packages/perl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!147 [同步PR-142] fix CVE-2024-56406

Browse Source 
From: @fly_fzc 
Reviewed-by: @xujing99 
Signed-off-by: @xujing99
This commit is contained in:
openeuler-ci-bot 2025-05-07 01:21:30 +00:00 committed by Gitee
commit 4fa4d31730
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
backport-CVE-2024-56406.patch Normal file
View File

@ -0,0 +1,26 @@
From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Wed, 18 Dec 2024 18:25:29 -0700
Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
This was due to underallocating needed space. If the translation forces
something to become UTF-8 that is initially bytes, that UTF-8 could
now require two bytes where previously a single one would do.
(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
---
op.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/op.c b/op.c
index 69ff030e88eb..298b2926338a 100644
--- a/op.c
+++ b/op.c
@@ -6520,6 +6520,7 @@
* same time. But otherwise one crosses before the other */
if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
can_force_utf8 = TRUE;
+ max_expansion = MAX(2, max_expansion);
}
}

6
perl.spec
View File

@ -22,7 +22,7 @@ Name: perl
License: (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD License: (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD
Epoch: 4 Epoch: 4
Version: %{perl_version} Version: %{perl_version}
Release: 14 Release: 15
Summary: A highly capable, feature-rich programming language Summary: A highly capable, feature-rich programming language
Url: https://www.perl.org/ Url: https://www.perl.org/
Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@ -44,6 +44,7 @@ Patch6003: backport-CVE-2022-48522.patch
Patch6004: backport-CVE-2023-47100-CVE-2023-47038.patch Patch6004: backport-CVE-2023-47100-CVE-2023-47038.patch
Patch6005: backport-CVE-2023-47039.patch Patch6005: backport-CVE-2023-47039.patch
Patch6006: fix-test-case-failure-caused-by-zlib.patch Patch6006: fix-test-case-failure-caused-by-zlib.patch
Patch6007: backport-CVE-2024-56406.patch
BuildRequires: gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find BuildRequires: gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find
BuildRequires: zlib-devel systemtap-sdt-devel perl-interpreter perl-generators BuildRequires: zlib-devel systemtap-sdt-devel perl-interpreter perl-generators
@ -494,6 +495,9 @@ make test_harness
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Mon Apr 14 2025 Funda Wang <fundawang@yeah.net> - 4:5.34.0-15
- fix CVE-2024-56406
* Tue Jun 4 2024 hongjinghao <hongjinghao@huawei.com> - 4:5.34.0-14 * Tue Jun 4 2024 hongjinghao <hongjinghao@huawei.com> - 4:5.34.0-14
- fix test case failure caused by zlib - fix test case failure caused by zlib