-
Notifications
You must be signed in to change notification settings - Fork 695
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
main/perl: security fix (CVE-2018-12015)
Fixes #8982
- Loading branch information
Showing
2 changed files
with
47 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,7 @@ | |
| # Contributor: Valery Kartel <[email protected]> | ||
| pkgname=perl | ||
| pkgver=5.26.2 | ||
| pkgrel=0 | ||
| pkgrel=1 | ||
| pkgdesc="Larry Wall's Practical Extraction and Report Language" | ||
| url="http://www.perl.org/" | ||
| arch="all" | ||
|
|
@@ -14,9 +14,12 @@ depends_dev="perl-utils" | |
| makedepends="bzip2-dev zlib-dev" | ||
| subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl" | ||
| source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz | ||
| CVE-2018-12015.patch | ||
| " | ||
|
|
||
| # secfixes: | ||
| # 5.26.2-r1: | ||
| # - CVE-2018-12015 | ||
| # 5.26.2-r0: | ||
| # - CVE-2018-6797 | ||
| # - CVE-2018-6798 | ||
|
|
@@ -152,4 +155,5 @@ utils() { | |
| done | ||
| } | ||
|
|
||
| sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564 perl-5.26.2.tar.gz" | ||
| sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564 perl-5.26.2.tar.gz | ||
| feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001 | ||
| From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> | ||
| Date: Fri, 8 Jun 2018 11:45:40 +0100 | ||
| Subject: [PATCH] [PATCH] Remove existing files before overwriting them | ||
|
|
||
| Archive should extract only the latest same-named entry. | ||
| Extracted regular file should not be writtent into existing block | ||
| device (or any other one). | ||
|
|
||
| https://rt.cpan.org/Ticket/Display.html?id=125523 | ||
|
|
||
| Signed-off-by: Chris 'BinGOs' Williams <[email protected]> | ||
| --- | ||
| lib/Archive/Tar.pm | 14 ++++++++++++++ | ||
| 1 file changed, 14 insertions(+) | ||
|
|
||
| diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm | ||
| index 6244369..a83975f 100644 | ||
| --- a/cpan/Archive-Tar/lib/Archive/Tar.pm | ||
| +++ b/cpan/Archive-Tar/lib/Archive/Tar.pm | ||
| @@ -845,6 +845,20 @@ sub _extract_file { | ||
| return; | ||
| } | ||
|
|
||
| + ### If a file system already contains a block device with the same name as | ||
| + ### the being extracted regular file, we would write the file's content | ||
| + ### to the block device. So remove the existing file (block device) now. | ||
| + ### If an archive contains multiple same-named entries, the last one | ||
| + ### should replace the previous ones. So remove the old file now. | ||
| + ### If the old entry is a symlink to a file outside of the CWD, the new | ||
| + ### entry would create a file there. This is CVE-2018-12015 | ||
| + ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. | ||
| + if (-l $full || -e _) { | ||
| + if (!unlink $full) { | ||
| + $self->_error( qq[Could not remove old file '$full': $!] ); | ||
| + return; | ||
| + } | ||
| + } | ||
| if( length $entry->type && $entry->is_file ) { | ||
| my $fh = IO::File->new; | ||
| $fh->open( $full, '>' ) or ( |