37 lines
1.5 KiB
Diff
37 lines
1.5 KiB
Diff
Fix CVE-2018-12015:
|
|
|
|
https://security-tracker.debian.org/tracker/CVE-2018-12015
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
|
|
https://rt.cpan.org/Ticket/Display.html?id=125523
|
|
|
|
Patch taken from this upstream commit and adapted to apply to
|
|
the bundled copy in the Perl distribution:
|
|
|
|
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
|
|
|
|
diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
|
|
index 6244369..a83975f 100644
|
|
--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
|
|
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
|
|
@@ -845,6 +845,20 @@ sub _extract_file {
|
|
return;
|
|
}
|
|
|
|
+ ### If a file system already contains a block device with the same name as
|
|
+ ### the being extracted regular file, we would write the file's content
|
|
+ ### to the block device. So remove the existing file (block device) now.
|
|
+ ### If an archive contains multiple same-named entries, the last one
|
|
+ ### should replace the previous ones. So remove the old file now.
|
|
+ ### If the old entry is a symlink to a file outside of the CWD, the new
|
|
+ ### entry would create a file there. This is CVE-2018-12015
|
|
+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
|
|
+ if (-l $full || -e _) {
|
|
+ if (!unlink $full) {
|
|
+ $self->_error( qq[Could not remove old file '$full': $!] );
|
|
+ return;
|
|
+ }
|
|
+ }
|
|
if( length $entry->type && $entry->is_file ) {
|
|
my $fh = IO::File->new;
|
|
$fh->open( $full, '>' ) or (
|