mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: perl: Fix CVE-2018-12015.
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
This commit is contained in:
parent
57b1dba116
commit
406c83f78d
3 changed files with 39 additions and 0 deletions
|
@ -989,6 +989,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
|
||||
%D%/packages/patches/patch-hurd-path-max.patch \
|
||||
%D%/packages/patches/perf-gcc-ice.patch \
|
||||
%D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
|
||||
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
|
||||
%D%/packages/patches/perl-autosplit-default-time.patch \
|
||||
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
|
||||
|
|
36
gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
Normal file
36
gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
Normal file
|
@ -0,0 +1,36 @@
|
|||
Fix CVE-2018-12015:
|
||||
|
||||
https://security-tracker.debian.org/tracker/CVE-2018-12015
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
|
||||
https://rt.cpan.org/Ticket/Display.html?id=125523
|
||||
|
||||
Patch taken from this upstream commit and adapted to apply to
|
||||
the bundled copy in the Perl distribution:
|
||||
|
||||
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
|
||||
|
||||
diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
|
||||
index 6244369..a83975f 100644
|
||||
--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
|
||||
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
|
||||
@@ -845,6 +845,20 @@ sub _extract_file {
|
||||
return;
|
||||
}
|
||||
|
||||
+ ### If a file system already contains a block device with the same name as
|
||||
+ ### the being extracted regular file, we would write the file's content
|
||||
+ ### to the block device. So remove the existing file (block device) now.
|
||||
+ ### If an archive contains multiple same-named entries, the last one
|
||||
+ ### should replace the previous ones. So remove the old file now.
|
||||
+ ### If the old entry is a symlink to a file outside of the CWD, the new
|
||||
+ ### entry would create a file there. This is CVE-2018-12015
|
||||
+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
|
||||
+ if (-l $full || -e _) {
|
||||
+ if (!unlink $full) {
|
||||
+ $self->_error( qq[Could not remove old file '$full': $!] );
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
if( length $entry->type && $entry->is_file ) {
|
||||
my $fh = IO::File->new;
|
||||
$fh->open( $full, '>' ) or (
|
|
@ -170,6 +170,8 @@ (define perl-5.26.2
|
|||
(inherit (package-source perl))
|
||||
(uri (string-append "mirror://cpan/src/5.0/perl-"
|
||||
version ".tar.gz"))
|
||||
(patches (append (origin-patches (package-source perl))
|
||||
(search-patches "perl-archive-tar-CVE-2018-12015.patch")))
|
||||
(sha256
|
||||
(base32
|
||||
"03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
|
||||
|
|
Loading…
Reference in a new issue