New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2017-12883 and Perl 5.22 #16157
Comments
From z5t1@z5t1.comTo whom it may concern: I have backported your patch for CVE-2017-12883 to Perl 5.22 Sincerely, Scott Court |
From z5t1@z5t1.comCVE-2017-12883.patch--- a/regcomp.c
+++ b/regcomp.c
Fixes CVE-2017-12883 for Perl 5.22
Upstream commit 2be4edede4ae226e2eebd4eff28cedd2041f300f
Note we had to change this patch slightly to get it to work with Perl 5.22.
We did this by taking their official patch URL (https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
and changing the first commit to be the Perl 5.22.4 commit (a26666a1317770d8a2228ac3657ba58020c3511f),
which resulted in a URL of https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
We then cherry picked this one change from that diff.
@@ -11303,13 +11303,15 @@
}
sv_catpv(substitute_parse, ")");
- RExC_parse = SvPV(substitute_parse, len);
+ len = SvCUR(substitute_parse);
/* Don't allow empty number */
if (len < (STRLEN) 8) {
RExC_parse = endbrace;
vFAIL("Invalid hexadecimal number in \\N{U+...}");
}
+
+ RExC_parse = SvPV_nolen(substitute_parse);
RExC_end = RExC_parse + len;
/* The values are Unicode, and therefore not subject to recoding, but
|
From @jkeenanOn Wed, 20 Sep 2017 15:38:31 GMT, z5t1@z5t1.com wrote:
I have made this patch available for smoke testing in the following branch: smoke-me/jkeenan/132134-cve-2017-12883 Whether it is applied or not is for discussion. Thank you very much. -- |
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Wed, 20 Sep 2017 17:00:17 -0700, jkeenan wrote:
That looks fine to me. Tony |
What to do about this ticket? |
there was no 5.22.5, this patch was made on top of 5.22.4, id say it can be closed as we aren't going to create a 5.22.5 at this point (afaiui) |
The smoke-me branch mentioned in this ticket no longer exists, but it was run and reports were collated here. From that page we can locate this commit which holds the OP's "Backport patch for CVE-2017-12883 to Perl 5.22." My brief eyeballing of the patch suggests that regcomp.c has changed considerably in 5 years, so the patch wouldn't apply to blead. And, as @demerphq implies, 5.22 is long out-of-support. @demerphq, I would suggest that you take one look at this commit to see if there's anything of interest in it, then proceed to close it. |
FWIW, I have a copy of your smoke-me, as does Richard Leach in his fork. Anyway, this was a backport of 2be4ede. I guess we should have released a 5.22.5 but it never happened. From the POV of blead @khwilliamson has already sorted this. He wrote the patch that was backported. Closing. |
Migrated from rt.perl.org#132134 (status was 'open')
Searchable as RT132134$
The text was updated successfully, but these errors were encountered: