Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch36
-rw-r--r--gnu/packages/patches/perl-deterministic-ordering.patch6
-rw-r--r--gnu/packages/patches/perl-file-path-CVE-2017-6512.patch173
-rw-r--r--gnu/packages/perl.scm6
5 files changed, 5 insertions, 218 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 80e2a43868..41a10f5916 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1001,8 +1001,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/perf-gcc-ice.patch			\
-  %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch	\
-  %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
deleted file mode 100644
index 6460cf5855..0000000000
--- a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2018-12015:
-
-https://security-tracker.debian.org/tracker/CVE-2018-12015
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
-https://rt.cpan.org/Ticket/Display.html?id=125523
-
-Patch taken from this upstream commit and adapted to apply to
-the bundled copy in the Perl distribution:
-
-https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
-
-diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
-index 6244369..a83975f 100644
---- a/cpan/Archive-Tar/lib/Archive/Tar.pm
-+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
-@@ -845,6 +845,20 @@ sub _extract_file {
-         return;
-     }
- 
-+    ### If a file system already contains a block device with the same name as
-+    ### the being extracted regular file, we would write the file's content
-+    ### to the block device. So remove the existing file (block device) now.
-+    ### If an archive contains multiple same-named entries, the last one
-+    ### should replace the previous ones. So remove the old file now.
-+    ### If the old entry is a symlink to a file outside of the CWD, the new
-+    ### entry would create a file there. This is CVE-2018-12015
-+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
-+    if (-l $full || -e _) {
-+	if (!unlink $full) {
-+	    $self->_error( qq[Could not remove old file '$full': $!] );
-+	    return;
-+	}
-+    }
-     if( length $entry->type && $entry->is_file ) {
-         my $fh = IO::File->new;
-         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/patches/perl-deterministic-ordering.patch b/gnu/packages/patches/perl-deterministic-ordering.patch
index 92e33ef135..be63d5cde3 100644
--- a/gnu/packages/patches/perl-deterministic-ordering.patch
+++ b/gnu/packages/patches/perl-deterministic-ordering.patch
@@ -12,10 +12,10 @@ reproducibility.
  cpan/Devel-PPPort/PPPort_xs.PL | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL
+diff --git a/dist/Devel-PPPort/PPPort_xs.PL b/dist/Devel-PPPort/PPPort_xs.PL
 index 5f18940..149f2fe 100644
---- a/cpan/Devel-PPPort/PPPort_xs.PL
-+++ b/cpan/Devel-PPPort/PPPort_xs.PL
+--- a/dist/Devel-PPPort/PPPort_xs.PL
++++ b/dist/Devel-PPPort/PPPort_xs.PL
 @@ -38,7 +38,7 @@ END
  my $file;
  my $sec;
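Review bot: The patch's own stat line at the top of the hunk still reads `cpan/Devel-PPPort/PPPort_xs.PL | 2 +-` while the `diff --git`, `---` and `+++` headers were moved to `dist/Devel-PPPort/PPPort_xs.PL`, so the file now describes itself inconsistently; `patch` and `git apply` ignore that stat line, so application is unaffected, but it should read ` dist/Devel-PPPort/PPPort_xs.PL | 2 +-`. The unchanged `index 5f18940..149f2fe 100644` line presumably no longer matches the blob ids of the relocated file either; it only matters for three-way apply, so either refresh it from the new tarball or drop it. The `@@ -38,7 +38,7 @@ END` hunk body continues past the end of this hunk.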
diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
deleted file mode 100644
index 28ab067599..0000000000
--- a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Fix CVE-2017-6512:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
-https://rt.cpan.org/Public/Bug/Display.html?id=121951
-
-Patch copied from Debian, adapted to apply to the copy of File::Path in Perl
-5.24.0.
-
-https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
-https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
-
-From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001
-From: John Lightsey <john@nixnuts.net>
-Date: Tue, 2 May 2017 12:03:52 -0500
-Subject: Prevent directory chmod race attack.
-
-CVE-2017-6512 is a race condition attack where the chmod() of directories
-that cannot be entered is misused to change the permissions on other
-files or directories on the system. This has been corrected by limiting
-the directory-permission loosening logic to systems where fchmod() is
-supported.
-
-[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by
-Dominic Hargreaves for Debian.]
-
-Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951
-Bug-Debian: https://bugs.debian.org/863870
-Patch-Name: fixes/file_path_chmod_race.diff
----
- cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
- cpan/File-Path/t/Path.t         | 40 ++++++++++++++++++++++++++--------------
- 2 files changed, 51 insertions(+), 28 deletions(-)
-
-diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm
-index 034da1e..a824cc8 100644
---- a/cpan/File-Path/lib/File/Path.pm
-+++ b/cpan/File-Path/lib/File/Path.pm
-@@ -354,21 +354,32 @@ sub _rmtree {
- 
-                 # see if we can escalate privileges to get in
-                 # (e.g. funny protection mask such as -w- instead of rwx)
--                $perm &= oct '7777';
--                my $nperm = $perm | oct '700';
--                if (
--                    !(
--                           $arg->{safe}
--                        or $nperm == $perm
--                        or chmod( $nperm, $root )
--                    )
--                  )
--                {
--                    _error( $arg,
--                        "cannot make child directory read-write-exec", $canon );
--                    next ROOT_DIR;
-+                # This uses fchmod to avoid traversing outside of the proper
-+                # location (CVE-2017-6512)
-+                my $root_fh;
-+                if (open($root_fh, '<', $root)) {
-+                    my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
-+                    $perm &= oct '7777';
-+                    my $nperm = $perm | oct '700';
-+                    local $@;
-+                    if (
-+                        !(
-+                            $arg->{safe}
-+                           or $nperm == $perm
-+                           or !-d _
-+                           or $fh_dev ne $ldev
-+                           or $fh_inode ne $lino
-+                           or eval { chmod( $nperm, $root_fh ) }
-+                        )
-+                      )
-+                    {
-+                        _error( $arg,
-+                            "cannot make child directory read-write-exec", $canon );
-+                        next ROOT_DIR;
-+                    }
-+                    close $root_fh;
-                 }
--                elsif ( !chdir($root) ) {
-+                if ( !chdir($root) ) {
-                     _error( $arg, "cannot chdir to child", $canon );
-                     next ROOT_DIR;
-                 }
-diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t
-index ff52fd6..956ca09 100644
---- a/cpan/File-Path/t/Path.t
-+++ b/cpan/File-Path/t/Path.t
-@@ -3,7 +3,7 @@
- 
- use strict;
- 
--use Test::More tests => 127;
-+use Test::More tests => 126;
- use Config;
- use Fcntl ':mode';
- use lib 't/';
-@@ -18,6 +18,13 @@ BEGIN {
- 
- my $Is_VMS = $^O eq 'VMS';
- 
-+my $fchmod_supported = 0;
-+if (open my $fh, curdir()) {
-+    my ($perm) = (stat($fh))[2];
-+    $perm &= 07777;
-+    eval { $fchmod_supported = chmod( $perm, $fh); };
-+}
-+
- # first check for stupid permissions second for full, so we clean up
- # behind ourselves
- for my $perm (0111,0777) {
-@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
- 
- is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
- 
--$dir = catdir($tmp_base,'G');
--$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-+SKIP: {
-+    skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
-+    $dir = catdir($tmp_base,'G');
-+    $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
- 
--@created = mkpath($dir, undef, 0200);
-+    @created = mkpath($dir, undef, 0400);
- 
--is(scalar(@created), 1, "created write-only dir");
-+    is(scalar(@created), 1, "created read-only dir");
- 
--is($created[0], $dir, "created write-only directory cross-check");
-+    is($created[0], $dir, "created read-only directory cross-check");
- 
--is(rmtree($dir), 1, "removed write-only dir");
-+    is(rmtree($dir), 1, "removed read-only dir");
-+}
- 
- # borderline new-style heuristics
- if (chdir $tmp_base) {
-@@ -450,26 +460,28 @@ SKIP: {
- }
- 
- SKIP : {
--    my $skip_count = 19;
-+    my $skip_count = 18;
-     # this test will fail on Windows, as per:
-     #   http://perldoc.perl.org/perlport.html#chmod
- 
-     skip "Windows chmod test skipped", $skip_count
-         if $^O eq 'MSWin32';
-+    skip "fchmod() on directories is not supported on this platform", $skip_count
-+        unless $fchmod_supported;
-     my $mode;
-     my $octal_mode;
-     my @inputs = (
--      0777, 0700, 0070, 0007,
--      0333, 0300, 0030, 0003,
--      0111, 0100, 0010, 0001,
--      0731, 0713, 0317, 0371, 0173, 0137,
--      00 );
-+      0777, 0700, 0470, 0407,
-+      0433, 0400, 0430, 0403,
-+      0111, 0100, 0110, 0101,
-+      0731, 0713, 0317, 0371,
-+      0173, 0137);
-     my $input;
-     my $octal_input;
--    $dir = catdir($tmp_base, 'chmod_test');
- 
-     foreach (@inputs) {
-         $input = $_;
-+        $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
-         # We can skip from here because 0 is last in the list.
-         skip "Mode of 0 means assume user defaults on VMS", 1
-           if ($input == 0 && $Is_VMS);
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 27b49e6652..3eb5b1eacf 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -61,18 +61,16 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.26.2")
+    (version "5.28.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))
+               "1a3f822lcl8dr8v0hk80yyhpzqlljg49z9flb48rs3nbsij9z4ky"))
              (patches (search-patches
-                       "perl-file-path-CVE-2017-6512.patch"
                        "perl-no-sys-dirs.patch"
-                       "perl-archive-tar-CVE-2018-12015.patch"
                        "perl-autosplit-default-time.patch"
                        "perl-deterministic-ordering.patch"
                        "perl-reproducible-build-date.patch"))))
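Review bot: The patch list drops `perl-file-path-CVE-2017-6512.patch` and `perl-archive-tar-CVE-2018-12015.patch` (and gnu/local.mk drops them too) without anything on the page recording why 5.28.0 no longer needs them; presumably the bundled File::Path and Archive::Tar in 5.28.0 carry the upstream fixes, but that should be stated in the commit message, ideally with the bundled module versions, so the removal of two security patches is auditable. A cheap confirmation before merging is to check that the new tarball's cpan/File-Path/lib/File/Path.pm contains the fchmod-based permission escalation and cpan/Archive-Tar/lib/Archive/Tar.pm the unlink-before-extract guard that the deleted patches added. The `(package` form begins at the top of the hunk and continues past its end.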