aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/perl/APKBUILD23
-rw-r--r--main/perl/CVE-2017-12837.patch11
-rw-r--r--main/perl/CVE-2017-12883.patch28
3 files changed, 57 insertions, 5 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 6db1db1457..a559a81f1a 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -1,13 +1,15 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=perl
-pkgver=5.22.1
+pkgver=5.22.3
pkgrel=0
pkgdesc="Larry Wall's Practical Extraction and Report Language"
url=http://www.perl.org
arch="all"
license="Artistic GPL2"
source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
+ CVE-2017-12837.patch
+ CVE-2017-12883.patch
"
options="!fhs"
@@ -16,6 +18,12 @@ depends_dev="perl"
makedepends=
subpackages="$pkgname-dev $pkgname-doc miniperl"
+# secfixes:
+# 5.22.3-r0:
+# - CVE-2016-1238
+# - CVE-2017-12837
+# - CVE-2017-12883
+
_builddir="$srcdir/$pkgname-$pkgver"
prepare() {
@@ -96,7 +104,12 @@ dev() {
done
}
-
-md5sums="19295bbb775a3c36123161b9bf4892f1 perl-5.22.1.tar.gz"
-sha256sums="2b475d0849d54c4250e9cba4241b7b7291cffb45dfd083b677ca7b5d38118f27 perl-5.22.1.tar.gz"
-sha512sums="cead35f0dfea61104066a9e8e00bde7b33783f5f6cbef6c3307c3425453aec14c37775e9284b1235e9f14d76cae3455e3e215c16e31eee780917d9ec9490346a perl-5.22.1.tar.gz"
+md5sums="aa4f236dc2fc6f88b871436b8d0fda95 perl-5.22.3.tar.gz
+87bcffe2858d6a4d231e041bec899c5c CVE-2017-12837.patch
+da495ec183af5a9386274587b4733620 CVE-2017-12883.patch"
+sha256sums="1b351fb4df7e62ec3c8b2a9f516103595b2601291f659fef1bbe3917e8410083 perl-5.22.3.tar.gz
+f8b16e586981ccd60308aaaa44243c1933536f373241f196f0a8f260893903ad CVE-2017-12837.patch
+42197cd029998b56aa90d3fff9acee29f4f58ac9f8a240f96fd04a231e2bcb4b CVE-2017-12883.patch"
+sha512sums="e0ec42ed99f565ee045ce188a2a22fc294f043a6983fe7dcc896ef5df30a05124f1ba0faea62ce128df769f9f12fae0f11422c7f63e95470534689ebbcbef272 perl-5.22.3.tar.gz
+3125c66f7a810c24aad8ea7228cda9254f854b6cced0479c9d297879ccb8561469cf99d9b2a95df5fc1d23b485999d720d2cf1e2385d93510a700514e610e302 CVE-2017-12837.patch
+40a3cfb663c7f1946a7b24dc97defd8f32889efb5d611e6ebef90b3dd3a5073de14728887ce028dbdd95aeb46e2dd05a0fa690ea580d6d108df751e43e1662f6 CVE-2017-12883.patch"
diff --git a/main/perl/CVE-2017-12837.patch b/main/perl/CVE-2017-12837.patch
new file mode 100644
index 0000000000..e4ec80fca1
--- /dev/null
+++ b/main/perl/CVE-2017-12837.patch
@@ -0,0 +1,11 @@
+--- a/regcomp.c
++++ b/regcomp.c
+Upstream commit 96c83ed78aeea1a0496dd2b2d935869a822dc8a5
+@@ -13318,6 +13318,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ goto loopdone;
+ }
+ p = RExC_parse;
++ RExC_parse = parse_start;
+ if (ender > 0xff) {
+ REQUIRE_UTF8(flagp);
+ }
diff --git a/main/perl/CVE-2017-12883.patch b/main/perl/CVE-2017-12883.patch
new file mode 100644
index 0000000000..9f18f1c66b
--- /dev/null
+++ b/main/perl/CVE-2017-12883.patch
@@ -0,0 +1,28 @@
+--- a/regcomp.c
++++ b/regcomp.c
+Fixes CVE-2017-12883 for Perl 5.22
+Upstream commit 2be4edede4ae226e2eebd4eff28cedd2041f300f
+
+Note we had to change this patch slightly to get it to work with Perl 5.22.
+We did this by taking their official patch URL (https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
+and changing the first commit to be the Perl 5.22.4 commit (a26666a1317770d8a2228ac3657ba58020c3511f),
+which resulted in a URL of https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
+We then cherry picked this one change from that diff.
+@@ -11303,13 +11303,15 @@
+ }
+ sv_catpv(substitute_parse, ")");
+
+- RExC_parse = SvPV(substitute_parse, len);
++ len = SvCUR(substitute_parse);
+
+ /* Don't allow empty number */
+ if (len < (STRLEN) 8) {
+ RExC_parse = endbrace;
+ vFAIL("Invalid hexadecimal number in \\N{U+...}");
+ }
++
++ RExC_parse = SvPV_nolen(substitute_parse);
+ RExC_end = RExC_parse + len;
+
+ /* The values are Unicode, and therefore not subject to recoding, but
+