main/perl: security fix (CVE-2018-12015)

Fixes #8983

main/perl: security fix (CVE-2018-12015)
Fixes #8983
d824c74b · Leonardo Arena · 07d81b1f · d824c74b · d824c74b
Commit d824c74b authored Jun 13, 2018 by Leonardo Arena
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 2 deletions

main/perl/APKBUILD main/perl/APKBUILD +6 -2

main/perl/CVE-2018-12015.patch main/perl/CVE-2018-12015.patch +41 -0

No files found.
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=perl
 pkgver=5.26.2
-pkgrel=0
+pkgrel=1
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url="http://www.perl.org/"
 arch="all"
@@ -14,10 +14,13 @@ depends_dev="perl-utils"
 makedepends="bzip2-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"
 source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
+	CVE-2018-12015.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"

 # secfixes:
+#   5.26.2-r1:
+#     - CVE-2018-12015
 #   5.26.2-r0:
 #     - CVE-2018-6797
 #     - CVE-2018-6798
@@ -151,4 +154,5 @@ utils() {
 	done
 }

-sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564  perl-5.26.2.tar.gz"
+sha512sums="166d767f748a911b969fc8008069f087927cbdd9ee21b375b31e5feb5afc2be8d80d68f8c291accee6fdf3be90e9dc2fc870cb9c0bd1cc68c6e001e4ed38d564  perl-5.26.2.tar.gz
+feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916  CVE-2018-12015.patch"
--- a/main/perl/CVE-2018-12015.patch
+++ b/main/perl/CVE-2018-12015.patch
+From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Jun 2018 11:45:40 +0100
+Subject: [PATCH] [PATCH] Remove existing files before overwriting them
+
+Archive should extract only the latest same-named entry.
+Extracted regular file should not be writtent into existing block
+device (or any other one).
+
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+---
+ lib/Archive/Tar.pm | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
+    ### If a file system already contains a block device with the same name as
+    ### the being extracted regular file, we would write the file's content
+    ### to the block device. So remove the existing file (block device) now.
+    ### If an archive contains multiple same-named entries, the last one
+    ### should replace the previous ones. So remove the old file now.
+    ### If the old entry is a symlink to a file outside of the CWD, the new
+    ### entry would create a file there. This is CVE-2018-12015
+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+    if (-l $full || -e _) {
+	if (!unlink $full) {
+	    $self->_error( qq[Could not remove old file '$full': $!] );
+	    return;
+	}
+    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (