From 203795aceaabec0e0e5818e1650ad407d825d1b3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Tue, 12 Jan 2016 13:12:07 -0500
Subject: gnu: perl: Add fix for CVE-2015-8607.
* gnu/packages/patches/perl-CVE-2015-8607.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/perl.scm (perl)[source]: Add patch.
---
 gnu-system.am | 3 +-
 gnu/packages/patches/perl-CVE-2015-8607.patch | 68 +++++++++++++++++++++++++++
 gnu/packages/perl.scm | 3 +-
 3 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/perl-CVE-2015-8607.patch
diff --git a/gnu-system.am b/gnu-system.am
index 0f0fabc302..112e404ffb 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -1,7 +1,7 @@
 # GNU Guix --- Functional package management for GNU
 # Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès
 # Copyright © 2013, 2014, 2015 Andreas Enge
-# Copyright © 2013, 2014, 2015 Mark H Weaver
+# Copyright © 2013, 2014, 2015, 2016 Mark H Weaver
 #
 # This file is part of GNU Guix.
 #
@@ -612,6 +612,7 @@ dist_patch_DATA = \
 gnu/packages/patches/patchelf-rework-for-arm.patch \
 gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
 gnu/packages/patches/patch-hurd-path-max.patch \
+ gnu/packages/patches/perl-CVE-2015-8607.patch \
 gnu/packages/patches/perl-autosplit-default-time.patch \
 gnu/packages/patches/perl-deterministic-ordering.patch \
 gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
new file mode 100644
index 0000000000..4c25d41740
--- /dev/null
+++ b/gnu/packages/patches/perl-CVE-2015-8607.patch
@@ -0,0 +1,68 @@
+From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: ensure File::Spec::canonpath() preserves taint
+
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+
+This issue was assigned CVE-2015-8607.
+
+Bug: https://rt.perl.org/Ticket/Display.html?id=126862
+Bug-Debian: https://bugs.debian.org/810719
+Origin: upstream
+Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
+---
+ dist/PathTools/Cwd.xs | 1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
+index 9d4dcf0..3d018dc 100644
+--- a/dist/PathTools/Cwd.xs
++++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+ *o = 0;
+ SvPOK_on(retval);
+ SvCUR_set(retval, o - SvPVX(retval));
++ SvTAINT(retval);
+ return retval;
+ }
+
+diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
+index 309b3e5..48f8c5b 100644
+--- a/dist/PathTools/t/taint.t
++++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+ plan(
+ ${^TAINT}
+- ? (tests => 17)
++ ? (tests => 21)
+ : (skip_all => "A perl without taint support")
+ );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
++
++{
++ # [perl #126862] canonpath() loses taint
++ my $tainted = substr($ENV{PATH}, 0, 0);
++ # yes, getcwd()'s result should be tainted, and is tested above
++ # but be sure
++ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
++ "canonpath() keeps taint on non-empty string";
++ ok tainted(File::Spec->canonpath($tainted)),
++ "canonpath() keeps taint on empty string";
++
++ (Cwd::getcwd() =~ /^(.*)/);
++ my $untainted = $1;
++ ok !tainted($untainted), "make sure our untainted value is untainted";
++ ok !tainted(File::Spec->canonpath($untainted)),
++ "canonpath() doesn't add taint to untainted string";
++}
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 86a979f9fc..162fc9b8f3 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -51,7 +51,8 @@
 "perl-autosplit-default-time.patch"
 "perl-source-date-epoch.patch"
 "perl-deterministic-ordering.patch"
- "perl-no-build-time.patch")))))
+ "perl-no-build-time.patch"
+ "perl-CVE-2015-8607.patch")))))
 (build-system gnu-build-system)
 (arguments
 '(#:tests? #f
--
cgit v1.2.3
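Review bot: The trailing context `'(#:tests? #f` in the gnu/packages/perl.scm hunk shows that this package is built with its test suite disabled, so the four taint.t cases that perl-CVE-2015-8607.patch adds never run and the build gives no evidence that the `SvTAINT(retval);` line in Cwd.xs took effect. I would record that next to the new list entry, for example `;; Fixes CVE-2015-8607; the taint.t cases it adds do not run here because #:tests? is #f.`, and confirm once by hand, with the built perl in taint mode, that `File::Spec->canonpath` returns a tainted value for a tainted argument. The `arguments` form continues past the end of the hunk, so whether tests are enabled conditionally further down cannot be seen from here.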