diff --git a/gnu/local.mk b/gnu/local.mk index 80e2a43868..41a10f5916 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1001,8 +1001,6 @@ dist_patch_DATA = \ %D%/packages/patches/patchutils-xfail-gendiff-tests.patch \ %D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/perf-gcc-ice.patch \ - %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch \ - %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch deleted file mode 100644 index 6460cf5855..0000000000 --- a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch +++ /dev/null @@ -1,36 +0,0 @@ -Fix CVE-2018-12015: - -https://security-tracker.debian.org/tracker/CVE-2018-12015 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015 -https://rt.cpan.org/Ticket/Display.html?id=125523 - -Patch taken from this upstream commit and adapted to apply to -the bundled copy in the Perl distribution: - -https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 - -diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm -index 6244369..a83975f 100644 ---- a/cpan/Archive-Tar/lib/Archive/Tar.pm -+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm -@@ -845,6 +845,20 @@ sub _extract_file { - return; - } - -+ ### If a file system already contains a block device with the same name as -+ ### the being extracted regular file, we would write the file's content -+ ### to the block device. So remove the existing file (block device) now. -+ ### If an archive contains multiple same-named entries, the last one -+ ### should replace the previous ones. So remove the old file now. -+ ### If the old entry is a symlink to a file outside of the CWD, the new -+ ### entry would create a file there. This is CVE-2018-12015 -+ ### . -+ if (-l $full || -e _) { -+ if (!unlink $full) { -+ $self->_error( qq[Could not remove old file '$full': $!] ); -+ return; -+ } -+ } - if( length $entry->type && $entry->is_file ) { - my $fh = IO::File->new; - $fh->open( $full, '>' ) or ( diff --git a/gnu/packages/patches/perl-deterministic-ordering.patch b/gnu/packages/patches/perl-deterministic-ordering.patch index 92e33ef135..be63d5cde3 100644 --- a/gnu/packages/patches/perl-deterministic-ordering.patch +++ b/gnu/packages/patches/perl-deterministic-ordering.patch @@ -12,10 +12,10 @@ reproducibility. cpan/Devel-PPPort/PPPort_xs.PL | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL +diff --git a/dist/Devel-PPPort/PPPort_xs.PL b/dist/Devel-PPPort/PPPort_xs.PL index 5f18940..149f2fe 100644 ---- a/cpan/Devel-PPPort/PPPort_xs.PL -+++ b/cpan/Devel-PPPort/PPPort_xs.PL +--- a/dist/Devel-PPPort/PPPort_xs.PL ++++ b/dist/Devel-PPPort/PPPort_xs.PL @@ -38,7 +38,7 @@ END my $file; my $sec; diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch deleted file mode 100644 index 28ab067599..0000000000 --- a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch +++ /dev/null @@ -1,173 +0,0 @@ -Fix CVE-2017-6512: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512 -https://rt.cpan.org/Public/Bug/Display.html?id=121951 - -Patch copied from Debian, adapted to apply to the copy of File::Path in Perl -5.24.0. - -https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2 -https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3 - -From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001 -From: John Lightsey -Date: Tue, 2 May 2017 12:03:52 -0500 -Subject: Prevent directory chmod race attack. - -CVE-2017-6512 is a race condition attack where the chmod() of directories -that cannot be entered is misused to change the permissions on other -files or directories on the system. This has been corrected by limiting -the directory-permission loosening logic to systems where fchmod() is -supported. - -[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by -Dominic Hargreaves for Debian.] - -Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951 -Bug-Debian: https://bugs.debian.org/863870 -Patch-Name: fixes/file_path_chmod_race.diff ---- - cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++-------------- - cpan/File-Path/t/Path.t | 40 ++++++++++++++++++++++++++-------------- - 2 files changed, 51 insertions(+), 28 deletions(-) - -diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm -index 034da1e..a824cc8 100644 ---- a/cpan/File-Path/lib/File/Path.pm -+++ b/cpan/File-Path/lib/File/Path.pm -@@ -354,21 +354,32 @@ sub _rmtree { - - # see if we can escalate privileges to get in - # (e.g. funny protection mask such as -w- instead of rwx) -- $perm &= oct '7777'; -- my $nperm = $perm | oct '700'; -- if ( -- !