nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

gnu: perl: Update to 5.28.0. 

* gnu/packages/patches/perl-deterministic-ordering.patch: Adjust path.
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch,
gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/perl.scm (perl): Update to 5.28.0.
[source](patches): Remove obsolete.
This commit is contained in:
Marius Bakke 2018-07-19 00:21:02 +02:00
parent 1d3de97967
commit f94a8654d6
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
5 changed files with 5 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gnu/local.mk
View File

@ -1001,8 +1001,6 @@ dist_patch_DATA = \
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/perf-gcc-ice.patch \
%D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \

36
gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
View File

@ -1,36 +0,0 @@
Fix CVE-2018-12015:
https://security-tracker.debian.org/tracker/CVE-2018-12015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
https://rt.cpan.org/Ticket/Display.html?id=125523
Patch taken from this upstream commit and adapted to apply to
the bundled copy in the Perl distribution:
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
index 6244369..a83975f 100644
--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
@@ -845,6 +845,20 @@ sub _extract_file {
return;
}
+ ### If a file system already contains a block device with the same name as
+ ### the being extracted regular file, we would write the file's content
+ ### to the block device. So remove the existing file (block device) now.
+ ### If an archive contains multiple same-named entries, the last one
+ ### should replace the previous ones. So remove the old file now.
+ ### If the old entry is a symlink to a file outside of the CWD, the new
+ ### entry would create a file there. This is CVE-2018-12015
+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+ if (-l $full || -e _) {
+ if (!unlink $full) {
+ $self->_error( qq[Could not remove old file '$full': $!] );
+ return;
+ }
+ }
if( length $entry->type && $entry->is_file ) {
my $fh = IO::File->new;
$fh->open( $full, '>' ) or (

6
gnu/packages/patches/perl-deterministic-ordering.patch
View File

@ -12,10 +12,10 @@ reproducibility.
cpan/Devel-PPPort/PPPort_xs.PL | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL
diff --git a/dist/Devel-PPPort/PPPort_xs.PL b/dist/Devel-PPPort/PPPort_xs.PL
index 5f18940..149f2fe 100644
--- a/cpan/Devel-PPPort/PPPort_xs.PL
+++ b/cpan/Devel-PPPort/PPPort_xs.PL
--- a/dist/Devel-PPPort/PPPort_xs.PL
+++ b/dist/Devel-PPPort/PPPort_xs.PL
@@ -38,7 +38,7 @@ END
my $file;
my $sec;

