diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-13 12:08:22 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 10:59:08 +0200 |
commit | ebf7fcd2b328ba5b15db2785fa1d46599fbc330f (patch) | |
tree | 351cc1c29f4eda0fa9686cf6ec482ede01975c62 | |
parent | 602d91945a5a2a9e239d0dd0d65f7d8219105767 (diff) | |
download | alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.bz2 alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.xz alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.zip |
main/perl: security fix (CVE-2018-12015)
Fixes #8984
-rw-r--r-- | main/perl/APKBUILD | 8 | ||||
-rw-r--r-- | main/perl/CVE-2018-12015.patch | 41 |
2 files changed, 47 insertions, 2 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD index 0e96380368..71f61d19ec 100644 --- a/main/perl/APKBUILD +++ b/main/perl/APKBUILD | |||
@@ -3,7 +3,7 @@ | |||
3 | # Contributor: Valery Kartel <valery.kartel@gmail.com> | 3 | # Contributor: Valery Kartel <valery.kartel@gmail.com> |
4 | pkgname=perl | 4 | pkgname=perl |
5 | pkgver=5.24.4 | 5 | pkgver=5.24.4 |
6 | pkgrel=0 | 6 | pkgrel=1 |
7 | pkgdesc="Larry Wall's Practical Extraction and Report Language" | 7 | pkgdesc="Larry Wall's Practical Extraction and Report Language" |
8 | url="http://www.perl.org/" | 8 | url="http://www.perl.org/" |
9 | arch="all" | 9 | arch="all" |
@@ -14,9 +14,12 @@ depends_dev="perl-utils" | |||
14 | makedepends="bzip2-dev zlib-dev" | 14 | makedepends="bzip2-dev zlib-dev" |
15 | subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl" | 15 | subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl" |
16 | source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz | 16 | source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz |
17 | CVE-2018-12015.patch | ||
17 | " | 18 | " |
18 | 19 | ||
19 | # secfixes: | 20 | # secfixes: |
21 | # 5.24.4-r1: | ||
22 | # - CVE-2018-12015 | ||
20 | # 5.24.3-r0: | 23 | # 5.24.3-r0: |
21 | # - CVE-2017-12837 | 24 | # - CVE-2017-12837 |
22 | # - CVE-2017-12883 | 25 | # - CVE-2017-12883 |
@@ -136,4 +139,5 @@ utils() { | |||
136 | done | 139 | done |
137 | } | 140 | } |
138 | 141 | ||
139 | sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b perl-5.24.4.tar.gz" | 142 | sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b perl-5.24.4.tar.gz |
143 | feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch" | ||
diff --git a/main/perl/CVE-2018-12015.patch b/main/perl/CVE-2018-12015.patch new file mode 100644 index 0000000000..47493ce5d3 --- /dev/null +++ b/main/perl/CVE-2018-12015.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> | ||
3 | Date: Fri, 8 Jun 2018 11:45:40 +0100 | ||
4 | Subject: [PATCH] [PATCH] Remove existing files before overwriting them | ||
5 | |||
6 | Archive should extract only the latest same-named entry. | ||
7 | Extracted regular file should not be writtent into existing block | ||
8 | device (or any other one). | ||
9 | |||
10 | https://rt.cpan.org/Ticket/Display.html?id=125523 | ||
11 | |||
12 | Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk> | ||
13 | --- | ||
14 | lib/Archive/Tar.pm | 14 ++++++++++++++ | ||
15 | 1 file changed, 14 insertions(+) | ||
16 | |||
17 | diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm | ||
18 | index 6244369..a83975f 100644 | ||
19 | --- a/cpan/Archive-Tar/lib/Archive/Tar.pm | ||
20 | +++ b/cpan/Archive-Tar/lib/Archive/Tar.pm | ||
21 | @@ -845,6 +845,20 @@ sub _extract_file { | ||
22 | return; | ||
23 | } | ||
24 | |||
25 | + ### If a file system already contains a block device with the same name as | ||
26 | + ### the being extracted regular file, we would write the file's content | ||
27 | + ### to the block device. So remove the existing file (block device) now. | ||
28 | + ### If an archive contains multiple same-named entries, the last one | ||
29 | + ### should replace the previous ones. So remove the old file now. | ||
30 | + ### If the old entry is a symlink to a file outside of the CWD, the new | ||
31 | + ### entry would create a file there. This is CVE-2018-12015 | ||
32 | + ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. | ||
33 | + if (-l $full || -e _) { | ||
34 | + if (!unlink $full) { | ||
35 | + $self->_error( qq[Could not remove old file '$full': $!] ); | ||
36 | + return; | ||
37 | + } | ||
38 | + } | ||
39 | if( length $entry->type && $entry->is_file ) { | ||
40 | my $fh = IO::File->new; | ||
41 | $fh->open( $full, '>' ) or ( | ||