
CVS commit: [pkgsrc-2026Q1] pkgsrc/lang/perl5



Module Name:    pkgsrc
Committed By:   maya
Date:           Tue Jun  9 22:30:58 UTC 2026

Modified Files:
        pkgsrc/lang/perl5 [pkgsrc-2026Q1]: Makefile distinfo
Added Files:
        pkgsrc/lang/perl5/patches [pkgsrc-2026Q1]:
            patch-cpan_Archive-Tar_lib_Archive_Tar.pm patch-regcomp__study.c

Log Message:
Pullup ticket #7132 - requested by taca
lang/perl5: Security fix

Revisions pulled up:
- lang/perl5/Makefile                                           1.292-1.293
- lang/perl5/distinfo                                           1.197-1.198
- lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm  1.1
- lang/perl5/patches/patch-regcomp__study.c                     1.1

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Wed May 27 22:28:20 UTC 2026

   Modified Files:
        pkgsrc/lang/perl5: Makefile distinfo
   Added Files:
        pkgsrc/lang/perl5/patches: patch-regcomp__study.c

   Log Message:
   perl: apply upstream security fix for regex on 32-bit systems.

   Bump PKGREVISION.

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Wed May 27 22:35:30 UTC 2026

   Modified Files:
        pkgsrc/lang/perl5: Makefile distinfo
   Added Files:
        pkgsrc/lang/perl5/patches: patch-cpan_Archive-Tar_lib_Archive_Tar.pm

   Log Message:
   perl: fix security problem in Archive::Tar

   Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an
   attacker-controlled entry size field in the tar header

   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.290.4.1 -r1.290.4.2 pkgsrc/lang/perl5/Makefile
cvs rdiff -u -r1.195.4.1 -r1.195.4.2 pkgsrc/lang/perl5/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm \
    pkgsrc/lang/perl5/patches/patch-regcomp__study.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/perl5/Makefile
diff -u pkgsrc/lang/perl5/Makefile:1.290.4.1 pkgsrc/lang/perl5/Makefile:1.290.4.2
--- pkgsrc/lang/perl5/Makefile:1.290.4.1        Sun Apr 12 10:07:22 2026
+++ pkgsrc/lang/perl5/Makefile  Tue Jun  9 22:30:58 2026
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.290.4.1 2026/04/12 10:07:22 bsiegert Exp $
+# $NetBSD: Makefile,v 1.290.4.2 2026/06/09 22:30:58 maya Exp $
 
 .include "license.mk"
 .include "Makefile.common"
 
 COMMENT=       Practical Extraction and Report Language
+PKGREVISION=   2
 
 CONFLICTS+=    perl-base-[0-9]* perl-thread-[0-9]*
 

Index: pkgsrc/lang/perl5/distinfo
diff -u pkgsrc/lang/perl5/distinfo:1.195.4.1 pkgsrc/lang/perl5/distinfo:1.195.4.2
--- pkgsrc/lang/perl5/distinfo:1.195.4.1        Sun Apr 12 10:07:22 2026
+++ pkgsrc/lang/perl5/distinfo  Tue Jun  9 22:30:58 2026
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.195.4.1 2026/04/12 10:07:22 bsiegert Exp $
+$NetBSD: distinfo,v 1.195.4.2 2026/06/09 22:30:58 maya Exp $
 
 BLAKE2s (perl-5.42.2.tar.gz) = a2e271ef18aa3cadeed75cf6bf48cfc30b8a9f6675053194f285cd13d97e0791
 SHA512 (perl-5.42.2.tar.gz) = c17925b1146270310fbefd82a98bd94532b499a547f5be005ece204918bfc0034e473a97df643925625a940209f81a65acdd99857b3b18911461571230262c0f
 Size (perl-5.42.2.tar.gz) = 20609653 bytes
 SHA1 (patch-Configure) = 7e04b70aefcb66399679582a2f2e95306cf1e47b
 SHA1 (patch-Makefile.SH) = 56203aea57c429a94760f039a978463b8859b0a9
+SHA1 (patch-cpan_Archive-Tar_lib_Archive_Tar.pm) = af896b3c8770d03c851fe1022ed1348857b1b4cc
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__BeOS.pm) = 79e5aeccfa272ca5ec08bffc616d8053ae90ac51
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__Unix.pm) = 996556f221eb0c75c316315462bf6cea6746e030
 SHA1 (patch-cpan_ExtUtils-MakeMaker_t_MM__BeOS.t) = 9b0e7ab85fdab4887b1754599a8879bd7d9f36cc
@@ -13,3 +14,4 @@ SHA1 (patch-hints_linux.sh) = 4baa8f8069
 SHA1 (patch-hints_netbsd.sh) = cb498170c18f1f429eed9be245cd1df24c7ad628
 SHA1 (patch-hints_solaris__2.sh) = 83b20650435ea3b62314af6059f3d82c3dd6b0a2
 SHA1 (patch-installperl) = b129d64cc17b898b44fe6282b8b1df36e342d0ef
+SHA1 (patch-regcomp__study.c) = 385a4441d7c4513b196b57676d635214f8232c3b

Added files:

Index: pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm
diff -u /dev/null pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm:1.1.2.2
--- /dev/null   Tue Jun  9 22:30:58 2026
+++ pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm Tue Jun  9 22:30:58 2026
@@ -0,0 +1,54 @@
+$NetBSD: patch-cpan_Archive-Tar_lib_Archive_Tar.pm,v 1.1.2.2 2026/06/09 22:30:58 maya Exp $
+
+Archive::Tar versions before 3.10 for Perl allow memory exhaustion via
+attacker controlled entry size field in tar header.
+https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch
+
+--- cpan/Archive-Tar/lib/Archive/Tar.pm.orig   2026-01-18 16:32:21.000000000 +0000
++++ cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -24,7 +24,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLI
+ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
+             $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING $SAME_PERMISSIONS
+             $INSECURE_EXTRACT_MODE $ZERO_PAD_NUMBERS @ISA @EXPORT $RESOLVE_SYMLINK
+-            $EXTRACT_BLOCK_SIZE
++            $EXTRACT_BLOCK_SIZE $MAX_FILE_SIZE
+          ];
+ 
+ @ISA                    = qw[Exporter];
+@@ -41,6 +41,7 @@ $EXTRACT_BLOCK_SIZE     = 1024 * 1024 * 1024;
+ $ZERO_PAD_NUMBERS       = 0;
+ $RESOLVE_SYMLINK        = $ENV{'PERL5_AT_RESOLVE_SYMLINK'} || 'speed';
+ $EXTRACT_BLOCK_SIZE     = 1024 * 1024 * 1024;
++$MAX_FILE_SIZE          = 1024 * 1024 * 1024;
+ 
+ BEGIN {
+     use Config;
+@@ -444,6 +445,14 @@ sub _read_tar {
+ 
+             my $block = BLOCK_SIZE->( $entry->size );
+ 
++            if ( $MAX_FILE_SIZE && $entry->size > $MAX_FILE_SIZE ) {
++                $self->_error( qq[Entry '] . $entry->full_path .
++                    qq[' declared size ] . $entry->size .
++                    qq[ bytes exceeds \$Archive::Tar::MAX_FILE_SIZE ] .
++                    qq[($MAX_FILE_SIZE); refusing to allocate] );
++                next LOOP;
++            }
++
+             $data = $entry->get_content_by_ref;
+ 
+           my $skip = 0;
+@@ -2186,6 +2195,13 @@ extraction may fail with an error.
+ cannot be arbitrarily large since some operating systems limit the number of
+ bytes that can be written in one call to C<write(2)>, so if this is too large,
+ extraction may fail with an error.
++
++=head2 $Archive::Tar::MAX_FILE_SIZE
++
++This variable holds an upper bound on the per-entry declared size that
++C<Archive::Tar> will accept when reading an archive. Entries whose header
++claims a larger size are refused with an error before any read allocation.
++Defaults to 1 GiB. Set to 0 to disable the cap.
+ 
+ =cut
+ 
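Review bot: The new guard at `if ( $MAX_FILE_SIZE && $entry->size > $MAX_FILE_SIZE )` refuses the entry with `next LOOP`, but the hunk shows no repositioning of the read handle past the entry's declared data, so unless the loop head already skips `$block` bytes of content for entries it does not read, the next iteration would parse payload bytes as a header; the rest of `_read_tar` is outside the hunk, so this needs confirming. The check runs after `my $block = BLOCK_SIZE->( $entry->size );`, which is only arithmetic, but moving the guard above that line would make the new POD's "before any read allocation" claim read literally. A short comment on the guard would help future readers: `# cap taken from the untrusted header before any content is read; 0 disables the check`.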
Index: pkgsrc/lang/perl5/patches/patch-regcomp__study.c
diff -u /dev/null pkgsrc/lang/perl5/patches/patch-regcomp__study.c:1.1.2.2
--- /dev/null   Tue Jun  9 22:30:58 2026
+++ pkgsrc/lang/perl5/patches/patch-regcomp__study.c    Tue Jun  9 22:30:58 2026
@@ -0,0 +1,21 @@
+$NetBSD: patch-regcomp__study.c,v 1.1.2.2 2026/06/09 22:30:58 maya Exp $
+
+Perl/perl-security#147: test against the actual character lengths
+https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c
+
+--- regcomp_study.c.orig       2026-01-18 17:50:04.000000000 +0000
++++ regcomp_study.c
+@@ -2770,6 +2770,13 @@ Perl_study_chunk(pTHX_
+                                                (U8 *) SvEND(data->last_found))
+                                 - (U8*)s;
+                         l -= old;
++
++                        if (l > 0 &&
++                            (mincount >= SSize_t_MAX / (SSize_t)l
++                             || old > SSize_t_MAX - mincount * (SSize_t)l)) {
++                            FAIL("Regexp out of space");
++                        }
++
+                         /* Get the added string: */
+                         last_str = newSVpvn_utf8(s  + old, l, UTF);
+                         last_chrs = UTF ? utf8_length((U8*)(s + old),
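Review bot: The new overflow guard carries no comment saying which computation it protects; the product `mincount * (SSize_t)l` and its sum with `old` are presumably used below the hunk as a length for `last_found`, so a comment such as `/* old + mincount * l is used as a length below; refuse it before it can wrap SSize_t */` would tie the check to its purpose. The `l > 0` condition leaves the `l == 0` and negative cases unguarded, which looks intentional since no product can overflow then, but saying so in the same comment avoids a reader re-deriving it. Perl_study_chunk starts and ends outside this hunk.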