173
gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
View File

@ -1,173 +0,0 @@
Fix CVE-2017-6512:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
https://rt.cpan.org/Public/Bug/Display.html?id=121951
Patch copied from Debian, adapted to apply to the copy of File::Path in Perl
5.24.0.
https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001
From: John Lightsey <john@nixnuts.net>
Date: Tue, 2 May 2017 12:03:52 -0500
Subject: Prevent directory chmod race attack.
CVE-2017-6512 is a race condition attack where the chmod() of directories
that cannot be entered is misused to change the permissions on other
files or directories on the system. This has been corrected by limiting
the directory-permission loosening logic to systems where fchmod() is
supported.
[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by
Dominic Hargreaves for Debian.]
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951
Bug-Debian: https://bugs.debian.org/863870
Patch-Name: fixes/file_path_chmod_race.diff
---
cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
cpan/File-Path/t/Path.t | 40 ++++++++++++++++++++++++++--------------
2 files changed, 51 insertions(+), 28 deletions(-)
diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm
index 034da1e..a824cc8 100644
--- a/cpan/File-Path/lib/File/Path.pm
+++ b/cpan/File-Path/lib/File/Path.pm
@@ -354,21 +354,32 @@ sub _rmtree {
# see if we can escalate privileges to get in
# (e.g. funny protection mask such as -w- instead of rwx)
- $perm &= oct '7777';
- my $nperm = $perm | oct '700';
- if (
- !(
- $arg->{safe}
- or $nperm == $perm
- or chmod( $nperm, $root )
- )
- )
- {
- _error( $arg,
- "cannot make child directory read-write-exec", $canon );
- next ROOT_DIR;
+ # This uses fchmod to avoid traversing outside of the proper
+ # location (CVE-2017-6512)
+ my $root_fh;
+ if (open($root_fh, '<', $root)) {
+ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
+ $perm &= oct '7777';
+ my $nperm = $perm | oct '700';
+ local $@;
+ if (
+ !(
+ $arg->{safe}
+ or $nperm == $perm
+ or !-d _
+ or $fh_dev ne $ldev
+ or $fh_inode ne $lino
+ or eval { chmod( $nperm, $root_fh ) }
+ )
+ )
+ {
+ _error( $arg,
+ "cannot make child directory read-write-exec", $canon );
+ next ROOT_DIR;
+ }
+ close $root_fh;
}
- elsif ( !chdir($root) ) {
+ if ( !chdir($root) ) {
_error( $arg, "cannot chdir to child", $canon );
next ROOT_DIR;
}
diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t
index ff52fd6..956ca09 100644
--- a/cpan/File-Path/t/Path.t
+++ b/cpan/File-Path/t/Path.t
@@ -3,7 +3,7 @@
use strict;
-use Test::More tests => 127;
+use Test::More tests => 126;
use Config;
use Fcntl ':mode';
use lib 't/';
@@ -18,6 +18,13 @@ BEGIN {
my $Is_VMS = $^O eq 'VMS';
+my $fchmod_supported = 0;
+if (open my $fh, curdir()) {
+ my ($perm) = (stat($fh))[2];
+ $perm &= 07777;
+ eval { $fchmod_supported = chmod( $perm, $fh); };
+}
+
# first check for stupid permissions second for full, so we clean up
# behind ourselves
for my $perm (0111,0777) {
@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
-$dir = catdir($tmp_base,'G');
-$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
+SKIP: {
+ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
+ $dir = catdir($tmp_base,'G');
+ $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-@created = mkpath($dir, undef, 0200);
+ @created = mkpath($dir, undef, 0400);
-is(scalar(@created), 1, "created write-only dir");
+ is(scalar(@created), 1, "created read-only dir");
-is($created[0], $dir, "created write-only directory cross-check");
+ is($created[0], $dir, "created read-only directory cross-check");
-is(rmtree($dir), 1, "removed write-only dir");
+ is(rmtree($dir), 1, "removed read-only dir");
+}
# borderline new-style heuristics
if (chdir $tmp_base) {
@@ -450,26 +460,28 @@ SKIP: {
}
SKIP : {
- my $skip_count = 19;
+ my $skip_count = 18;
# this test will fail on Windows, as per:
# http://perldoc.perl.org/perlport.html#chmod
skip "Windows chmod test skipped", $skip_count
if $^O eq 'MSWin32';
+ skip "fchmod() on directories is not supported on this platform", $skip_count
+ unless $fchmod_supported;
my $mode;
my $octal_mode;
my @inputs = (
- 0777, 0700, 0070, 0007,
- 0333, 0300, 0030, 0003,
- 0111, 0100, 0010, 0001,
- 0731, 0713, 0317, 0371, 0173, 0137,
- 00 );
+ 0777, 0700, 0470, 0407,
+ 0433, 0400, 0430, 0403,
+ 0111, 0100, 0110, 0101,
+ 0731, 0713, 0317, 0371,
+ 0173, 0137);
my $input;
my $octal_input;
- $dir = catdir($tmp_base, 'chmod_test');
foreach (@inputs) {
$input = $_;
+ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
# We can skip from here because 0 is last in the list.
skip "Mode of 0 means assume user defaults on VMS", 1
if ($input == 0 && $Is_VMS);

6
gnu/packages/perl.scm
View File

@ -61,18 +61,16 @@
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package
(name "perl")
(version "5.26.2")
(version "5.28.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://cpan/src/5.0/perl-"
version ".tar.gz"))
(sha256
(base32
"03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))
"1a3f822lcl8dr8v0hk80yyhpzqlljg49z9flb48rs3nbsij9z4ky"))
(patches (search-patches
"perl-file-path-CVE-2017-6512.patch"
"perl-no-sys-dirs.patch"
"perl-archive-tar-CVE-2018-12015.patch"
"perl-autosplit-default-time.patch"
"perl-deterministic-ordering.patch"
"perl-reproducible-build-date.patch"))))