head 1.3; access; symbols pkgsrc-2026Q2:1.3.0.2 pkgsrc-2026Q2-base:1.3 pkgsrc-2016Q1:1.1.0.18 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.16 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.14 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.12 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.10 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.8 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.6 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.4 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.2 pkgsrc-2014Q1-base:1.1; locks; strict; comment @# @; 1.3 date 2026.06.16.07.12.10; author wiz; state Exp; branches; next 1.2; commitid 2KuIj1XGrpszAZJG; 1.2 date 2016.06.08.17.39.30; author he; state dead; branches; next 1.1; commitid 4aUkilwinseEHG9z; 1.1 date 2014.03.14.22.41.10; author ryoon; state Exp; branches; next ; commitid O9eObkw1oZDyDIsx; desc @@ 1.3 log @perl: fix security issue in Socket module Using upstream patch. Bump PKGREVISION. @ text @$NetBSD$ Pull security fix from 2.041 [BUGFIXES] * Fix reuse of `STRLEN len` variable in pack_ip_mreq_source() https://github.com/Perl/perl5/commit/de19a0b0ad1900fef976c5c1400bd8f11ec6c6cb.patch --- cpan/Socket/Socket.xs.orig 2026-01-18 17:50:03.000000000 +0000 +++ cpan/Socket/Socket.xs @@@@ -1272,26 +1272,35 @@@@ pack_ip_mreq(multiaddr, interface=&PL_sv_undef) struct ip_mreq mreq; char * multiaddrbytes; char * interfacebytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.imr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.imr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + 
"Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char); if(SvOK(interface)) { if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1)) croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; interfacebytes = SvPVbyte(interface, len); if (len != sizeof(mreq.imr_interface)) croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_interface)); + Copy(interfacebytes, &mreq.imr_interface, sizeof(mreq.imr_interface), char); } else mreq.imr_interface.s_addr = INADDR_ANY; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else not_here("pack_ip_mreq"); @@@@ -1331,25 +1340,38 @@@@ pack_ip_mreq_source(multiaddr, source, interface=&PL_s char * multiaddrbytes; char * sourcebytes; char * interfacebytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq_source"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.imr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); - if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq_source"); - if (len != sizeof(mreq.imr_sourceaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr)); - sourcebytes = SvPVbyte(source, len); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq_source"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.imr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + } + + { + 
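Review bot: The bare `{ ... }` blocks that now wrap each argument's validation in pack_ip_mreq have no comment explaining why they exist. A later tidy-up could hoist `STRLEN len` back to function scope and reintroduce the stale-length comparison that this patch removes from pack_ip_mreq_source. I would add one line above the first block, e.g. `/* each argument gets its own len, so a length check can only see the length SvPVbyte just returned for that argument */`. The same comment fits the blocks added in pack_ip_mreq_source and pack_ipv6_mreq. The XS signature and the end of pack_ip_mreq lie outside this hunk.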
if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq_source"); + + STRLEN len; + sourcebytes = SvPVbyte(source, len); + if (len != sizeof(mreq.imr_sourceaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char); Copy(sourcebytes, &mreq.imr_sourceaddr, sizeof(mreq.imr_sourceaddr), char); + if(SvOK(interface)) { if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1)) croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; interfacebytes = SvPVbyte(interface, len); if (len != sizeof(mreq.imr_interface)) croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, @@@@ -1358,6 +1380,7 @@@@ pack_ip_mreq_source(multiaddr, source, interface=&PL_s } else mreq.imr_interface.s_addr = INADDR_ANY; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else PERL_UNUSED_VAR(multiaddr); @@@@ -1398,16 +1421,22 @@@@ pack_ipv6_mreq(multiaddr, ifindex) #ifdef HAS_IPV6_MREQ struct ipv6_mreq mreq; char * multiaddrbytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ipv6_mreq"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.ipv6mr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr)); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ipv6_mreq"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.ipv6mr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, 
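Review bot: The two added `Bad arg length` croaks in pack_ip_mreq_source (the multiaddr block and the source block) still pass `"Socket::pack_ip_mreq"` as the function name, so a rejected argument is reported against the wrong function. Since these messages are how a caller or log reader traces which call received a malformed address, the name argument should read `"Socket::pack_ip_mreq_source", (UV)len, (UV)sizeof(mreq.imr_sourceaddr));` and likewise for `imr_multiaddr`. The unchanged interface branch has the same wrong name in its `Wide character` croak. The argument list of its length croak falls between this hunk and the next, so it should be checked too. The function starts before this hunk and continues past it.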
&mreq.ipv6mr_multiaddr, sizeof(mreq.ipv6mr_multiaddr), char); mreq.ipv6mr_interface = ifindex; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else PERL_UNUSED_VAR(multiaddr); @ 1.2 log @Update perl to version 5.24.0. Pkgsrc changes: * Add candidate fix from https://rt.cpan.org/Public/Bug/Display.html?id=72467 * Remove patches which have been integrated upstream * Rename and re-mould some patches which required adjustments http://perlnews.org/2016/05/perl-5-24-released/ has pointer to more details and says: May 9 2016 Perl 5.24.0 has been released. You can read about the changes which include: Postfix dereferencing is no longer experimental Unicode 8.0 is now supported The autoderef feature has been removed Perl 5.24.0 represents approximately 11 months of development since Perl 5.22.0 and contains approximately 360,000 lines of changes across 1,800 files from 77 authors. @ text @d1 1 a1 1 $NetBSD: patch-cpan_Socket_Socket.xs,v 1.1 2014/03/14 22:41:10 ryoon Exp $ d3 1 a3 1 * Fix build under SCO OpenServer 5.0.7/3.2 d5 6 a10 1 --- cpan/Socket/Socket.xs.orig 2014-01-06 22:46:43.000000000 +0000 d12 133 a144 11 @@@@ -75,6 +75,10 @@@@ NETINET_DEFINE_CONTEXT # define INADDR_LOOPBACK 0x7F000001 #endif /* INADDR_LOOPBACK */ +#if !defined(INET_ADDRSTRLEN) +#define INET_ADDRSTRLEN 16 +#endif + #ifndef C_ARRAY_LENGTH #define C_ARRAY_LENGTH(arr) (sizeof(arr) / sizeof(*(arr))) #endif /* !C_ARRAY_LENGTH */ @ 1.1 log @Fix build under SCO OpenServer 5.0.7/3.2 and add workaround for empty result of nl_langinfo(CODESET). This workaround is needed for devel/gtexinfo. @ text @d1 1 a1 1 $NetBSD$ @