GNU bug report logs - #31797
[PATCH] gnu: perl: Fix CVE-2018-12015.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 31797 in the body.
You can then email your comments to 31797 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: perl: Fix CVE-2018-12015.
Date: Tue, 12 Jun 2018 11:25:14 +0200

* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
---
 gnu/local.mk                                  |  1 +
 .../perl-archive-tar-CVE-2018-12015.patch     | 36 +++++++++++++++++++
 gnu/packages/perl.scm                         |  2 ++
 3 files changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 7fa7e7d81..cd7861da9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -990,6 +990,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/perf-gcc-ice.patch			\
   %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
+  %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch	\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 000000000..6460cf585
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
++    ### If a file system already contains a block device with the same name as
++    ### the being extracted regular file, we would write the file's content
++    ### to the block device. So remove the existing file (block device) now.
++    ### If an archive contains multiple same-named entries, the last one
++    ### should replace the previous ones. So remove the old file now.
++    ### If the old entry is a symlink to a file outside of the CWD, the new
++    ### entry would create a file there. This is CVE-2018-12015
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++    if (-l $full || -e _) {
++	if (!unlink $full) {
++	    $self->_error( qq[Could not remove old file '$full': $!] );
++	    return;
++	}
++    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 2d2bb62a7..93b1a3f67 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -170,6 +170,8 @@
               (inherit (package-source perl))
               (uri (string-append "mirror://cpan/src/5.0/perl-"
                                   version ".tar.gz"))
+              (patches (append (origin-patches (package-source perl))
+                               (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
               (sha256
                (base32
                 "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
-- 
2.17.1

Message #10 received at 31797 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 31797 <at> debbugs.gnu.org
Subject: Re: [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
Date: Tue, 12 Jun 2018 21:39:51 +0200

Hello Marius,

Marius Bakke <mbakke <at> fastmail.com> skribis:

> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.

LGTM.  Thanks for taking care of it!

I wonder if it’s an option to remove some of the bundled libraries that
come with Perl, or whether packages rely of them as part of Perl proper.

Ludo’.

Message #13 received at 31797 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 31797 <at> debbugs.gnu.org
Subject: Re: [bug#31797] [PATCH] gnu: perl: Fix CVE-2018-12015.
Date: Sat, 16 Jun 2018 21:38:28 +0200

[Message part 1 (text/plain, inline)]

ludo <at> gnu.org (Ludovic Courtès) writes:

> Hello Marius,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
>
> LGTM.  Thanks for taking care of it!

Excellent, pushed!

> I wonder if it’s an option to remove some of the bundled libraries that
> come with Perl, or whether packages rely of them as part of Perl proper.

That would be great.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.