Storable 3.12_03: fix Limit security issue #393

User limits must not be higher than the probed limits,
even pst data might override these limits.
Disallow blessing pst data into the Storable package.

Protect against setting these via the PST also,
the most common attack vector. i.e. hooks may not change
these two limits, neither is it now allowed to retrieve
from a class Storable or store to a class Storable.

Re-add the probed hard limits in stacksize.h, on violations
reset the read-write soft limits.
Check on Storable init and on every possible change via
user-code or data.

Author: rurban

MANIFEST

@@ -3643,6 +3643,7 @@ dist/Storable/hints/linux.pl		Hint for Storable for named architecture
 dist/Storable/Makefile.PL		Storable extension
 dist/Storable/README			Storable extension
 dist/Storable/stacksize			compute stack sizes
+dist/Storable/stacksize_in.h		initial computed stack sizes template
 dist/Storable/Storable.xs		Storable extension
 dist/Storable/Storable_pm.PL		Storable extension
 dist/Storable/t/attach.t		Check STORABLE_attach doesn't create objects unnecessarily

Porting/Maintainers.pl

@@ -1283,7 +1283,7 @@ package Maintainers;
     },
 
     'Storable' => {
-        'DISTRIBUTION' => 'RURBAN/Storable-3.12_02.tar.gz',
+        'DISTRIBUTION' => 'RURBAN/Storable-3.12_03.tar.gz',
         'FILES'        => q[dist/Storable],
         'EXCLUDED'     => [
             qw( ptr_table.h t/leaks_refcnt.t .travis.yml appveyor.yml ),

dist/.gitignore

@@ -6,6 +6,7 @@ pm_to_blib
 Makefile
 Makefile.PL
 ppport.h
+Storable/stacksize.h
 Storable/storable-testfile.*
 Storable/Storable.pm
 Storable/lib/Storable/Limit.pm

dist/Module-CoreList/lib/Module/CoreList.pm

@@ -18338,6 +18338,7 @@ our %delta :const = (
             'B::Op_private'         => '5.026005',
             'Module::CoreList'      => '5.20190301c',
             'Module::CoreList::Utils'=> '5.20190301c',
+            'Storable'              => '3.12_03',
         }
   }
 );

dist/Storable/ChangeLog

@@ -1,3 +1,24 @@
+2019-03-01 rurban
+    Version 3.12_03
+        * SECURITY: fix p5p-introduced user stacklimits. Must not be higher
+        than the probed hard limits, when overridden by user code or data,
+        via hooks or even pst data. [cperl #393]
+        * Add some author tests as t/z_*.t, add LICENSE and MANIFEST.SKIP
+
+2018-10-17 rurban
+    Version 3.12_02
+        * SECURITY: Enable >2GB AvFILL check on store_hook (64bit).
+        Too many references returned by STORABLE_freeze.
+        It wrapped around previously. Fixes Coverity CID #187854.
+        This is a security issue on 64bit cperl and perl5, as both allow
+        SSize_t arrays.
+        * Move __Storable__.pm into Storable_pm.PL [cperl #374]
+
+2018-09-05 rurban
+    Version 3.11_01
+        * re-add various minor cperl fixes: protect empty hvname,
+        fixup pod, t/recurse.t
+
 2018-04-27 20:40:00 xsawyerx
     version 3.11
         * Fix Strawberry Perl build failures.

dist/Storable/Makefile.PL

@@ -1,6 +1,6 @@
 #
 #  Copyright (c) 1995-2000, Raphael Manfredi
-#  Copyright (c) 2017-2018, Reini Urban
+#  Copyright (c) 2017-2019, Reini Urban
 #  
 #  You may redistribute only under the same terms as Perl 5, as specified
 #  in the README file that comes with the distribution.
@@ -13,6 +13,8 @@ use Config;
 use File::Copy qw(move copy);
 use File::Spec;
 
+my ($fn, $in) = ("stacksize.h", "stacksize_in.h");
+copy $in, $fn;
 unlink "lib/Storable/Limit.pm";
 
 my $limit_pm = File::Spec->catfile('lib', 'Storable', 'Limit.pm');
@@ -25,29 +27,45 @@ unless ($ENV{PERL_CORE}) {
 
 WriteMakefile(
     NAME            => 'Storable',
-    AUTHOR          => 'Perl 5 Porters',
+    AUTHOR          => 'Reini Urban',
     LICENSE         => 'perl',
     DISTNAME        => "Storable",
     PL_FILES        => { }, # prevent default behaviour
     PM              => $pm,
-    PREREQ_PM       => { XSLoader => 0 },
+    PREREQ_PM       => { XSLoader => 0, perl => '5.004' },
     INSTALLDIRS     => ($] >= 5.007 && $] < 5.012) ? 'perl' : 'site',
     VERSION_FROM    => 'Storable_pm.PL',
     ABSTRACT_FROM   => 'Storable_pm.PL',
     ($ExtUtils::MakeMaker::VERSION > 6.45 ?
      (META_MERGE    => { resources =>
-                          { bugtracker => 'http://rt.perl.org/perlbug/' },
-                            provides    => {
-                                'Storable'  => {
-                                    file        => '__Storable__.pm',
-                                    version     => MM->parse_version('__Storable__.pm'),
-                                },
-                            },
-
+                         { bugtracker => 'http://rt.perl.org/perlbug/',
+                           repository => 'https://github.com/rurban/Storable/',
+                         },
+                         provides => {
+                           'Storable'  => {
+                             file        => 'Storable_pm.PL',
+                             version     => MM->parse_version('Storable_pm.PL'),
                            },
-    ) : ()),
+                         },
+                         recommends => {
+                           'Test::Kwalitee'      => '1.00',
+                           'Test::CheckManifest' => '1.42',
+                           'Test::CPAN::Meta'    => 0,
+                           'Pod::Spell::CommonMistakes' => 0,
+                           'Test::Spelling'      => 0,
+                           'Test::Pod'           => 0,
+                           'Devel::Refcount'     => 0,
+                         }
+      },
+     ) : ()),
+    ($ExtUtils::MakeMaker::VERSION >= 6.64 ?
+     (TEST_REQUIRES => {
+        'Test::More'          => '0.82', # for t/malice.t using note()
+      }
+     ) : ()),
     dist            => { SUFFIX => 'gz', COMPRESS => 'gzip -f' },
-    clean           => { FILES => 'Storable-* Storable.pm lib' },
+    clean           => { FILES => 'Storable-* Storable.pm stacksize.h lib' },
+    SIGN            => 1,
 );
 
