1 --- perl-5.8.7/t/lib/warnings/sv.CVE-2005-3962-bz174684 2004-03-18 07:51:14.000000000 -0500
2 +++ perl-5.8.7/t/lib/warnings/sv 2005-12-14 12:40:55.000000000 -0500
7 -Invalid conversion in sprintf: "%z" at - line 5.
8 -Invalid conversion in sprintf: end of string at - line 7.
9 -Invalid conversion in sprintf: "%\002" at - line 9.
10 Invalid conversion in printf: "%z" at - line 4.
11 +Invalid conversion in sprintf: "%z" at - line 5.
12 Invalid conversion in printf: end of string at - line 6.
13 +Invalid conversion in sprintf: end of string at - line 7.
14 Invalid conversion in printf: "%\002" at - line 8.
15 +Invalid conversion in sprintf: "%\002" at - line 9.
19 --- perl-5.8.7/t/op/sprintf.t.CVE-2005-3962-bz174684 2003-09-01 03:41:07.000000000 -0400
20 +++ perl-5.8.7/t/op/sprintf.t 2005-12-14 12:53:09.000000000 -0500
22 >%4$K %d< >[45, 67]< >%4$K 45 INVALID<
23 >%d %K %d< >[23, 45]< >23 %K 45 INVALID<
24 >%*v*999\$d %d %d< >[11, 22, 33]< >%*v*999\$d 11 22 INVALID<
28 +>%2918905856$v2d< >''< ><
29 +>%*2918905856$v2d< >''< > UNINIT<
30 --- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684 2004-02-09 16:37:13.000000000 -0500
31 +++ perl-5.8.7/t/op/sprintf2.t 2005-12-14 12:50:39.000000000 -0500
37 +plan tests => 7 + 256;
40 sprintf("%.40g ",0.01),
42 q(width calculation under utf8 upgrade)
46 +# Used to mangle PL_sv_undef
48 + 'print sprintf "xxx%n\n"; print undef',
49 + 'Modification of a read-only value attempted at - line 1.',
50 + { switches => [ '-w' ] },
51 + q(%n should not be able to modify read-only constants),
54 +# check %NNN$ for range bounds, especially negative 2's complement
56 + my ($warn, $bad) = (0,0);
57 + local $SIG{__WARN__} = sub {
58 + if ($_[0] =~ /uninitialized/) {
65 + my $result = sprintf join('', map("%$_\$s%" . ~$_ . '$s', 1..20)),
67 + is($result, "abcd", "only four valid values");
68 + is($warn, 36, "expected warnings");
69 + is($bad, 0, "unexpected warnings");
72 + foreach my $ord (0 .. 255) {
74 + local $SIG{__WARN__} = sub {
75 + unless ($_[0] =~ /^Invalid conversion in sprintf/ ||
76 + $_[0] =~ /^Use of uninitialized value in sprintf/) {
81 + my $r = eval {sprintf '%v' . chr $ord};
82 + is ($bad, 0, "pattern '%v' . chr $ord");
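Review bot: The `eval` around `sprintf '%v' . chr $ord` discards both `$r` and `$@`, so an iteration in which sprintf dies still passes as long as the warn handler counted nothing unexpected. If a die is never expected for these patterns, count it as a failure with `$bad++ if $@;` directly after the eval, which leaves the planned count of `7 + 256` unchanged. The handler body is only partly visible in this hunk, so confirm it does not already cover this case.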
85 --- perl-5.8.7/opcode.h.CVE-2005-3962-bz174684 2005-05-27 12:29:50.000000000 -0400
86 +++ perl-5.8.7/opcode.h 2005-12-14 12:40:55.000000000 -0500
89 0x0122291c, /* index */
90 0x0122291c, /* rindex */
91 - 0x0004280f, /* sprintf */
92 + 0x0004280d, /* sprintf - WAS 0x0004280f before patch #26283 */
93 0x00042805, /* formline */
96 --- perl-5.8.7/op.c.CVE-2005-3962-bz174684 2005-04-22 10:12:32.000000000 -0400
97 +++ perl-5.8.7/op.c 2005-12-14 12:40:55.000000000 -0500
99 /* XXX might want a ck_negate() for this */
100 cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
103 +/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 :
109 --- perl-5.8.7/makedef.pl.CVE-2005-3962-bz174684 2005-05-09 09:27:41.000000000 -0400
110 +++ perl-5.8.7/makedef.pl 2005-12-14 12:40:55.000000000 -0500
111 @@ -635,11 +635,13 @@
115 -if ($define{'PERL_MALLOC_WRAP'}) {
120 +# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 /
121 +# Upstream patch #26283
122 +# if ($define{'PERL_MALLOC_WRAP'}) {
128 unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) {
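Review bot: The `PERL_MALLOC_WRAP` branch is disabled by commenting it out, and the comment added above it repeats `CVE-2005-3962` twice without saying why the branch is no longer needed. Deleting the block and leaving one line such as `# PL_memory_wrap is exported unconditionally since upstream patch #26283 (CVE-2005-3962)` would be easier to maintain. That wording assumes the branch skipped `PL_memory_wrap`, which the visible lines do not show, although the perl.h part of this patch does drop the matching `#ifdef`.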
130 --- perl-5.8.7/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684 2005-04-22 07:53:56.000000000 -0400
131 +++ perl-5.8.7/ext/Sys/Syslog/Syslog.pm 2005-12-14 12:40:55.000000000 -0500
140 -our @ISA = qw(Exporter DynaLoader);
141 +our @ISA = qw(Exporter);
142 our @EXPORT = qw(openlog closelog setlogmask syslog);
143 our @EXPORT_OK = qw(setlogsock);
144 -our $VERSION = '0.06';
145 +our $VERSION = '0.08';
147 # it would be nice to try stream/unix first, since that will be
148 # most efficient. However streams are dodgy - see _syslog_send_stream
151 =item openlog $ident, $logopt, $facility
154 I<$ident> is prepended to every message. I<$logopt> contains zero or
155 more of the words I<pid>, I<ndelay>, I<nowait>. The cons option is
156 ignored, since the failover mechanism will drop down to the console
157 automatically if all other media fail. I<$facility> specifies the
158 part of the system to report about, for example LOG_USER or LOG_LOCAL0:
159 see your C<syslog(3)> documentation for the facilities available in
161 +your system. This function will croak if it can't connect to the syslog
164 B<You should use openlog() before calling syslog().>
166 +=item syslog $priority, $message
168 =item syslog $priority, $format, @args
170 -If I<$priority> permits, logs I<($format, @args)>
171 -printed as by C<printf(3V)>, with the addition that I<%m>
172 -is replaced with C<"$!"> (the latest error message).
173 +If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)>
174 +with the addition that I<%m> in $message or $format is replaced with
175 +C<"$!"> (the latest error message).
177 If you didn't use openlog() before using syslog(), syslog will try to
178 guess the I<$ident> by extracting the shortest prefix of I<$format>
181 +Note that Sys::Syslog version v0.07 and older passed the $message as
182 +the formatting string to sprintf() even when no formatting arguments
183 +were provided. If the code calling syslog() might execute with older
184 +versions of this module, make sure to call the function as
185 +syslog($priority, "%s", $message) instead of syslog($priority,
186 +$message). This protects against hostile formatting sequences that
187 +might show up if $message contains tainted data.
189 =item setlogmask $mask_priority
191 Sets log mask I<$mask_priority> and returns the old mask.
196 -bootstrap Sys::Syslog $VERSION;
198 +XSLoader::load('Sys::Syslog', $VERSION);
200 our $maskpri = &LOG_UPTO(&LOG_DEBUG);
204 $whoami .= "[$$]" if our $lo_pid;
206 - $mask =~ s/(?<!%)%m/$!/g;
207 + if ($mask =~ /%m/) {
209 + # escape percent signs if sprintf will be called
210 + $err =~ s/%/%%/g if @_;
211 + # replace %m with $err, if preceded by an even number of percent signs
212 + $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
215 $mask .= "\n" unless $mask =~ /\n$/;
216 - $message = sprintf ($mask, @_);
217 + $message = @_ ? sprintf($mask, @_) : $mask;
219 $sum = $numpri + $numfac;
220 my $buf = "<$sum>$whoami: $message\0";
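Review bot: With `@_ ? sprintf($mask, @_) : $mask` the one-argument form is logged literally, but the POD added above does not say that `%%` then stays as two characters, or that a format passed with an empty list (`syslog($pri, $fmt, @maybe_empty)`) is logged with its directives unexpanded. A sentence under `=item syslog $priority, $message` would cover both, for example `In the one-argument form only %m is interpreted; every other % sequence, including %%, is logged as written.` The new note also speaks of "v0.07 and older" while `$VERSION` moves from 0.06 to 0.08 in this hunk, so check which release actually carries the change. Callers that pass untrusted text as `$format` together with arguments are still interpreted by sprintf, which is what the `"%s"` advice in the note is for.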
221 --- perl-5.8.7/opcode.pl.CVE-2005-3962-bz174684 2004-12-01 08:54:30.000000000 -0500
222 +++ perl-5.8.7/opcode.pl 2005-12-14 12:40:55.000000000 -0500
224 index index ck_index isT@ S S S?
225 rindex rindex ck_index isT@ S S S?
227 -sprintf sprintf ck_fun mfst@ S L
228 +sprintf sprintf ck_fun mst@ S L
229 formline formline ck_fun ms@ S L
230 ord ord ck_fun ifsTu% S?
231 chr chr ck_fun fsTu% S?
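Review bot: The `f` (fold constants) flag is removed from the sprintf row with no explanation in this file, while the only rationale is a comment hand-added to opcode.h. If opcode.h is regenerated from this table, as appears to be the arrangement, that comment is lost. Record the reason next to the table entry instead, for example `# sprintf: no 'f' (constant folding) since upstream patch #26283, CVE-2005-3962`.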
232 --- perl-5.8.7/handy.h.CVE-2005-3962-bz174684 2005-04-20 12:33:28.000000000 -0400
233 +++ perl-5.8.7/handy.h 2005-12-14 12:40:55.000000000 -0500
234 @@ -598,91 +598,65 @@
240 #define NEWSV(x,len) newSV(len)
242 #ifdef PERL_MALLOC_WRAP
243 #define MEM_WRAP_CHECK(n,t) \
244 - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
245 + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
246 #define MEM_WRAP_CHECK_1(n,t,a) \
247 - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
248 + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
249 #define MEM_WRAP_CHECK_2(n,t,a,b) \
250 - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
251 + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
252 +#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t),
254 -#define New(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
255 -#define Newc(x,v,n,t,c) (v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
256 -#define Newz(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
257 - memzero((char*)(v), (n)*sizeof(t))
258 -#define Renew(v,n,t) \
259 - (v = (MEM_WRAP_CHECK(n,t), (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
260 -#define Renewc(v,n,t,c) \
261 - (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
262 -#define Safefree(d) safefree((Malloc_t)(d))
264 -#define Move(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
265 -#define Copy(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
266 -#define Zero(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t)))
268 -#define MoveD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
269 -#define CopyD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
271 -#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)))
273 -/* Using bzero(), which returns void. */
274 -#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)),d)
277 -#define Poison(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
278 +#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
282 #define MEM_WRAP_CHECK(n,t)
283 #define MEM_WRAP_CHECK_1(n,t,a)
284 #define MEM_WRAP_CHECK_2(n,t,a,b)
285 +#define MEM_WRAP_CHECK_(n,t)
287 +#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
289 -#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
290 -#define Newc(x,v,n,t,c) (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
291 -#define Newz(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \
294 +#define Newx(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
295 +#define Newxc(v,n,t,c) (v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
296 +#define Newxz(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
297 memzero((char*)(v), (n)*sizeof(t))
298 +/* pre 5.9.x compatibility */
299 +#define New(x,v,n,t) Newx(v,n,t)
300 +#define Newc(x,v,n,t,c) Newxc(v,n,t,c)
301 +#define Newz(x,v,n,t) Newxz(v,n,t)
303 #define Renew(v,n,t) \
304 - (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
305 + (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
306 #define Renewc(v,n,t,c) \
307 - (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
308 -#define Safefree(d) safefree((Malloc_t)(d))
310 -#define Move(s,d,n,t) (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))
311 -#define Copy(s,d,n,t) (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
312 -#define Zero(d,n,t) (void)memzero((char*)(d), (n) * sizeof(t))
313 + (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
315 -#define MoveD(s,d,n,t) memmove((char*)(d),(char*)(s), (n) * sizeof(t))
316 -#define CopyD(s,d,n,t) memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
318 -#define ZeroD(d,n,t) memzero((char*)(d), (n) * sizeof(t))
320 +#define Safefree(d) \
321 + (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0)
323 -#define ZeroD(d,n,t) ((void)memzero((char*)(d), (n) * sizeof(t)),d)
324 +#define Safefree(d) safefree((Malloc_t)(d))
327 -#define Poison(d,n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t))
328 +#define Move(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
329 +#define Copy(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
330 +#define Zero(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t)))
332 +#define MoveD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
333 +#define CopyD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
335 +#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)))
337 +/* Using bzero(), which returns void. */
338 +#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d)
343 -#define New(x,v,n,s) (v = Null(s *))
344 -#define Newc(x,v,n,s,c) (v = Null(s *))
345 -#define Newz(x,v,n,s) (v = Null(s *))
346 -#define Renew(v,n,s) (v = Null(s *))
347 -#define Move(s,d,n,t)
348 -#define Copy(s,d,n,t)
350 -#define MoveD(s,d,n,t) d
351 -#define CopyD(s,d,n,t) d
352 -#define ZeroD(d,n,t) d
353 -#define Poison(d,n,t)
354 -#define Safefree(d) (d) = (d)
357 +#define Poison(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
359 #ifdef USE_STRUCT_COPY
360 #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s)))
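Review bot: `PERL_STRLEN_ROUNDUP(n)` uses its argument unparenthesized in the rounding expression (`n-1+PERL_STRLEN_ROUNDUP_QUANTUM`), in both the wrap-checked and the unchecked definition, so an argument containing a lower-precedence operator such as a shift or a conditional is rounded incorrectly and the allocator receives the wrong size. Write the rounding part as `(((n)-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))`. The checked variant also evaluates `n` twice, which deserves a comment warning against arguments with side effects. `MEM_WRAP_CHECK_` expands to an expression ending in a comma, and a one-line comment such as `/* trailing comma: must be followed by the allocation expression */` would make that intent explicit.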
361 --- perl-5.8.7/perl.h.CVE-2005-3962-bz174684 2005-12-14 12:40:55.000000000 -0500
362 +++ perl-5.8.7/perl.h 2005-12-14 12:40:55.000000000 -0500
365 #define MEM_SIZE Size_t
367 +/* Round all values passed to malloc up, by default to a multiple of
370 +#ifndef PERL_STRLEN_ROUNDUP_QUANTUM
371 +#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size
374 #if defined(STANDARD_C) && defined(I_STDDEF)
376 # define STRUCT_OFFSET(s,m) offsetof(s,m)
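Review bot: `PERL_STRLEN_ROUNDUP_QUANTUM` can be overridden because of the `#ifndef`, yet the mask `&~(QUANTUM-1)` that `PERL_STRLEN_ROUNDUP` applies in handy.h only rounds to a multiple of the quantum when the quantum is a power of two. The comment above the define is only partly visible here; if it does not already say so, add `Must be a power of two.` to it, because a wrong override silently produces sizes that are not multiples of the quantum.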
377 @@ -3332,10 +3339,8 @@
378 INIT("\"my\" variable %s can't be in a package");
379 EXTCONST char PL_no_localize_ref[]
380 INIT("Can't localize through a reference");
381 -#ifdef PERL_MALLOC_WRAP
382 EXTCONST char PL_memory_wrap[]
383 INIT("panic: memory wrap");
386 EXTCONST char PL_uuemap[65]
387 INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
388 --- perl-5.8.7/sv.c.CVE-2005-3962-bz174684 2005-05-27 06:38:11.000000000 -0400
389 +++ perl-5.8.7/sv.c 2005-12-14 12:48:45.000000000 -0500
390 @@ -8589,9 +8589,12 @@
393 vecsv = va_arg(*args, SV*);
395 - vecsv = (evix ? evix <= svmax : svix < svmax) ?
396 - svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
398 + vecsv = (evix > 0 && evix <= svmax)
399 + ? svargs[evix-1] : &PL_sv_undef;
401 + vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
403 dotstr = SvPVx(vecsv, dotstrlen);
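Review bot: The same argument-index bounds check is spelled three ways in this patch: `evix > 0 && evix <= svmax` here, `efix > 0 && efix <= svmax` in the next hunk, and a narrowed `const I32 i = efix-1` tested with `i >= 0 && i < svmax` in the hunk at 8707. The `> 0` and `>= 0` tests only reject the wrapped indexes exercised by the new `%2918905856$` tests if the index variables are signed, and the `I32` temporary only helps if `efix` is no wider than `I32`. Their declarations lie outside these hunks, so the types should be confirmed. A single helper used at all three sites, with a comment stating the type assumption, would make the fix easier to audit.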
406 @@ -8601,12 +8604,13 @@
407 vecstr = (U8*)SvPVx(vecsv,veclen);
408 vec_utf8 = DO_UTF8(vecsv);
410 - else if (efix ? efix <= svmax : svix < svmax) {
411 + else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
412 vecsv = svargs[efix ? efix-1 : svix++];
413 vecstr = (U8*)SvPVx(vecsv,veclen);
414 vec_utf8 = DO_UTF8(vecsv);
417 + vecsv = &PL_sv_undef;
421 @@ -8707,9 +8711,15 @@
426 - argsv = (efix ? efix <= svmax : svix < svmax) ?
427 - svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
430 + const I32 i = efix-1;
431 + argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
433 + argsv = (svix >= 0 && svix < svmax)
434 + ? svargs[svix++] : &PL_sv_undef;
440 @@ -8972,6 +8982,8 @@
449 @@ -9274,6 +9286,8 @@
451 /* calculate width before utf8_upgrade changes it */
452 have = esignlen + zeros + elen;
454 + Perl_croak_nocontext(PL_memory_wrap);
456 if (is_utf8 != has_utf8) {
458 @@ -9301,6 +9315,9 @@
459 need = (have > width ? have : width);
462 + if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
463 + Perl_croak_nocontext(PL_memory_wrap);
465 SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
467 if (esignlen && fill == '0') {
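Review bot: The guard `need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1)` is added without a comment, and its link to the `SvGROW` call two lines later is easy to lose in a function this long. A comment on the `if`, such as `/* croak rather than let SvCUR + need + dotstrlen + 1 wrap in the SvGROW below */`, would record why the comparison has this shape. None of the test lines visible in this patch appear to exercise the `PL_memory_wrap` croak, so a regression test with an oversized width or precision is worth adding if one is not already among the lines not shown.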
468 --- perl-5.8.7/globvar.sym.CVE-2005-3962-bz174684 2000-08-14 11:22:14.000000000 -0400
469 +++ perl-5.8.7/globvar.sym 2005-12-14 12:51:12.000000000 -0500