( -- $arg->{safe} -- or $nperm == $perm -- or chmod( $nperm, $root ) -- ) -- ) -- { -- _error( $arg, -- "cannot make child directory read-write-exec", $canon ); -- next ROOT_DIR; -+ # This uses fchmod to avoid traversing outside of the proper -+ # location (CVE-2017-6512) -+ my $root_fh; -+ if (open($root_fh, '<', $root)) { -+ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1]; -+ $perm &= oct '7777'; -+ my $nperm = $perm | oct '700'; -+ local $@; -+ if ( -+ !( -+ $arg->{safe} -+ or $nperm == $perm -+ or !-d _ -+ or $fh_dev ne $ldev -+ or $fh_inode ne $lino -+ or eval { chmod( $nperm, $root_fh ) } -+ ) -+ ) -+ { -+ _error( $arg, -+ "cannot make child directory read-write-exec", $canon ); -+ next ROOT_DIR; -+ } -+ close $root_fh; - } -- elsif ( !chdir($root) ) { -+ if ( !chdir($root) ) { - _error( $arg, "cannot chdir to child", $canon ); - next ROOT_DIR; - } -diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t -index ff52fd6..956ca09 100644 ---- a/cpan/File-Path/t/Path.t -+++ b/cpan/File-Path/t/Path.t -@@ -3,7 +3,7 @@ - - use strict; - --use Test::More tests => 127; -+use Test::More tests => 126; - use Config; - use Fcntl ':mode'; - use lib 't/'; -@@ -18,6 +18,13 @@ BEGIN { - - my $Is_VMS = $^O eq 'VMS'; - -+my $fchmod_supported = 0; -+if (open my $fh, curdir()) { -+ my ($perm) = (stat($fh))[2]; -+ $perm &= 07777; -+ eval { $fchmod_supported = chmod( $perm, $fh); }; -+} -+ - # first check for stupid permissions second for full, so we clean up - # behind ourselves - for my $perm (0111,0777) { -@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check"); - - is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef"); - --$dir = catdir($tmp_base,'G'); --$dir = VMS::Filespec::unixify($dir) if $Is_VMS; -+SKIP: { -+ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported; -+ $dir = catdir($tmp_base,'G'); -+ $dir = VMS::Filespec::unixify($dir) if $Is_VMS; - --@created = mkpath($dir, undef, 0200); -+ @created = mkpath($dir, undef, 0400); - --is(scalar(@created), 1, "created write-only dir"); -+ is(scalar(@created), 1, "created read-only dir"); - --is($created[0], $dir, "created write-only directory cross-check"); -+ is($created[0], $dir, "created read-only directory cross-check"); - --is(rmtree($dir), 1, "removed write-only dir"); -+ is(rmtree($dir), 1, "removed read-only dir"); -+} - - # borderline new-style heuristics - if (chdir $tmp_base) { -@@ -450,26 +460,28 @@ SKIP: { - } - - SKIP : { -- my $skip_count = 19; -+ my $skip_count = 18; - # this test will fail on Windows, as per: - # http://perldoc.perl.org/perlport.html#chmod - - skip "Windows chmod test skipped", $skip_count - if $^O eq 'MSWin32'; -+ skip "fchmod() on directories is not supported on this platform", $skip_count -+ unless $fchmod_supported; - my $mode; - my $octal_mode; - my @inputs = ( -- 0777, 0700, 0070, 0007, -- 0333, 0300, 0030, 0003, -- 0111, 0100, 0010, 0001, -- 0731, 0713, 0317, 0371, 0173, 0137, -- 00 ); -+ 0777, 0700, 0470, 0407, -+ 0433, 0400, 0430, 0403, -+ 0111, 0100, 0110, 0101, -+ 0731, 0713, 0317, 0371, -+ 0173, 0137); - my $input; - my $octal_input; -- $dir = catdir($tmp_base, 'chmod_test'); - - foreach (@inputs) { - $input = $_; -+ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input)); - # We can skip from here because 0 is last in the list. - skip "Mode of 0 means assume user defaults on VMS", 1 - if ($input == 0 && $Is_VMS); diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index 27b49e6652..3eb5b1eacf 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -61,18 +61,16 @@ ;; Yeah, Perl... It is required early in the bootstrap process by Linux. (package (name "perl") - (version "5.26.2") + (version "5.28.0") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/src/5.0/perl-" version ".tar.gz")) (sha256 (base32 - "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp")) + "1a3f822lcl8dr8v0hk80yyhpzqlljg49z9flb48rs3nbsij9z4ky")) (patches (search-patches - "perl-file-path-CVE-2017-6512.patch" "perl-no-sys-dirs.patch" - "perl-archive-tar-CVE-2018-12015.patch" "perl-autosplit-default-time.patch" "perl-deterministic-ordering.patch" "perl-reproducible-build-date.patch"))))