main/perl: security fix (CVE-2018-12015)

Fixes #8984
author: Leonardo Arena <rnalrd@alpinelinux.org> 2018-06-13 12:08:22 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-07-30 10:59:08 +0200
commit: ebf7fcd2b328ba5b15db2785fa1d46599fbc330f (patch)
tree: 351cc1c29f4eda0fa9686cf6ec482ede01975c62
parent: 602d91945a5a2a9e239d0dd0d65f7d8219105767 (diff)
download: alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.bz2
alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.xz
alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.zip
2 files changed, 47 insertions, 2 deletions
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 0e96380368..71f61d19ec 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=perl
 pkgver=5.24.4
-pkgrel=0
+pkgrel=1
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url="http://www.perl.org/"
 arch="all"
@@ -14,9 +14,12 @@ depends_dev="perl-utils"
 makedepends="bzip2-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"
 source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
+        CVE-2018-12015.patch
        "
 # secfixes:
+#   5.24.4-r1:
+#     - CVE-2018-12015
 #   5.24.3-r0:
 #     - CVE-2017-12837
 #     - CVE-2017-12883
@@ -136,4 +139,5 @@ utils() {
        done
 }
-sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b  perl-5.24.4.tar.gz"
+sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b  perl-5.24.4.tar.gz
+feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916  CVE-2018-12015.patch"
diff --git a/main/perl/CVE-2018-12015.patch b/main/perl/CVE-2018-12015.patch
new file mode 100644
index 0000000000..47493ce5d3
--- /dev/null
+++ b/main/perl/CVE-2018-12015.patch
@@ -0,0 +1,41 @@
+From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Jun 2018 11:45:40 +0100
+Subject: [PATCH] [PATCH] Remove existing files before overwriting them
+Archive should extract only the latest same-named entry.
+Extracted regular file should not be writtent into existing block
+device (or any other one).
+https://rt.cpan.org/Ticket/Display.html?id=125523
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+---
+ lib/Archive/Tar.pm | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
+    ### If a file system already contains a block device with the same name as
+    ### the being extracted regular file, we would write the file's content
+    ### to the block device. So remove the existing file (block device) now.
+    ### If an archive contains multiple same-named entries, the last one
+    ### should replace the previous ones. So remove the old file now.
+    ### If the old entry is a symlink to a file outside of the CWD, the new
+    ### entry would create a file there. This is CVE-2018-12015
+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+    if (-l $full || -e _) {
+       if (!unlink $full) {
+           $self->_error( qq[Could not remove old file '$full': $!] );
+           return;
+       }
+    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (
author	Leonardo Arena <rnalrd@alpinelinux.org>	2018-06-13 12:08:22 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-07-30 10:59:08 +0200
commit	ebf7fcd2b328ba5b15db2785fa1d46599fbc330f (patch)
tree	351cc1c29f4eda0fa9686cf6ec482ede01975c62
parent	602d91945a5a2a9e239d0dd0d65f7d8219105767 (diff)
download	alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.bz2 alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.tar.xz alpine_aports-ebf7fcd2b328ba5b15db2785fa1d46599fbc330f.zip

diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD index 0e96380368..71f61d19ec 100644 --- a/main/perl/APKBUILD +++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
3	# Contributor: Valery Kartel <valery.kartel@gmail.com>	3	# Contributor: Valery Kartel <valery.kartel@gmail.com>
4	pkgname=perl	4	pkgname=perl
5	pkgver=5.24.4	5	pkgver=5.24.4
6	pkgrel=0	6	pkgrel=1
7	pkgdesc="Larry Wall's Practical Extraction and Report Language"	7	pkgdesc="Larry Wall's Practical Extraction and Report Language"
8	url="http://www.perl.org/"	8	url="http://www.perl.org/"
9	arch="all"	9	arch="all"
@@ -14,9 +14,12 @@ depends_dev="perl-utils"
14	makedepends="bzip2-dev zlib-dev"	14	makedepends="bzip2-dev zlib-dev"
15	subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"	15	subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"
16	source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz	16	source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
		17	CVE-2018-12015.patch
17	"	18	"
18		19
19	# secfixes:	20	# secfixes:
		21	# 5.24.4-r1:
		22	# - CVE-2018-12015
20	# 5.24.3-r0:	23	# 5.24.3-r0:
21	# - CVE-2017-12837	24	# - CVE-2017-12837
22	# - CVE-2017-12883	25	# - CVE-2017-12883
@@ -136,4 +139,5 @@ utils() {
136	done	139	done
137	}	140	}
138		141
139	sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b perl-5.24.4.tar.gz"	142	sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b perl-5.24.4.tar.gz
		143	feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch"


diff --git a/main/perl/CVE-2018-12015.patch b/main/perl/CVE-2018-12015.patch new file mode 100644 index 0000000000..47493ce5d3 --- /dev/null +++ b/main/perl/CVE-2018-12015.patch
@@ -0,0 +1,41 @@
		1	From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Fri, 8 Jun 2018 11:45:40 +0100
		4	Subject: [PATCH] [PATCH] Remove existing files before overwriting them
		5
		6	Archive should extract only the latest same-named entry.
		7	Extracted regular file should not be writtent into existing block
		8	device (or any other one).
		9
		10	https://rt.cpan.org/Ticket/Display.html?id=125523
		11
		12	Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
		13	---
		14	lib/Archive/Tar.pm \| 14 ++++++++++++++
		15	1 file changed, 14 insertions(+)
		16
		17	diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/lib/Archive/Tar.pm
		18	index 6244369..a83975f 100644
		19	--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
		20	+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
		21	@@ -845,6 +845,20 @@ sub _extract_file {
		22	return;
		23	}
		24
		25	+ ### If a file system already contains a block device with the same name as
		26	+ ### the being extracted regular file, we would write the file's content
		27	+ ### to the block device. So remove the existing file (block device) now.
		28	+ ### If an archive contains multiple same-named entries, the last one
		29	+ ### should replace the previous ones. So remove the old file now.
		30	+ ### If the old entry is a symlink to a file outside of the CWD, the new
		31	+ ### entry would create a file there. This is CVE-2018-12015
		32	+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
		33	+ if (-l $full \|\| -e _) {
		34	+ if (!unlink $full) {
		35	+ $self->_error( qq[Could not remove old file '$full': $!] );
		36	+ return;
		37	+ }
		38	+ }
		39	if( length $entry->type && $entry->is_file ) {
		40	my $fh = IO::File->new;
		41	$fh->open( $full, '>' ) or (