pkgsrc-Changes archive


CVS commit: pkgsrc/lang/perl5



Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Jun 16 07:12:10 UTC 2026

Modified Files:
        pkgsrc/lang/perl5: Makefile distinfo
Added Files:
        pkgsrc/lang/perl5/patches: patch-cpan_Socket_Socket.xs

Log Message:
perl: fix security issue in Socket module

Using upstream patch.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.293 -r1.294 pkgsrc/lang/perl5/Makefile
cvs rdiff -u -r1.198 -r1.199 pkgsrc/lang/perl5/distinfo
cvs rdiff -u -r0 -r1.3 pkgsrc/lang/perl5/patches/patch-cpan_Socket_Socket.xs

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/perl5/Makefile
diff -u pkgsrc/lang/perl5/Makefile:1.293 pkgsrc/lang/perl5/Makefile:1.294
--- pkgsrc/lang/perl5/Makefile:1.293    Wed May 27 22:35:30 2026
+++ pkgsrc/lang/perl5/Makefile  Tue Jun 16 07:12:10 2026
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.293 2026/05/27 22:35:30 wiz Exp $
+# $NetBSD: Makefile,v 1.294 2026/06/16 07:12:10 wiz Exp $
 
 .include "license.mk"
 .include "Makefile.common"
 
 COMMENT=       Practical Extraction and Report Language
-PKGREVISION=   2
+PKGREVISION=   3
 
 CONFLICTS+=    perl-base-[0-9]* perl-thread-[0-9]*
 

Index: pkgsrc/lang/perl5/distinfo
diff -u pkgsrc/lang/perl5/distinfo:1.198 pkgsrc/lang/perl5/distinfo:1.199
--- pkgsrc/lang/perl5/distinfo:1.198    Wed May 27 22:35:30 2026
+++ pkgsrc/lang/perl5/distinfo  Tue Jun 16 07:12:10 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.198 2026/05/27 22:35:30 wiz Exp $
+$NetBSD: distinfo,v 1.199 2026/06/16 07:12:10 wiz Exp $
 
 BLAKE2s (perl-5.42.2.tar.gz) = a2e271ef18aa3cadeed75cf6bf48cfc30b8a9f6675053194f285cd13d97e0791
 SHA512 (perl-5.42.2.tar.gz) = c17925b1146270310fbefd82a98bd94532b499a547f5be005ece204918bfc0034e473a97df643925625a940209f81a65acdd99857b3b18911461571230262c0f
@@ -9,6 +9,7 @@ SHA1 (patch-cpan_Archive-Tar_lib_Archive
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__BeOS.pm) = 79e5aeccfa272ca5ec08bffc616d8053ae90ac51
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__Unix.pm) = 996556f221eb0c75c316315462bf6cea6746e030
 SHA1 (patch-cpan_ExtUtils-MakeMaker_t_MM__BeOS.t) = 9b0e7ab85fdab4887b1754599a8879bd7d9f36cc
+SHA1 (patch-cpan_Socket_Socket.xs) = 50613ed2966eb389a6816504d339a2a26276b90f
 SHA1 (patch-hints_cygwin.sh) = 5e2e7179336c9bc085bd2e83d22755a235ea1a4a
 SHA1 (patch-hints_linux.sh) = 4baa8f80695687abb53d4f4e1830cf86db5b2bf7
 SHA1 (patch-hints_netbsd.sh) = cb498170c18f1f429eed9be245cd1df24c7ad628

Added files:

Index: pkgsrc/lang/perl5/patches/patch-cpan_Socket_Socket.xs
diff -u /dev/null pkgsrc/lang/perl5/patches/patch-cpan_Socket_Socket.xs:1.3
--- /dev/null   Tue Jun 16 07:12:10 2026
+++ pkgsrc/lang/perl5/patches/patch-cpan_Socket_Socket.xs       Tue Jun 16 07:12:10 2026
@@ -0,0 +1,144 @@
+$NetBSD: patch-cpan_Socket_Socket.xs,v 1.3 2026/06/16 07:12:10 wiz Exp $
+
+Pull security fix from 2.041
+
+[BUGFIXES]
+* Fix reuse of `STRLEN len` variable in pack_ip_mreq_source()
+
+https://github.com/Perl/perl5/commit/de19a0b0ad1900fef976c5c1400bd8f11ec6c6cb.patch
+
+--- cpan/Socket/Socket.xs.orig 2026-01-18 17:50:03.000000000 +0000
++++ cpan/Socket/Socket.xs
+@@ -1272,26 +1272,35 @@ pack_ip_mreq(multiaddr, interface=&PL_sv_undef)
+         struct ip_mreq mreq;
+         char * multiaddrbytes;
+         char * interfacebytes;
+-        STRLEN len;
+-        if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
+-            croak("Wide character in %s", "Socket::pack_ip_mreq");
+-        multiaddrbytes = SvPVbyte(multiaddr, len);
+-        if (len != sizeof(mreq.imr_multiaddr))
+-            croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+-                    "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr));
++
++        {
++            if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
++                croak("Wide character in %s", "Socket::pack_ip_mreq");
++
++            STRLEN len;
++            multiaddrbytes = SvPVbyte(multiaddr, len);
++            if (len != sizeof(mreq.imr_multiaddr))
++                croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
++                        "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr));
++        }
++
+         Zero(&mreq, sizeof(mreq), char);
+         Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char);
+         if(SvOK(interface)) {
+             if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1))
+                 croak("Wide character in %s", "Socket::pack_ip_mreq");
++
++            STRLEN len;
+             interfacebytes = SvPVbyte(interface, len);
+             if (len != sizeof(mreq.imr_interface))
+                 croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+                         "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_interface));
++
+             Copy(interfacebytes, &mreq.imr_interface, sizeof(mreq.imr_interface), char);
+         }
+         else
+             mreq.imr_interface.s_addr = INADDR_ANY;
++
+         ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq)));
+ #else
+         not_here("pack_ip_mreq");
+@@ -1331,25 +1340,38 @@ pack_ip_mreq_source(multiaddr, source, interface=&PL_s
+         char * multiaddrbytes;
+         char * sourcebytes;
+         char * interfacebytes;
+-        STRLEN len;
+-        if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
+-            croak("Wide character in %s", "Socket::pack_ip_mreq_source");
+-        multiaddrbytes = SvPVbyte(multiaddr, len);
+-        if (len != sizeof(mreq.imr_multiaddr))
+-            croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+-                    "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr));
+-        if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1))
+-            croak("Wide character in %s", "Socket::pack_ip_mreq_source");
+-        if (len != sizeof(mreq.imr_sourceaddr))
+-            croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+-                    "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr));
+-        sourcebytes = SvPVbyte(source, len);
++
++        {
++            if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
++                croak("Wide character in %s", "Socket::pack_ip_mreq_source");
++
++            STRLEN len;
++            multiaddrbytes = SvPVbyte(multiaddr, len);
++            if (len != sizeof(mreq.imr_multiaddr))
++                croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
++                        "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr));
++        }
++
++        {
++            if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1))
++                croak("Wide character in %s", "Socket::pack_ip_mreq_source");
++
++            STRLEN len;
++            sourcebytes = SvPVbyte(source, len);
++            if (len != sizeof(mreq.imr_sourceaddr))
++                croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
++                        "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr));
++        }
++
+         Zero(&mreq, sizeof(mreq), char);
+         Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char);
+         Copy(sourcebytes, &mreq.imr_sourceaddr, sizeof(mreq.imr_sourceaddr), char);
++
+         if(SvOK(interface)) {
+             if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1))
+                 croak("Wide character in %s", "Socket::pack_ip_mreq");
++
++            STRLEN len;
+             interfacebytes = SvPVbyte(interface, len);
+             if (len != sizeof(mreq.imr_interface))
+                 croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+@@ -1358,6 +1380,7 @@ pack_ip_mreq_source(multiaddr, source, interface=&PL_s
+         }
+         else
+             mreq.imr_interface.s_addr = INADDR_ANY;
++
+         ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq)));
+ #else
+         PERL_UNUSED_VAR(multiaddr);
+@@ -1398,16 +1421,22 @@ pack_ipv6_mreq(multiaddr, ifindex)
+ #ifdef HAS_IPV6_MREQ
+         struct ipv6_mreq mreq;
+         char * multiaddrbytes;
+-        STRLEN len;
+-        if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
+-            croak("Wide character in %s", "Socket::pack_ipv6_mreq");
+-        multiaddrbytes = SvPVbyte(multiaddr, len);
+-        if (len != sizeof(mreq.ipv6mr_multiaddr))
+-            croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
+-                    "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr));
++
++        {
++            if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1))
++                croak("Wide character in %s", "Socket::pack_ipv6_mreq");
++
++            STRLEN len;
++            multiaddrbytes = SvPVbyte(multiaddr, len);
++            if (len != sizeof(mreq.ipv6mr_multiaddr))
++                croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf,
++                        "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr));
++        }
++
+         Zero(&mreq, sizeof(mreq), char);
+         Copy(multiaddrbytes, &mreq.ipv6mr_multiaddr, sizeof(mreq.ipv6mr_multiaddr), char);
+         mreq.ipv6mr_interface = ifindex;
++
+         ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq)));
+ #else
+         PERL_UNUSED_VAR(multiaddr);
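Review bot: The header comment of the new patch file says only "Fix reuse of `STRLEN len` variable in pack_ip_mreq_source()", which does not tell a pkgsrc maintainer what the security impact was. Judging from the removed lines in the embedded pack_ip_mreq_source hunk, the old code compared the `len` left over from `multiaddr` against `sizeof(mreq.imr_sourceaddr)` and only afterwards called `SvPVbyte(source, len)`, so the length of `source` was apparently never checked before the fixed-size `Copy(sourcebytes, ...)`. I would add a line to the header such as `pack_ip_mreq_source() checked a stale length, so a short source argument could be read past its end`, plus the advisory identifier if one has been assigned. Separately, the length croaks in pack_ip_mreq_source still name `"Socket::pack_ip_mreq"`; that comes from upstream and is better reported there than changed locally. The XS function bodies begin and end outside the embedded hunks, so this is based on the visible lines only.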


