GNU bug report logs -
#31797
[PATCH] gnu: perl: Fix CVE-2018-12015.
Previous Next
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Tue, 12 Jun 2018 09:26:02 UTC
Severity: normal
Tags: fixed, patch, security
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 31797 in the body.
You can then email your comments to 31797 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org
:
bug#31797
; Package
guix-patches
.
(Tue, 12 Jun 2018 09:26:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Marius Bakke <mbakke <at> fastmail.com>
:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org
.
(Tue, 12 Jun 2018 09:26:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
---
gnu/local.mk | 1 +
.../perl-archive-tar-CVE-2018-12015.patch | 36 +++++++++++++++++++
gnu/packages/perl.scm | 2 ++
3 files changed, 39 insertions(+)
create mode 100644 gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 7fa7e7d81..cd7861da9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -990,6 +990,7 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/perf-gcc-ice.patch \
%D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
+ %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 000000000..6460cf585
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+ return;
+ }
+
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 2d2bb62a7..93b1a3f67 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -170,6 +170,8 @@
(inherit (package-source perl))
(uri (string-append "mirror://cpan/src/5.0/perl-"
version ".tar.gz"))
+ (patches (append (origin-patches (package-source perl))
+ (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
(sha256
(base32
"03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
--
2.17.1
Added tag(s) security.
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org
.
(Tue, 12 Jun 2018 19:38:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org
:
bug#31797
; Package
guix-patches
.
(Tue, 12 Jun 2018 19:41:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 31797 <at> debbugs.gnu.org (full text, mbox):
Hello Marius,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
LGTM. Thanks for taking care of it!
I wonder if it’s an option to remove some of the bundled libraries that
come with Perl, or whether packages rely of them as part of Perl proper.
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org
:
bug#31797
; Package
guix-patches
.
(Sat, 16 Jun 2018 19:39:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 31797 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
ludo <at> gnu.org (Ludovic Courtès) writes:
> Hello Marius,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
>
> LGTM. Thanks for taking care of it!
Excellent, pushed!
> I wonder if it’s an option to remove some of the bundled libraries that
> come with Perl, or whether packages rely of them as part of Perl proper.
That would be great.
[signature.asc (application/pgp-signature, inline)]
Added tag(s) fixed.
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org
.
(Sat, 16 Jun 2018 22:10:02 GMT)
Full text and
rfc822 format available.
bug closed, send any further explanations to
31797 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com>
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org
.
(Sat, 16 Jun 2018 22:10:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Mon, 16 Jul 2018 11:24:12 GMT)
Full text and
rfc822 format available.
This bug report was last modified 5 years and 283 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.