Apply by doing:
cd /usr/src
patch -p0 < 001_perl.patch
And then rebuild and install perl:
cd gnu/usr.bin/perl
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper depend
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install
Index: gnu/usr.bin/perl/globvar.sym
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/globvar.sym,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.24.1
diff -u -p -r1.1.1.1 -r1.1.1.1.24.1
--- gnu/usr.bin/perl/globvar.sym 6 Apr 2000 16:08:36 -0000 1.1.1.1
+++ gnu/usr.bin/perl/globvar.sym 3 Jan 2006 04:22:39 -0000 1.1.1.1.24.1
@@ -66,3 +66,4 @@ vtbl_regdatum
vtbl_collxfrm
vtbl_amagic
vtbl_amagicelem
+memory_wrap
Index: gnu/usr.bin/perl/makedef.pl
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/makedef.pl,v
retrieving revision 1.1.1.7
retrieving revision 1.1.1.7.4.1
diff -u -p -r1.1.1.7 -r1.1.1.7.4.1
--- gnu/usr.bin/perl/makedef.pl 15 Jan 2005 21:16:26 -0000 1.1.1.7
+++ gnu/usr.bin/perl/makedef.pl 3 Jan 2006 04:22:40 -0000 1.1.1.7.4.1
@@ -635,12 +635,6 @@ else {
)];
}
-if ($define{'PERL_MALLOC_WRAP'}) {
- emit_symbols [qw(
- PL_memory_wrap
- )];
-}
-
unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) {
skip_symbols [qw(
PL_thr_key
Index: gnu/usr.bin/perl/op.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/op.c,v
retrieving revision 1.10
retrieving revision 1.10.4.1
diff -u -p -r1.10 -r1.10.4.1
--- gnu/usr.bin/perl/op.c 15 Jan 2005 21:30:19 -0000 1.10
+++ gnu/usr.bin/perl/op.c 3 Jan 2006 04:22:40 -0000 1.10.4.1
@@ -2064,7 +2064,6 @@ Perl_fold_constants(pTHX_ register OP *o
/* XXX might want a ck_negate() for this */
cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
break;
- case OP_SPRINTF:
case OP_UCFIRST:
case OP_LCFIRST:
case OP_UC:
Index: gnu/usr.bin/perl/opcode.h
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/opcode.h,v
retrieving revision 1.8
retrieving revision 1.8.6.1
diff -u -p -r1.8 -r1.8.6.1
--- gnu/usr.bin/perl/opcode.h 9 Aug 2004 18:08:55 -0000 1.8
+++ gnu/usr.bin/perl/opcode.h 3 Jan 2006 04:22:40 -0000 1.8.6.1
@@ -1585,7 +1585,7 @@ EXT U32 PL_opargs[] = {
0x0022281c, /* vec */
0x0122291c, /* index */
0x0122291c, /* rindex */
- 0x0004280f, /* sprintf */
+ 0x0004280d, /* sprintf */
0x00042805, /* formline */
0x0001379e, /* ord */
0x0001378e, /* chr */
Index: gnu/usr.bin/perl/opcode.pl
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/opcode.pl,v
retrieving revision 1.8
retrieving revision 1.8.6.1
diff -u -p -r1.8 -r1.8.6.1
--- gnu/usr.bin/perl/opcode.pl 9 Aug 2004 18:08:55 -0000 1.8
+++ gnu/usr.bin/perl/opcode.pl 3 Jan 2006 04:22:40 -0000 1.8.6.1
@@ -602,7 +602,7 @@ vec vec ck_fun ist@ S S S
index index ck_index isT@ S S S?
rindex rindex ck_index isT@ S S S?
-sprintf sprintf ck_fun mfst@ S L
+sprintf sprintf ck_fun mst@ S L
formline formline ck_fun ms@ S L
ord ord ck_fun ifsTu% S?
chr chr ck_fun fsTu% S?
