Version in base suite: 3.08-1+deb11u1 Base version: libencode-perl_3.08-1+deb11u1 Target version: libencode-perl_3.08-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libe/libencode-perl/libencode-perl_3.08-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libe/libencode-perl/libencode-perl_3.08-1+deb11u2.dsc changelog | 10 ++++ patches/rt_139622_memory-leak.patch | 82 ++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 93 insertions(+)
diff -Nru libencode-perl-3.08/debian/changelog libencode-perl-3.08/debian/changelog
--- libencode-perl-3.08/debian/changelog 2021-08-06 18:49:32.000000000 +0000
+++ libencode-perl-3.08/debian/changelog 2021-11-01 15:15:54.000000000 +0000
@@ -1,3 +1,13 @@
+libencode-perl (3.08-1+deb11u2) bullseye; urgency=medium
+
+ * Fix memory leak.
+ Add patch rt_139622_memory-leak.patch, taken from upstream releases 3.13,
+ 3.14, 3.15 to fix a memory leak in Encode.xs.
+ Cf. https://rt.cpan.org/Ticket/Display.html?id=139622
+ (Closes: #995804)
+
+ -- gregor herrmann Mon, 01 Nov 2021 16:15:54 +0100
+
 libencode-perl (3.08-1+deb11u1) bullseye-security; urgency=high
 
 * [SECURITY] CVE-2021-36770: Encode loading code from working directory
diff -Nru libencode-perl-3.08/debian/patches/rt_139622_memory-leak.patch libencode-perl-3.08/debian/patches/rt_139622_memory-leak.patch
--- libencode-perl-3.08/debian/patches/rt_139622_memory-leak.patch 1970-01-01 00:00:00.000000000 +0000
+++ libencode-perl-3.08/debian/patches/rt_139622_memory-leak.patch 2021-11-01 15:15:54.000000000 +0000
@@ -0,0 +1,82 @@
+Description: Fix memory leak
+Origin: upstream releases 3.13, 3.14, 3.15
+Bug-Debian: https://bugs.debian.org/995804
+Bug: https://rt.cpan.org/Ticket/Display.html?id=139622
+Reviewed-by: gregor herrmann
+Last-Update: 2021-11-01
+
+--- a/Encode.xs
++++ b/Encode.xs
+@@ -154,7 +154,7 @@ encode_method(pTHX_ const encode_t * enc
+ STRLEN sdone = 0;
+ /* We allocate slen+1.
+ PerlIO dumps core if this value is smaller than this. */
+- SV *dst = newSV(slen+1);
++ SV *dst = sv_2mortal(newSV(slen+1));
+ U8 *d = (U8 *)SvPVX(dst);
+ STRLEN dlen = SvLEN(dst)-1;
+ int code = 0;
+@@ -810,13 +810,12 @@ CODE:
+ tmp = encode_method(aTHX_ enc, enc->t_utf8, src, s, slen, check,
+ &offset, term, &code, fallback_cb);
+ sv_catsv(dst, tmp);
+- SvREFCNT_dec(tmp);
+ SvIV_set(off, (IV)offset);
+ RETVAL = (code == ENCODE_FOUND_TERM);
+ OUTPUT:
+ RETVAL
+
+-SV *
++void
+ Method_decode(obj,src,check_sv = &PL_sv_no)
+ SV * obj
+ SV * src
+@@ -828,6 +827,7 @@ PREINIT:
+ encode_t *enc;
+ U8 *s;
+ STRLEN slen;
++ SV *ret;
+ INIT:
+ SvGETMAGIC(src);
+ SvGETMAGIC(check_sv);
+@@ -841,13 +841,13 @@ CODE:
+ s = modify ? (U8 *)SvPV_force_nomg(src, slen) : (U8 *)SvPV_nomg(src, slen);
+ if (SvUTF8(src))
+ utf8_safe_downgrade(aTHX_ &src, &s, &slen, modify);
+- RETVAL = encode_method(aTHX_ enc, enc->t_utf8, src, s, slen, check,
++ ret = encode_method(aTHX_ enc, enc->t_utf8, src, s, slen, check,
+ NULL, Nullsv, NULL, fallback_cb);
+- SvUTF8_on(RETVAL);
+-OUTPUT:
+- RETVAL
++ SvUTF8_on(ret);
++ ST(0) = ret;
++ XSRETURN(1);
+
+-SV *
++void
+ Method_encode(obj,src,check_sv = &PL_sv_no)
+ SV * obj
+ SV * src
+@@ -859,6 +859,7 @@ PREINIT:
+ encode_t *enc;
+ U8 *s;
+ STRLEN slen;
++ SV *ret;
+ INIT:
+ SvGETMAGIC(src);
+ SvGETMAGIC(check_sv);
+@@ -872,10 +873,10 @@ CODE:
+ s = modify ? (U8 *)SvPV_force_nomg(src, slen) : (U8 *)SvPV_nomg(src, slen);
+ if (!SvUTF8(src))
+ utf8_safe_upgrade(aTHX_ &src, &s, &slen, modify);
+- RETVAL = encode_method(aTHX_ enc, enc->f_utf8, src, s, slen, check,
++ ret = encode_method(aTHX_ enc, enc->f_utf8, src, s, slen, check,
+ NULL, Nullsv, NULL, fallback_cb);
+-OUTPUT:
+- RETVAL
++ ST(0) = ret;
++ XSRETURN(1);
+
+ bool
+ Method_needs_lines(obj)
diff -Nru libencode-perl-3.08/debian/patches/series libencode-perl-3.08/debian/patches/series
--- libencode-perl-3.08/debian/patches/series 2021-08-06 18:49:32.000000000 +0000
+++ libencode-perl-3.08/debian/patches/series 2021-11-01 15:15:54.000000000 +0000
@@ -1 +1,2 @@
 0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch
+rt_139622_memory-leak.patch
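Review bot: In the Encode.xs patch carried by debian/patches/rt_139622_memory-leak.patch, the `sv_2mortal(newSV(slen+1))` line in encode_method changes who owns the returned SV, and nothing in the new code records that contract. The three call sites shown are adjusted to match: the `SvREFCNT_dec(tmp)` is dropped, and Method_decode and Method_encode switch from an `SV *` RETVAL to `ST(0) = ret; XSRETURN(1);`. Any caller outside these hunks that still decrements the value or returns it through an `SV *` RETVAL would presumably release it twice. I would extend the comment above the allocation with `/* dst is mortal: callers must not SvREFCNT_dec() it or hand it back through an SV * RETVAL */`. encode_method and the XS bodies start and end outside the hunks, so the remaining call sites need checking against the full file.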