patch
+++ b/lang/perl/patches/110-always_use_miniperl.patch
@@ -1,6 +1,6 @@
 --- a/Makefile.SH
 +++ b/Makefile.SH
-@@ -315,22 +315,11 @@ MINIPERL = \$(LDLIBPTH) ./miniperl\$(EXE
+@@ -316,22 +316,11 @@ MANIFEST_SRT = MANIFEST.srt
  
  !GROK!THIS!
  

diff --git a/lang/perl/patches/700-tie_fetch_count_t-handle_missing_crypt.patch b/lang/perl/patches/700-tie_fetch_count_t-handle_missing_crypt.patch
index 32914dde72cab619853386557a059a49efb6ec6a..f90e5d9ca73c21ace03493ca0a5cfbd9a433af3c 100644 (file)
--- a/lang/perl/patches/700-tie_fetch_count_t-handle_missing_crypt.patch
+++ b/lang/perl/patches/700-tie_fetch_count_t-handle_missing_crypt.patch
@@ -1,7 +1,5 @@
-Index: perl-5.22.0/t/op/tie_fetch_count.t
-===================================================================
---- perl-5.22.0.orig/t/op/tie_fetch_count.t
-+++ perl-5.22.0/t/op/tie_fetch_count.t
+--- a/t/op/tie_fetch_count.t
++++ b/t/op/tie_fetch_count.t
 @@ -250,12 +250,17 @@ for ([chdir=>''],[chmod=>'0,'],[chown=>'
      check_count "$op $args\\\$tied_glob$postargs";
  }

diff --git a/lang/perl/patches/710-threads_join-skip_ps_on_busybox.patch b/lang/perl/patches/710-threads_join-skip_ps_on_busybox.patch
index 27ee75749a76f50f2235ee7f65a0feb877464cc8..e60ee8cc1f10808f0a54a55e8160f0b206b54f21 100644 (file)
--- a/lang/perl/patches/710-threads_join-skip_ps_on_busybox.patch
+++ b/lang/perl/patches/710-threads_join-skip_ps_on_busybox.patch
@@ -5,10 +5,8 @@ We can't provide either with busybox. Just skip it for now.
 
 Signed-off-by: Marcel Denia <naoir@gmx.net>
 
-Index: perl-5.22.0/dist/threads/t/join.t
-===================================================================
---- perl-5.22.0.orig/dist/threads/t/join.t
-+++ perl-5.22.0/dist/threads/t/join.t
+--- a/dist/threads/t/join.t
++++ b/dist/threads/t/join.t
 @@ -110,36 +110,41 @@ sub skip {
  
  # We parse ps output so this is OS-dependent.

diff --git a/lang/perl/patches/900-CVE-2015-8607.patch b/lang/perl/patches/900-CVE-2015-8607.patch
new file mode 100644 (file)
index 0000000..5f1c1cb
--- /dev/null
+++ b/lang/perl/patches/900-CVE-2015-8607.patch
@@ -0,0 +1,57 @@
+From b6307f728a4f842a54ea96959e386c7daa92ece1 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: [perl #126862] ensure File::Spec::canonpath() preserves taint
+
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+---
+ dist/PathTools/Cwd.xs    |  1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/dist/PathTools/Cwd.xs
++++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+     *o = 0;
+     SvPOK_on(retval);
+     SvCUR_set(retval, o - SvPVX(retval));
++    SvTAINT(retval);
+     return retval;
+ }
+ 
+--- a/dist/PathTools/t/taint.t
++++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+     plan(
+         ${^TAINT}
+-        ? (tests => 17)
++        ? (tests => 21)
+         : (skip_all => "A perl without taint support")
+     );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+ 
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
++
++{
++    # [perl #126862] canonpath() loses taint
++    my $tainted = substr($ENV{PATH}, 0, 0);
++    # yes, getcwd()'s result should be tainted, and is tested above
++    # but be sure
++    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
++        "canonpath() keeps taint on non-empty string";
++    ok tainted(File::Spec->canonpath($tainted)),
++        "canonpath() keeps taint on empty string";
++
++    (Cwd::getcwd() =~ /^(.*)/);
++    my $untainted = $1;
++    ok !tainted($untainted), "make sure our untainted value is untainted";
++    ok !tainted(File::Spec->canonpath($untainted)),
++        "canonpath() doesn't add taint to untainted string";
++}