[PATCH] gnu: perl: Fix CVE-2018-12015.

DoneSubmitted by Marius Bakke.
Details
2 participants
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Severity
normal
M
M
Marius Bakke wrote on 12 Jun 2018 11:25
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20180612092514.16080-1-mbakke@fastmail.com
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.* gnu/local.mk (dist_patch_DATA): Register it.* gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.--- gnu/local.mk | 1 + .../perl-archive-tar-CVE-2018-12015.patch | 36 +++++++++++++++++++ gnu/packages/perl.scm | 2 ++ 3 files changed, 39 insertions(+) create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
Toggle diff (69 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 7fa7e7d81..cd7861da9 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -990,6 +990,7 @@ dist_patch_DATA = \ %D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/perf-gcc-ice.patch \ %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \+ %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patchnew file mode 100644index 000000000..6460cf585--- /dev/null+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch@@ -0,0 +1,36 @@+Fix CVE-2018-12015:++https://security-tracker.debian.org/tracker/CVE-2018-12015+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015+https://rt.cpan.org/Ticket/Display.html?id=125523++Patch taken from this upstream commit and adapted to apply to+the bundled copy in the Perl distribution:++https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5++diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm+index 6244369..a83975f 100644+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm+@@ -845,6 +845,20 @@ sub _extract_file {+ return;+ }+ ++ ### If a file system already contains a block device with the same name as++ ### the being extracted regular file, we would write the file's content++ ### to the block device. So remove the existing file (block device) now.++ ### If an archive contains multiple same-named entries, the last one++ ### should replace the previous ones. So remove the old file now.++ ### If the old entry is a symlink to a file outside of the CWD, the new++ ### entry would create a file there. This is CVE-2018-12015++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.++ if (-l $full || -e _) {++ if (!unlink $full) {++ $self->_error( qq[Could not remove old file '$full': $!] );++ return;++ }++ }+ if( length $entry->type && $entry->is_file ) {+ my $fh = IO::File->new;+ $fh->open( $full, '>' ) or (diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scmindex 2d2bb62a7..93b1a3f67 100644--- a/gnu/packages/perl.scm+++ b/gnu/packages/perl.scm@@ -170,6 +170,8 @@ (inherit (package-source perl)) (uri (string-append "mirror://cpan/src/5.0/perl-" version ".tar.gz"))+ (patches (append (origin-patches (package-source perl))+ (search-patches "perl-archive-tar-CVE-2018-12015.patch"))) (sha256 (base32 "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))-- 2.17.1
L
L
Ludovic Courtès wrote on 12 Jun 2018 21:36
control message for bug #31797
(address . control@debbugs.gnu.org)
8736xrpzj9.fsf@gnu.org
tags 31797 security
L
L
Ludovic Courtès wrote on 12 Jun 2018 21:39
Re: [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 31797@debbugs.gnu.org)
87wov3oku0.fsf@gnu.org
Hello Marius,
Marius Bakke <mbakke@fastmail.com> skribis:
Toggle quote (4 lines)> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.> * gnu/local.mk (dist_patch_DATA): Register it.> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
LGTM. Thanks for taking care of it!
I wonder if it’s an option to remove some of the bundled libraries thatcome with Perl, or whether packages rely of them as part of Perl proper.
Ludo’.
M
M
Marius Bakke wrote on 16 Jun 2018 21:38
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 31797@debbugs.gnu.org)
87tvq2o72j.fsf@fastmail.com
ludo@gnu.org (Ludovic Courtès) writes:
Toggle quote (10 lines)> Hello Marius,>> Marius Bakke <mbakke@fastmail.com> skribis:>>> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.>> * gnu/local.mk (dist_patch_DATA): Register it.>> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.>> LGTM. Thanks for taking care of it!
Excellent, pushed!
Toggle quote (3 lines)> I wonder if it’s an option to remove some of the bundled libraries that> come with Perl, or whether packages rely of them as part of Perl proper.
That would be great.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlslZzQACgkQoqBt8qM6VPoouwf/ddU6LeCT9doAtq6t1TIyWFMPAlVJrXFImOt/urs4wPVc8bloLIKejuzopHy8LiBehh+N3fK1j89mbgAyuf82AxhqUranOyFCK86AFkS4dEH9pfUQaTjKQyMD/h2GLX42dqRAmhdcWi1anGi/ao5PJ8MrPFltxWAY9KRI2sz57xN26zLiOaYD4Y3lJ7Dke7X1KJL93ylltG+EqsEzadURzNaRzpqTDk5DJxRdutOjD0nbZ82zflL4dUpWCh43qWtgJMNmrTQt760SrDp5RfLM0NDkIFsEFkWMKPYx+0rLP/fv5e7F9aZGVlfHA2t+htGq4qCI//EocPADT57Jxcu+Yg===D8rO-----END PGP SIGNATURE-----
L
L
Ludovic Courtès wrote on 17 Jun 2018 00:09
control message for bug #31797
(address . control@debbugs.gnu.org)
87tvq2mlit.fsf@gnu.org
tags 31797 fixedclose 31797
?
Your comment

This issue is archived.

To comment on this conversation send email to 31797@debbugs.gnu.org