Index: gnu/usr.bin/perl/patchlevel.h
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/patchlevel.h,v
retrieving revision 1.13
retrieving revision 1.13.4.1
diff -u -p -r1.13 -r1.13.4.1
--- gnu/usr.bin/perl/patchlevel.h 2 Feb 2005 20:13:33 -0000 1.13
+++ gnu/usr.bin/perl/patchlevel.h 3 Jan 2006 04:22:40 -0000 1.13.4.1
@@ -121,6 +121,7 @@ hunk.
static char *local_patches[] = {
NULL
,"SUIDPERLIO1 - fix PERLIO_DEBUG buffer overflow (CAN-2005-0156)"
+ ,"SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962"
,NULL
};
Index: gnu/usr.bin/perl/perl.h
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/perl.h,v
retrieving revision 1.10
retrieving revision 1.10.4.1
diff -u -p -r1.10 -r1.10.4.1
--- gnu/usr.bin/perl/perl.h 15 Jan 2005 21:30:20 -0000 1.10
+++ gnu/usr.bin/perl/perl.h 3 Jan 2006 04:22:40 -0000 1.10.4.1
@@ -3071,10 +3071,8 @@ EXTCONST char PL_no_myglob[]
INIT("\"my\" variable %s can't be in a package");
EXTCONST char PL_no_localize_ref[]
INIT("Can't localize through a reference");
-#ifdef PERL_MALLOC_WRAP
EXTCONST char PL_memory_wrap[]
INIT("panic: memory wrap");
-#endif
EXTCONST char PL_uuemap[65]
INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
Index: gnu/usr.bin/perl/sv.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/sv.c,v
retrieving revision 1.10
retrieving revision 1.10.4.2
diff -u -p -r1.10 -r1.10.4.2
--- gnu/usr.bin/perl/sv.c 15 Jan 2005 21:30:22 -0000 1.10
+++ gnu/usr.bin/perl/sv.c 3 Jan 2006 04:22:41 -0000 1.10.4.2
@@ -8606,9 +8606,12 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
if (vectorarg) {
if (args)
vecsv = va_arg(*args, SV*);
- else
- vecsv = (evix ? evix <= svmax : svix < svmax) ?
- svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
+ else if (evix) {
+ vecsv = (evix > 0 && evix <= svmax)
+ ? svargs[evix-1] : &PL_sv_undef;
+ } else {
+ vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
+ }
dotstr = SvPVx(vecsv, dotstrlen);
if (DO_UTF8(vecsv))
is_utf8 = TRUE;
@@ -8618,12 +8621,13 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
vecstr = (U8*)SvPVx(vecsv,veclen);
vec_utf8 = DO_UTF8(vecsv);
}
- else if (efix ? efix <= svmax : svix < svmax) {
+ else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
vecsv = svargs[efix ? efix-1 : svix++];
vecstr = (U8*)SvPVx(vecsv,veclen);
vec_utf8 = DO_UTF8(vecsv);
}
else {
+ vecsv = &PL_sv_undef;
vecstr = (U8*)"";
veclen = 0;
}
@@ -8724,9 +8728,15 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
if (vectorize)
argsv = vecsv;
- else if (!args)
- argsv = (efix ? efix <= svmax : svix < svmax) ?
- svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
+ else if (!args) {
+ if (efix) {
+ const I32 i = efix-1;
+ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
+ } else {
+ argsv = (svix >= 0 && svix < svmax)
+ ? svargs[svix++] : &PL_sv_undef;
+ }
+ }
switch (c = *q++) {
@@ -8968,6 +8978,8 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
*--eptr = '0';
break;
case 2:
+ if (!uv)
+ alt = FALSE;
do {
dig = uv & 1;
*--eptr = '0' + dig;
@@ -9270,6 +9282,8 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
/* calculate width before utf8_upgrade changes it */
have = esignlen + zeros + elen;
+ if (have < zeros)
+ Perl_croak_nocontext(PL_memory_wrap);
if (is_utf8 != has_utf8) {
if (is_utf8) {
@@ -9297,6 +9311,8 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const cha
need = (have > width ? have : width);
gap = need - have;
+ if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
+ Perl_croak_nocontext(PL_memory_wrap);
SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
p = SvEND(sv);
if (esignlen && fill == '0') {