Description: Unsafe use of Storable::thaw
CVE-2015-1592: The Perl Storable::thaw function is not properly used,
allowing remote attackers to include and execute arbitrary local Perl
files and possibly remotely execute arbitrary code.
Origin: upstream
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-03-04
Applied-Upstream: 5.2.12
--- a/lib/MT/App/Upgrader.pm
+++ b/lib/MT/App/Upgrader.pm
@@ -633,7 +633,11 @@ sub unserialize_config {
if ($data) {
$data = pack 'H*', $data;
require MT::Serialize;
- my $ser = MT::Serialize->new('MT');
+ my $ser = MT::Serialize->new('MT');
+ my $ser_ver = $ser->serializer_version($data);
+ if ( !$ser_ver || $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
+ die $app->translate('Invalid parameter.');
+ }
my $thawed = $ser->unserialize($data);
if ($thawed) {
my $saved_cfg = $$thawed;
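Review bot: The guard in `unserialize_config` compares against `$MT::Serialize::SERIALIZER_VERSION`, but nothing here ties that constant to the serializer actually built by `MT::Serialize->new('MT')`, so the two can drift apart if either is changed later. A short comment stating that the 'MT' serializer writes version 2, or asking `$ser` for the version it expects, would make the allowlist explicit. The constant is declared as the string '2' and compared with the numeric `!=`, which works but deserves a consistent choice. The re-indented `my $ser` line is a whitespace-only change that adds noise to a security fix.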
--- a/lib/MT/App/Wizard.pm
+++ b/lib/MT/App/Wizard.pm
@@ -1150,7 +1150,11 @@ sub unserialize_config {
if ($data) {
$data = pack 'H*', $data;
require MT::Serialize;
- my $ser = MT::Serialize->new('MT');
+ my $ser = MT::Serialize->new('MT');
+ my $ser_ver = $ser->serializer_version($data);
+ if ( !$ser_ver || $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
+ die $app->translate('Invalid parameter.');
+ }
my $thawed = $ser->unserialize($data);
if ($thawed) {
my $saved_cfg = $$thawed;
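Review bot: These five added lines in `MT::App::Wizard::unserialize_config` are a verbatim copy of the check added to `lib/MT/App/Upgrader.pm`, so a later correction to one copy can miss the other. Consider moving the version check into `MT::Serialize` itself (for example a single method that validates the header and then unserializes, name to be chosen) and calling that from both places, so request-supplied data cannot reach `unserialize` without passing the check.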
--- a/lib/MT/BackupRestore/BackupFileHandler.pm
+++ b/lib/MT/BackupRestore/BackupFileHandler.pm
@@ -340,6 +340,15 @@ sub end_element {
if ( 'blob' eq $defs->{$column_name}->{type} ) {
$text = MIME::Base64::decode_base64($text);
if ( substr( $text, 0, 4 ) eq 'SERG' ) {
+ my $ser_ver
+ = MT::Serialize->serializer_version($text);
+ if ( $ser_ver == 3 ) {
+ my $conf_ver = lc MT->config->Serializer;
+ if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
+ $self->{critical} = 1;
+ die MT->translate('Invalid serializer version was specified.');
+ }
+ }
$text = MT::Serialize->unserialize($text);
}
$obj->$column_name($$text);
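Review bot: In the 'blob' branch only `$ser_ver == 3` is handled; `serializer_version` returns undef for a version field of 0 or above `$VERSION`, and in that case the comparison is false and the data still goes to `MT::Serialize->unserialize($text)`. Reject the undefined case explicitly, for example `die ... unless defined $ser_ver;`, before the version 3 test. The literal 3 is also unexplained: a named constant or a comment saying which format version 3 denotes, and why it is acceptable only when `Serializer` is 'storable' or 'mts', would help the next reader.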
@@ -352,6 +361,15 @@ sub end_element {
if ( my $type = $metacolumns->{$column_name} ) {
if ( 'vblob' eq $type ) {
$text = MIME::Base64::decode_base64($text);
+ my $ser_ver
+ = MT::Serialize->serializer_version($text);
+ if ( $ser_ver == 3 ) {
+ my $conf_ver = lc MT->config->Serializer;
+ if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
+ $self->{critical} = 1;
+ die MT->translate('Invalid serializer version was specified.');
+ }
+ }
$text = MT::Serialize->unserialize($text);
$obj->$column_name($$text);
}
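Review bot: Unlike the 'blob' branch, no `substr( $text, 0, 4 ) eq 'SERG'` test is visible in this 'vblob' branch, so `serializer_version` will return undef for any value without that prefix and `$ser_ver == 3` then compares undef numerically before the data is passed to `unserialize` regardless. Use `defined $ser_ver && $ser_ver == 3` and decide explicitly what happens to an undefined version. The nine added lines duplicate the previous hunk exactly; a small private helper in `BackupFileHandler.pm` would keep the two branches in step.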
--- a/lib/MT/Serialize.pm
+++ b/lib/MT/Serialize.pm
@@ -7,7 +7,8 @@
package MT::Serialize;
use strict;
-our $VERSION = 5;
+our $VERSION = '5';
+our $SERIALIZER_VERSION = '2';
{
my %Types = (
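Review bot: `$VERSION` and the new `$SERIALIZER_VERSION` are declared next to each other with no comment on how they differ, and `$VERSION` is later used as the upper bound on the format version in `serializer_version`. Document that `$SERIALIZER_VERSION` is the only format accepted from untrusted input and what `$VERSION` bounds. Quoting both values as strings while every caller compares them numerically (`!=`, `<=`, `==`) is inconsistent; keep them numeric or switch the comparisons.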
@@ -45,6 +46,24 @@ sub unserialize {
$ser->{thaw}->(@_);
}
+sub serializer_version {
+ my ( $ser, $frozen ) = @_;
+ return undef unless $frozen && substr( $frozen, 0, 4 ) eq 'SERG';
+ my $n = unpack 'N', substr( $frozen, 4, 4 );
+ if ( $n == 0 ) {
+ my $v = unpack 'N', substr( $frozen, 8, 4 );
+ if ( ( $v > 0 ) && ( $v <= $VERSION ) ) {
+ return $v;
+ }
+ else {
+ return undef;
+ }
+ }
+ else {
+ return 1;
+ }
+}
+
sub _freeze_storable { require Storable; Storable::freeze(@_) }
sub _thaw_storable { require Storable; Storable::thaw(@_) }
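Review bot: `serializer_version` has no length check before the two `unpack 'N'` calls, so a buffer shorter than 12 bytes leaves `$n` or `$v` undefined and the result depends on undef comparing as 0, with warnings along the way. Add `return unless length($frozen) >= 12;` (or 8 for the first field) after the 'SERG' test. The `else { return 1; }` branch classifies any input whose bytes 4 to 7 are non-zero as version 1 without further validation, which is worth a comment explaining the version 1 layout. Prefer a bare `return` over `return undef` so a list-context caller does not receive a one-element list.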