 # Unlink the .pm file included with the distribution
@@ -77,37 +95,41 @@ EOM
 package MY;
 use Config;
 
-# FORCE finish of INST_DYNAMIC, avoid loading the old Storable (failed XS_VERSION check)
-sub xlinkext {
-    my $s = shift->SUPER::linkext(@_);
-    $s =~ s|( :: .*)| $1 FORCE stacksize|;
-    $s
-}
-
 sub depend {
     my $extra_deps = "";
     my $options = "";
-    if ($ENV{PERL_CORE}) {
-        $options = "--core";
-    }
-    else {
-        # blib.pm needs arch/lib
-        $extra_deps = ' Storable.pm';
-    }
+    my $mkblib = '';
     my $linktype = uc($_[0]->{LINKTYPE});
+    my $s;
     # EUMM bug for core builds, missing ldlibpthname
-    my $s = "LDFULLPERLRUNINST = \$(FULLPERLRUNINST)\n";
-    if ($ENV{PERL_CORE} && $Config{useshrplib}) {
+    if ($ENV{PERL_CORE}) {
+      $options = "--core";
+      # $extra_deps = ' $(PERLEXE)' if $^O eq 'MSWin32';
       my $ldlibpthname = $Config{ldlibpthname};
-      if ($ldlibpthname && $ENV{$ldlibpthname}) {
-        $s = "LDFULLPERLRUNINST = $ldlibpthname=$ENV{$ldlibpthname}" .
-          " \$(FULLPERLRUNINST)\n";
+      if ($Config{useshrplib} && $ldlibpthname && $ENV{$ldlibpthname}) {
+          $s = "LDPERLRUNINST = $ldlibpthname=$ENV{$ldlibpthname}" .
+            " \$(FULLPERLRUNINST)\n";
+      } else {
+        $s = "LDPERLRUNINST = \$(FULLPERLRUNINST)\n";
       }
+    } else {
+      # blib.pm needs arch/lib
+      $extra_deps = ' Storable.pm';
+      $s = "LDPERLRUNINST = \$(FULLPERLRUNINST)\n";
+      $mkblib = "-\$(MKPATH) \$(INST_ARCHLIB)\n\t" .
+        "-\$(CHMOD) \$(PERM_RW) \$(INST_ARCHLIB)/Storable.pm\n\t" .
+        "\$(CP) Storable.pm \$(INST_ARCHLIB)/Storable.pm\n\t";
     }
     $s . "
-$limit_pm : stacksize \$(INST_$linktype)$extra_deps
-	\$(MKPATH) \$(INST_LIB)
-	\$(LDFULLPERLRUNINST) stacksize $options
+stacksize: Makefile \$(INST_$linktype)$extra_deps
+	$mkblib\$(LDPERLRUNINST) stacksize $options
+
+Storable\$(OBJ_EXT) Storable.c: stacksize.h
+
+stacksize.h: stacksize_in.h
+	\$(CP) stacksize_in.h stacksize.h
+
+$limit_pm : stacksize
 
 release : dist
 	git tag \$(VERSION)
@@ -136,5 +158,6 @@ all :: Storable.pm
 
 Storable.pm :: Storable_pm.PL
 	$(PERLRUN) Storable_pm.PL
+
 '
 }

dist/Storable/README

@@ -1,9 +1,8 @@
-                         Storable 3.11_01
-               Copyright (c) 1995-2000, Raphael Manfredi
-               Copyright (c) 2001-2004, Larry Wall
-               Copyright (c) 2016,2017 cPanel Inc
-               Copyright (c) 2015-2016 cPanel Inc
-               Copyright (c) 2017-2018 Reini Urban
+                         Storable 3.12_03
+               Copyright (c) 1995-2000 Raphael Manfredi
+               Copyright (c) 2001-2004 Larry Wall
+               Copyright (c) 2015-2017 cPanel Inc
+               Copyright (c) 2017-2019 Reini Urban
                Copyright (c) 2017-2018 by the Perl 5 Porters
 
 ------------------------------------------------------------------------
@@ -74,7 +73,7 @@ Thanks to (in chronological order):
     Albert N. Micheev <Albert.N.Micheev@f80.n5049.z2.fidonet.org>
     Marc Lehmann <pcg@opengroup.org>
     Justin Banks <justinb@wamnet.com>
-    Jarkko Hietaniemi <jhi@iki.fi> (AGAIN, as perl 5.7.0 Pumpkin!)
+    Jarkko Hietaniemi <jhi@iki.fi> (AGAIN, as perl 5.7.0 Pumpkin)
     Todd Rinaldo <toddr@cpanel.net> and JD Lightsey <jd@cpanel.net>
       for optional disabling tie and bless for increased security.
     Reini Urban <rurban@cpanel.net> for the 3.0x >2G support and rewrite