[PATCH] gnu: perl: Fix CVE-2018-12015.

  • Done
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal

Debbugs page

M
M
Marius Bakke wrote on 12 Jun 2018 02:25
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20180612092514.16080-1-mbakke@fastmail.com
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
---
gnu/local.mk | 1 +
.../perl-archive-tar-CVE-2018-12015.patch | 36 +++++++++++++++++++
gnu/packages/perl.scm | 2 ++
3 files changed, 39 insertions(+)
create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch

Toggle diff (69 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 7fa7e7d81..cd7861da9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -990,6 +990,7 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/perf-gcc-ice.patch \
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
+ %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 000000000..6460cf585
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+ return;
+ }
+
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 2d2bb62a7..93b1a3f67 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -170,6 +170,8 @@
(inherit (package-source perl))
(uri (string-append "mirror://cpan/src/5.0/perl-"
version ".tar.gz"))
+ (patches (append (origin-patches (package-source perl))
+ (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
(sha256
(base32
"03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
--
2.17.1
L
L
Ludovic Courtès wrote on 12 Jun 2018 12:36
control message for bug #31797
(address . control@debbugs.gnu.org)
8736xrpzj9.fsf@gnu.org
tags 31797 security
L
L
Ludovic Courtès wrote on 12 Jun 2018 12:39
Re: [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 31797@debbugs.gnu.org)
87wov3oku0.fsf@gnu.org
Hello Marius,

Marius Bakke <mbakke@fastmail.com> skribis:

Toggle quote (4 lines)
> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.

LGTM. Thanks for taking care of it!

I wonder if it’s an option to remove some of the bundled libraries that
come with Perl, or whether packages rely of them as part of Perl proper.

Ludo’.
M
M
Marius Bakke wrote on 16 Jun 2018 12:38
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 31797@debbugs.gnu.org)
87tvq2o72j.fsf@fastmail.com
ludo@gnu.org (Ludovic Courtès) writes:

Toggle quote (10 lines)
> Hello Marius,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
>
> LGTM. Thanks for taking care of it!

Excellent, pushed!

Toggle quote (3 lines)
> I wonder if it’s an option to remove some of the bundled libraries that
> come with Perl, or whether packages rely of them as part of Perl proper.

That would be great.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlslZzQACgkQoqBt8qM6
VPoouwf/ddU6LeCT9doAtq6t1TIyWFMPAlVJrXFImOt/urs4wPVc8bloLIKejuzo
pHy8LiBehh+N3fK1j89mbgAyuf82AxhqUranOyFCK86AFkS4dEH9pfUQaTjKQyMD
/h2GLX42dqRAmhdcWi1anGi/ao5PJ8MrPFltxWAY9KRI2sz57xN26zLiOaYD4Y3l
J7Dke7X1KJL93ylltG+EqsEzadURzNaRzpqTDk5DJxRdutOjD0nbZ82zflL4dUpW
Ch43qWtgJMNmrTQt760SrDp5RfLM0NDkIFsEFkWMKPYx+0rLP/fv5e7F9aZGVlfH
A2t+htGq4qCI//EocPADT57Jxcu+Yg==
=D8rO
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 16 Jun 2018 15:09
control message for bug #31797
(address . control@debbugs.gnu.org)
87tvq2mlit.fsf@gnu.org
tags 31797 fixed
close 31797
?
Your comment

This issue is archived.

To comment on this conversation send an email to 31797@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 31797
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch