1 files changed, 45 insertions, 0 deletions

diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
new file mode 100644
index 0000000000..e0dcf412bb
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
+perl:fix for CVE-2010-4777
+
+Upstream-Status: Backport
+    
+The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
+5.14.0, and other versions, when running with debugging enabled,
+allows context-dependent attackers to cause a denial of service
+(assertion failure and application exit) via crafted input that
+is not properly handled when using certain regular expressions,
+as demonstrated by causing SpamAssassin and OCSInventory to
+crash.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
+ 
+ 		if (gvp) {
+ 		    GV * const gv = *gvp;
+-		    if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
+-			save_scalar(gv);
++		    if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
++			/* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
++			SV ** const sptr = &GvSVn(gv);
++			SV * osv = *sptr;
++			SV * nsv = newSV(0);
++			save_pushptrptr(SvREFCNT_inc_simple(gv),
++			SvREFCNT_inc(osv), SAVEt_SV);
++			if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
++			    SvTYPE(osv) != SVt_PVGV) {
++			    if (SvGMAGICAL(osv)) {
++				const bool oldtainted = PL_tainted;
++				SvFLAGS(osv) |= (SvFLAGS(osv) &
++				    (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
++				PL_tainted = oldtainted;
++			    }
++			    mg_localize(osv, nsv, 1);
++			}
++			*sptr = nsv;
++		    }
+ 		}
+ 	    }
+ 	}