* [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
@ 2018-06-12 9:25 Marius Bakke
2018-06-12 19:39 ` Ludovic Courtès
0 siblings, 1 reply; 3+ messages in thread
From: Marius Bakke @ 2018-06-12 9:25 UTC (permalink / raw)
To: 31797
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
---
gnu/local.mk | 1 +
.../perl-archive-tar-CVE-2018-12015.patch | 36 +++++++++++++++++++
gnu/packages/perl.scm | 2 ++
3 files changed, 39 insertions(+)
create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 7fa7e7d81..cd7861da9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -990,6 +990,7 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/perf-gcc-ice.patch \
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
+ %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 000000000..6460cf585
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+ return;
+ }
+
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 2d2bb62a7..93b1a3f67 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -170,6 +170,8 @@
(inherit (package-source perl))
(uri (string-append "mirror://cpan/src/5.0/perl-"
version ".tar.gz"))
+ (patches (append (origin-patches (package-source perl))
+ (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
(sha256
(base32
"03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
2018-06-12 9:25 [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015 Marius Bakke
@ 2018-06-12 19:39 ` Ludovic Courtès
2018-06-16 19:38 ` Marius Bakke
0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2018-06-12 19:39 UTC (permalink / raw)
To: Marius Bakke; +Cc: 31797
Hello Marius,
Marius Bakke <mbakke@fastmail.com> skribis:
> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
LGTM. Thanks for taking care of it!
I wonder if it’s an option to remove some of the bundled libraries that
come with Perl, or whether packages rely of them as part of Perl proper.
Ludo’.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
2018-06-12 19:39 ` Ludovic Courtès
@ 2018-06-16 19:38 ` Marius Bakke
0 siblings, 0 replies; 3+ messages in thread
From: Marius Bakke @ 2018-06-16 19:38 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 31797
[-- Attachment #1: Type: text/plain, Size: 552 bytes --]
ludo@gnu.org (Ludovic Courtès) writes:
> Hello Marius,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
>
> LGTM. Thanks for taking care of it!
Excellent, pushed!
> I wonder if it’s an option to remove some of the bundled libraries that
> come with Perl, or whether packages rely of them as part of Perl proper.
That would be great.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-06-16 19:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-12 9:25 [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015 Marius Bakke
2018-06-12 19:39 ` Ludovic Courtès
2018-06-16 19:38 ` Marius Bakke
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).