From 406c83f78d4c7851743bb0f82a9de02c8afa63f3 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 12 Jun 2018 11:24:29 +0200 Subject: [PATCH] gnu: perl: Fix CVE-2018-12015. * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it. --- gnu/local.mk | 1 + .../perl-archive-tar-CVE-2018-12015.patch | 36 +++++++++++++++++++ gnu/packages/perl.scm | 2 ++ 3 files changed, 39 insertions(+) create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch diff --git a/gnu/local.mk b/gnu/local.mk index d02f07031f..a1bebe0dfa 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -989,6 +989,7 @@ dist_patch_DATA = \ %D%/packages/patches/patchutils-xfail-gendiff-tests.patch \ %D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/perf-gcc-ice.patch \ + %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \ %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \ diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch new file mode 100644 index 0000000000..6460cf5855 --- /dev/null +++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch @@ -0,0 +1,36 @@ +Fix CVE-2018-12015: + +https://security-tracker.debian.org/tracker/CVE-2018-12015 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015 +https://rt.cpan.org/Ticket/Display.html?id=125523 + +Patch taken from this upstream commit and adapted to apply to +the bundled copy in the Perl distribution: + +https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm +index 6244369..a83975f 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -845,6 +845,20 @@ sub _extract_file { + return; + } + ++ ### If a file system already contains a block device with the same name as ++ ### the being extracted regular file, we would write the file's content ++ ### to the block device. So remove the existing file (block device) now. ++ ### If an archive contains multiple same-named entries, the last one ++ ### should replace the previous ones. So remove the old file now. ++ ### If the old entry is a symlink to a file outside of the CWD, the new ++ ### entry would create a file there. This is CVE-2018-12015 ++ ### . ++ if (-l $full || -e _) { ++ if (!unlink $full) { ++ $self->_error( qq[Could not remove old file '$full': $!] ); ++ return; ++ } ++ } + if( length $entry->type && $entry->is_file ) { + my $fh = IO::File->new; + $fh->open( $full, '>' ) or ( diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index 2d2bb62a78..93b1a3f672 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -170,6 +170,8 @@ (inherit (package-source perl)) (uri (string-append "mirror://cpan/src/5.0/perl-" version ".tar.gz")) + (patches (append (origin-patches (package-source perl)) + (search-patches "perl-archive-tar-CVE-2018-12015.patch"))) (sha256 (base32 "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))