Fix CVE-2023-47100

(cherry picked from commit 0c055dc9cd9a9f25686a3d74a703830002fbc396)
2023-12-11 19:34:18 +08:00 · 2023-12-11 19:34:18 +08:00 · 045ec5d148
commit 045ec5d148
parent c3c3a145b9
2 changed files with 16 additions and 7 deletions
--- a/backport-CVE-2023-47100-CVE-2023-47038.patch
+++ b/backport-CVE-2023-47100-CVE-2023-47038.patch
@ -42,10 +42,14 @@ This commit also does white-space adjustment so that things align
 vertically for readability.

 This can be easily backported to earlier Perl releases.
+
+Reference:https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
+Conflict:Context adaptation
+
 ---
 regcomp.c           | 17 +++++++++++------
- t/re/pat_advanced.t |  7 +++++++
- 2 files changed, 18 insertions(+), 6 deletions(-)
+ t/re/pat_advanced.t |  8 ++++++++
+ 2 files changed, 19 insertions(+), 6 deletions(-)

 diff --git a/regcomp.c b/regcomp.c
 index f5e5f58..0d3e9a9 100644
@ -92,7 +96,7 @@ index f5e5f58..0d3e9a9 100644
         if (cur == '_') {
             if (    stricter
 -                && (     i == 0 || (int) i == equals_pos || i == name_len- 1
-+                && ( i == i_zero || (int) i == equals_pos || i == name_len- 1
+                && (   i == i_zero || (int) i == equals_pos || i == name_len- 1
                     || ! isDIGIT_A(name[i-1]) || ! isDIGIT_A(name[i+1])))
             {
                 lookup_name[j++] = '_';
@ -100,7 +104,7 @@ diff --git a/t/re/pat_advanced.t b/t/re/pat_advanced.t
 index d679870..3b79eec 100644
 --- a/t/re/pat_advanced.t
 +++ b/t/re/pat_advanced.t
-@@ -2565,6 +2565,13 @@ EOF
+@@ -2565,6 +2565,14 @@ EOF
                        {}, "GH #17278");
     }
 
@ -111,8 +115,10 @@ index d679870..3b79eec 100644
 +        fresh_perl_is('qr/\p{utf8::_perl_surrogate}/', "",
 +                        {}, "perl-security#140");
 +    }
+
 
     # !!! NOTE that tests that aren't at all likely to crash perl should go
     # a ways above, above these last ones.  There's a comment there that, like
 -- 
-2.33.0
+2.33.0
+
--- a/perl.spec
+++ b/perl.spec
@ -22,7 +22,7 @@ Name:           perl
 License:        (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD
 Epoch:          4
 Version:        %{perl_version}
-Release:        12
+Release:        13
 Summary:        A highly capable, feature-rich programming language
 Url:            https://www.perl.org/
 Source0:        https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@ -41,7 +41,7 @@ Patch6000: backport-CVE-2021-36770.patch
 Patch6001: backport-CVE-2023-31484.patch
 Patch6002: backport-CVE-2023-31486.patch
 Patch6003: backport-CVE-2022-48522.patch
-Patch6004: backport-CVE-2023-47038.patch
+Patch6004: backport-CVE-2023-47100-CVE-2023-47038.patch
 Patch6005: backport-CVE-2023-47039.patch

 BuildRequires:  gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find 
@ -493,6 +493,9 @@ make test_harness
 %{_mandir}/man3/*

 %changelog
+* Mon Dec 11 2023 huyubiao <huyubiao@huawei.com> - 4:5.34.0-13
+- Fix CVE-2023-47100
+
 * Fri Dec 8 2023 hongjinghao <hongjinghao@huawei.com> - 4:5.34.0-12
 - Fix CVE-2023-47039