* bug#27263: Perl CVE-2017-6512
From: Leo Famulari @ 2017-06-06 3:01 UTC
To: 27263

These patches fix CVE-2017-6512 in perl-file-path and the copy of
File::Path in perl itself.
* bug#27263: [PATCH 1/2] gnu: perl-file-path: Update to 2.13. 2017-06-06 3:01 bug#27263: Perl CVE-2017-6512 Leo Famulari @ 2017-06-06 3:04 ` Leo Famulari 2017-06-06 3:04 ` bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path Leo Famulari 2017-06-06 23:16 ` bug#27263: [PATCH 1/2] gnu: perl-file-path: Update to 2.13 Ludovic Courtès 2017-06-06 18:53 ` bug#27263: Perl CVE-2017-6512 Marius Bakke 1 sibling, 2 replies; 9+ messages in thread From: Leo Famulari @ 2017-06-06 3:04 UTC (permalink / raw) To: 27263 This fixes CVE-2017-6512. * gnu/packages/perl.scm (perl-file-path): Update to 2.13. --- gnu/packages/perl.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index 812d7548c..e56c80609 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -2986,17 +2986,17 @@ platforms.") (define-public perl-file-path (package (name "perl-file-path") - (version "2.12") + (version "2.13") (source (origin (method url-fetch) (uri (string-append - "mirror://cpan/authors/id/R/RI/RICHE/File-Path-" + "mirror://cpan/authors/id/J/JK/JKEENAN/File-Path-" version ".tar.gz")) (sha256 (base32 - "0znihrlcnlpa0ziml0hkq9s59p1bjd2a6khgx2accdf16w6imxmv")))) + "039gc0i5cbdmidl8j8x195yykwcdmzwawmpapnysvljl8l33jqwj")))) (build-system perl-build-system) (home-page "http://search.cpan.org/dist/File-Path") (synopsis "Create or remove directory trees") -- 2.13.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
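Review bot: The uri hunk in gnu/packages/perl.scm moves the tarball from the R/RI/RICHE author directory to J/JK/JKEENAN in the same change that replaces the sha256, but the commit log only says "Update to 2.13". For a security update, mention the change of upstream location in the log entry and how the new hash was checked, so that the switch of source can be audited later.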
* bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path. 2017-06-06 3:04 ` bug#27263: [PATCH 1/2] gnu: perl-file-path: Update to 2.13 Leo Famulari @ 2017-06-06 3:04 ` Leo Famulari 2017-06-06 23:18 ` Ludovic Courtès 2017-06-06 23:16 ` bug#27263: [PATCH 1/2] gnu: perl-file-path: Update to 2.13 Ludovic Courtès 1 sibling, 1 reply; 9+ messages in thread From: Leo Famulari @ 2017-06-06 3:04 UTC (permalink / raw) To: 27263 * gnu/packages/perl.scm (perl)[replacement]: New field. (perl/fixed): New variable. * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/perl-file-path-CVE-2017-6512.patch | 173 +++++++++++++++++++++ gnu/packages/perl.scm | 13 ++ 3 files changed, 187 insertions(+) create mode 100644 gnu/packages/patches/perl-file-path-CVE-2017-6512.patch diff --git a/gnu/local.mk b/gnu/local.mk index 4b2bdfe37..ab3fbb2d3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -884,6 +884,7 @@ dist_patch_DATA = \ %D%/packages/patches/pcre-CVE-2017-7186.patch \ %D%/packages/patches/pcre2-CVE-2017-7186.patch \ %D%/packages/patches/pcre2-CVE-2017-8786.patch \ + %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch new file mode 100644 index 000000000..28ab06759 --- /dev/null +++ b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch 
@@ -0,0 +1,173 @@ +Fix CVE-2017-6512: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512 +https://rt.cpan.org/Public/Bug/Display.html?id=121951 + +Patch copied from Debian, adapted to apply to the copy of File::Path in Perl +5.24.0. + +https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2 +https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3 + +From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001 +From: John Lightsey <john@nixnuts.net> +Date: Tue, 2 May 2017 12:03:52 -0500 +Subject: Prevent directory chmod race attack. + +CVE-2017-6512 is a race condition attack where the chmod() of directories +that cannot be entered is misused to change the permissions on other +files or directories on the system. This has been corrected by limiting +the directory-permission loosening logic to systems where fchmod() is +supported. + +[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by +Dominic Hargreaves for Debian.] + +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951 +Bug-Debian: https://bugs.debian.org/863870 +Patch-Name: fixes/file_path_chmod_race.diff +--- + cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++-------------- + cpan/File-Path/t/Path.t | 40 ++++++++++++++++++++++++++-------------- + 2 files changed, 51 insertions(+), 28 deletions(-) + +diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm +index 034da1e..a824cc8 100644 +--- a/cpan/File-Path/lib/File/Path.pm ++++ b/cpan/File-Path/lib/File/Path.pm +@@ -354,21 +354,32 @@ sub _rmtree { + + # see if we can escalate privileges to get in + # (e.g. 
funny protection mask such as -w- instead of rwx) +- $perm &= oct '7777'; +- my $nperm = $perm | oct '700'; +- if ( +- !( +- $arg->{safe} +- or $nperm == $perm +- or chmod( $nperm, $root ) +- ) +- ) +- { +- _error( $arg, +- "cannot make child directory read-write-exec", $canon ); +- next ROOT_DIR; ++ # This uses fchmod to avoid traversing outside of the proper ++ # location (CVE-2017-6512) ++ my $root_fh; ++ if (open($root_fh, '<', $root)) { ++ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1]; ++ $perm &= oct '7777'; ++ my $nperm = $perm | oct '700'; ++ local $@; ++ if ( ++ !( ++ $arg->{safe} ++ or $nperm == $perm ++ or !-d _ ++ or $fh_dev ne $ldev ++ or $fh_inode ne $lino ++ or eval { chmod( $nperm, $root_fh ) } ++ ) ++ ) ++ { ++ _error( $arg, ++ "cannot make child directory read-write-exec", $canon ); ++ next ROOT_DIR; ++ } ++ close $root_fh; + } +- elsif ( !chdir($root) ) { ++ if ( !chdir($root) ) { + _error( $arg, "cannot chdir to child", $canon ); + next ROOT_DIR; + } +diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t +index ff52fd6..956ca09 100644 +--- a/cpan/File-Path/t/Path.t ++++ b/cpan/File-Path/t/Path.t +@@ -3,7 +3,7 @@ + + use strict; + +-use Test::More tests => 127; ++use Test::More tests => 126; + use Config; + use Fcntl ':mode'; + use lib 't/'; +@@ -18,6 +18,13 @@ BEGIN { + + my $Is_VMS = $^O eq 'VMS'; + ++my $fchmod_supported = 0; ++if (open my $fh, curdir()) { ++ my ($perm) = (stat($fh))[2]; ++ $perm &= 07777; ++ eval { $fchmod_supported = chmod( $perm, $fh); }; ++} ++ + # first check for stupid permissions second for full, so we clean up + # behind ourselves + for my $perm (0111,0777) { +@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check"); + + is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef"); + +-$dir = catdir($tmp_base,'G'); +-$dir = VMS::Filespec::unixify($dir) if $Is_VMS; ++SKIP: { ++ skip "fchmod of directories not supported on this platform", 3 unless 
$fchmod_supported; ++ $dir = catdir($tmp_base,'G'); ++ $dir = VMS::Filespec::unixify($dir) if $Is_VMS; + +-@created = mkpath($dir, undef, 0200); ++ @created = mkpath($dir, undef, 0400); + +-is(scalar(@created), 1, "created write-only dir"); ++ is(scalar(@created), 1, "created read-only dir"); + +-is($created[0], $dir, "created write-only directory cross-check"); ++ is($created[0], $dir, "created read-only directory cross-check"); + +-is(rmtree($dir), 1, "removed write-only dir"); ++ is(rmtree($dir), 1, "removed read-only dir"); ++} + + # borderline new-style heuristics + if (chdir $tmp_base) { +@@ -450,26 +460,28 @@ SKIP: { + } + + SKIP : { +- my $skip_count = 19; ++ my $skip_count = 18; + # this test will fail on Windows, as per: + # http://perldoc.perl.org/perlport.html#chmod + + skip "Windows chmod test skipped", $skip_count + if $^O eq 'MSWin32'; ++ skip "fchmod() on directories is not supported on this platform", $skip_count ++ unless $fchmod_supported; + my $mode; + my $octal_mode; + my @inputs = ( +- 0777, 0700, 0070, 0007, +- 0333, 0300, 0030, 0003, +- 0111, 0100, 0010, 0001, +- 0731, 0713, 0317, 0371, 0173, 0137, +- 00 ); ++ 0777, 0700, 0470, 0407, ++ 0433, 0400, 0430, 0403, ++ 0111, 0100, 0110, 0101, ++ 0731, 0713, 0317, 0371, ++ 0173, 0137); + my $input; + my $octal_input; +- $dir = catdir($tmp_base, 'chmod_test'); + + foreach (@inputs) { + $input = $_; ++ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input)); + # We can skip from here because 0 is last in the list. + skip "Mode of 0 means assume user defaults on VMS", 1 + if ($input == 0 && $Is_VMS); diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index e56c80609..6da4bb13f 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -51,6 +51,7 @@ ;; Yeah, Perl... It is required early in the bootstrap process by Linux. (package (name "perl") + (replacement perl/fixed) (version "5.24.0") (source (origin (method url-fetch) 
@@ -147,6 +148,18 @@ (home-page "http://www.perl.org/") (license gpl1+))) ; or "Artistic" +(define perl/fixed + (package + (inherit perl) + (replacement #f) + (source + (origin + (inherit (package-source perl)) + (patches + (append + (origin-patches (package-source perl)) + (search-patches "perl-file-path-CVE-2017-6512.patch"))))))) + (define-public perl-algorithm-c3 (package (name "perl-algorithm-c3") -- 2.13.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
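Review bot: In the gnu/local.mk hunk the new perl-file-path-CVE-2017-6512.patch entry is inserted ahead of perl-autosplit-default-time.patch and perl-deterministic-ordering.patch, while the neighbouring entries are in alphabetical order. Move it to just before perl-finance-quote-unuse-mozilla-ca.patch so that dist_patch_DATA stays sorted.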
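Review bot: In the _rmtree hunk of cpan/File-Path/lib/File/Path.pm, the permission loosening now sits entirely inside `if (open($root_fh, '<', $root))`, so when that open fails the chmod is skipped silently and the code goes straight on to chdir($root). The Path.t hunks replace the write-only 0200 case with 0400, which suggests that directories which cannot be opened for reading are no longer handled; state that behaviour change in the patch header, which currently only mentions fchmod() support. Also, a mismatch of $fh_dev/$fh_inode against $ldev/$lino skips the chmod without calling _error, and nothing in the visible lines reports it; a one-line comment saying where that case is caught would help.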
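Review bot: In the chmod SKIP block of cpan/File-Path/t/Path.t, 00 is dropped from @inputs, yet the context lines keep the comment "We can skip from here because 0 is last in the list." and the `$input == 0 && $Is_VMS` skip, which can no longer trigger. Remove both along with the list entry. In the new $fchmod_supported probe near the top of the file, `open my $fh, curdir()` is a two-argument open; use the three-argument form with '<', as the Path.pm hunk does.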
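Review bot: The gnu/packages/perl.scm hunks add `(replacement perl/fixed)` and the perl/fixed definition without any comment. The patch it applies says in its header that it was adapted to the copy of File::Path in Perl 5.24.0, so add a short comment next to the field naming CVE-2017-6512 and saying that the replacement is to be dropped once the perl package itself carries the fix or moves to a newer version.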
* bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path.
From: Ludovic Courtès @ 2017-06-06 23:18 UTC
To: Leo Famulari; +Cc: 27263

Leo Famulari <leo@famulari.name> wrote:

> * gnu/packages/perl.scm (perl)[replacement]: New field.
> (perl/fixed): New variable.
> * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

OK too.

I suppose we’ll have to apply it in core-updates too, right?

Thank you!

Ludo’.

* bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path.
From: Leo Famulari @ 2017-06-07 15:40 UTC
To: Ludovic Courtès; +Cc: 27263

On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> wrote:
>
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl/fixed): New variable.
> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> OK too.
>
> I suppose we’ll have to apply it in core-updates too, right?

Yes, I'm working on this today.

* bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path.
From: Leo Famulari @ 2017-06-07 16:17 UTC
To: Ludovic Courtès; +Cc: 27263-done

On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> wrote:
>
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl/fixed): New variable.
> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> OK too.
>
> I suppose we’ll have to apply it in core-updates too, right?

And, done as c67d587f94173fd42d65097165afc5c512935646.

I tested that this packaging of Perl 5.26.0 builds on master, then I
"ported" the package to core-updates. I don't have the resources to
build the Perl package on core-updates in a timely manner.

* bug#27263: [PATCH 2/2] gnu: perl: Fix CVE-2017-6512 in File::Path.
From: Ludovic Courtès @ 2017-06-08 12:07 UTC
To: Leo Famulari; +Cc: 27263-done

Leo Famulari <leo@famulari.name> wrote:

> On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> wrote:
>>
>> > * gnu/packages/perl.scm (perl)[replacement]: New field.
>> > (perl/fixed): New variable.
>> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
>> > * gnu/local.mk (dist_patch_DATA): Add it.
>>
>> OK too.
>>
>> I suppose we’ll have to apply it in core-updates too, right?
>
> And, done as c67d587f94173fd42d65097165afc5c512935646.

Great!

> I tested that this packaging of Perl 5.26.0 builds on master, then I
> "ported" the package to core-updates. I don't have the resources to
> build the Perl package on core-updates in a timely manner.

That’s a reasonable approach. We’ll let Hydra build it anyway and adjust
if needed.

Thank you!

Ludo’.

* bug#27263: [PATCH 1/2] gnu: perl-file-path: Update to 2.13.
From: Ludovic Courtès @ 2017-06-06 23:16 UTC
To: Leo Famulari; +Cc: 27263

Leo Famulari <leo@famulari.name> wrote:

> This fixes CVE-2017-6512.
>
> * gnu/packages/perl.scm (perl-file-path): Update to 2.13.

OK.

* bug#27263: Perl CVE-2017-6512
From: Marius Bakke @ 2017-06-06 18:53 UTC
To: Leo Famulari, 27263

Leo Famulari <leo@famulari.name> writes:

> These patches fix CVE-2017-6512 in perl-file-path and the copy of
> File::Path in perl itself.

LGTM.