Re: Perl PR: "Security holes in Sys::Syslog"

Dave Mitchell <davem@iabyn.com> wrote:
:On Wed, Nov 30, 2005 at 10:15:03AM +0100, Rafael Garcia-Suarez wrote:
:> 2. Moreover, this kind of vulnerability can be exploited
:>    to a buffer overrun in the perl interpreter, by taking
:>    advantage of an int<->unsigned int conversion bug in the
:>    printf handling code
:
:Fixed by the change below.
[...]
:==== //depot/perl/sv.c#1028 (text) ====
:
:@@ -8359,9 +8359,10 @@
: 
: 	if (vectorize)
: 	    argsv = vecsv;
:-	else if (!args)
:-	    argsv = (efix ? efix <= svmax : svix < svmax) ?
:-		    svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
:+	else if (!args) {
:+	    I32 i = efix ? efix-1 : svix++;
:+	    argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
:+	}
: 
: 	switch (c = *q++) {

If (!efix && svix >= svmax) this will now svix++ where it didn't before.
I can't offhand think of a way this could cause problems - I assume you
can't construct an [IU]V_MAX argument list - but it seems worth flagging.

Hugo

• Perl PR: "Security holes in Sys::Syslog" by Andy Lester
• Re: Perl PR: "Security holes in Sys::Syslog" by dreamwvr
• Re: Perl PR: "Security holes in Sys::Syslog" by Dave Mitchell
• Re: Perl PR: "Security holes in Sys::Syslog" by Nicholas Clark
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• [PATCH] Disable constant folding of sprintf by Gisle Aas
• Re: [PATCH] Disable constant folding of sprintf by hv
• Re: [PATCH] Disable constant folding of sprintf by Nicholas Clark
• Re: [PATCH] Disable constant folding of sprintf by Andy Lester
• Re: [PATCH] Disable constant folding of sprintf by Steve Peters
• Re: [PATCH] Disable constant folding of sprintf by Rafael Garcia-Suarez
• Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Ronald J Kimball
• RE: Perl PR: "Security holes in Sys::Syslog" by Jan Dubois
• Re: Perl PR: "Security holes in Sys::Syslog" by Ronald J Kimball
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• sprintf patches by Andy Lester
• Re: sprintf patches by Rafael Garcia-Suarez
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Brendan O'Dea
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by H.Merijn Brand
• Re: sprintf patches by Steve Peters
• Re: sprintf patches by Jason Vas Dias
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Brendan O'Dea
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Dominic Dunlop
• Re: sprintf patches by Dominic Dunlop
• Re: sprintf patches by Dominic Dunlop
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Andrew Dougherty
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Dominic Dunlop
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Steve Hay
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Steve Hay
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Andy Dougherty
• Re: sprintf patches by Dominic Dunlop
• Re: sprintf patches by Nicholas Clark
• Re: sprintf patches by Andy Dougherty
• RE: Perl PR: "Security holes in Sys::Syslog" by Jan Dubois
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• RE: Perl PR: "Security holes in Sys::Syslog" by Jan Dubois
• Re: Perl PR: "Security holes in Sys::Syslog" by Ronald J Kimball
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Dave Mitchell
• Re: Perl PR: "Security holes in Sys::Syslog" by hv
• Re: Perl PR: "Security holes in Sys::Syslog" by Nicholas Clark
• Re: Perl PR: "Security holes in Sys::Syslog" by hv
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Andy Lester
• Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• [patch] Re: Perl PR: "Security holes in Sys::Syslog" by Philippe M. Chiasson
• Re: [patch] Re: Perl PR: "Security holes in Sys::Syslog" by Allen Smith
• Re: [patch] Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• Re: [patch] Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Gisle Aas
• RE: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Jan Dubois
• Re: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• Re: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Nicholas Clark
• RE: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Jan Dubois
• Re: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• Re: [PATCH] Re: Perl PR: "Security holes in Sys::Syslog" by Rafael Garcia-Suarez
• [PATCH] Suppress "0b" prefix for sprintf("%#b", 0) by Gisle Aas
• Re: Perl PR: "Security holes in Sys::Syslog" by Adriano Ferreira