diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-13 12:08:22 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-13 12:08:32 +0000 |
| commit | 599da1ef36c21d244ab85a210d2a31fe48c7a329 (patch) | |
| tree | 5b258b00912181e3390391d600491b40c9207c3a /main/perl | |
| parent | 91917558bb3e304708974776e02b2bb2cc1aa95c (diff) | |
| download | aports-599da1ef36c21d244ab85a210d2a31fe48c7a329.tar.bz2 aports-599da1ef36c21d244ab85a210d2a31fe48c7a329.tar.xz | |
main/perl: security fix (CVE-2018-12015)
Fixes #8982
Diffstat (limited to 'main/perl')
| -rw-r--r-- | main/perl/APKBUILD | 8 | ||||
| -rw-r--r-- | main/perl/CVE-2018-12015.patch | 41 |
2 files changed, 47 insertions, 2 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD index 89897040c7..77df0dc35d 100644 --- a/main/perl/APKBUILD +++ b/main/perl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> pkgname=perl pkgver=5.26.2 -pkgrel=0 +pkgrel=1 pkgdesc="Larry Wall's Practical Extraction and Report Language" url="http://www.perl.org/" arch="all" @@ -14,9 +14,12 @@ depends_dev="perl-utils" makedepends="bzip2-dev zlib-dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl" source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz + CVE-2018-12015.patch " # secfixes: +# 5.26.2-r1: +# - CVE-2018-12015 # 5.26.2-r0: # - CVE-2018-6797 # - CVE-2018-6798 @@ -152,4 +155,5 @@ utils() { done } -sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564 perl-5.26.2.tar.gz" +sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564 perl-5.26.2.tar.gz +feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch" diff --git a/main/perl/CVE-2018-12015.patch b/main/perl/CVE-2018-12015.patch new file mode 100644 index 0000000000..47493ce5d3 --- /dev/null +++ b/main/perl/CVE-2018-12015.patch @@ -0,0 +1,41 @@ +From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 8 Jun 2018 11:45:40 +0100 +Subject: [PATCH] [PATCH] Remove existing files before overwriting them + +Archive should extract only the latest same-named entry. +Extracted regular file should not be writtent into existing block +device (or any other one). + +https://rt.cpan.org/Ticket/Display.html?id=125523 + +Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk> +--- + lib/Archive/Tar.pm | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm +index 6244369..a83975f 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -845,6 +845,20 @@ sub _extract_file { + return; + } + ++ ### If a file system already contains a block device with the same name as ++ ### the being extracted regular file, we would write the file's content ++ ### to the block device. So remove the existing file (block device) now. ++ ### If an archive contains multiple same-named entries, the last one ++ ### should replace the previous ones. So remove the old file now. ++ ### If the old entry is a symlink to a file outside of the CWD, the new ++ ### entry would create a file there. This is CVE-2018-12015 ++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. ++ if (-l $full || -e _) { ++ if (!unlink $full) { ++ $self->_error( qq[Could not remove old file '$full': $!] ); ++ return; ++ } ++ } + if( length $entry->type && $entry->is_file ) { + my $fh = IO::File->new; + $fh->open( $full, '>' ) or ( |