CVS commit: pkgsrc/lang/perl5

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang/perl5
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Wed, 27 May 2026 22:35:30 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Wed May 27 22:35:30 UTC 2026

Modified Files:
        pkgsrc/lang/perl5: Makefile distinfo
Added Files:
        pkgsrc/lang/perl5/patches: patch-cpan_Archive-Tar_lib_Archive_Tar.pm

Log Message:
perl: fix security problem in Archive::Tar

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via
attacker controlled entry size field in tar header

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.292 -r1.293 pkgsrc/lang/perl5/Makefile
cvs rdiff -u -r1.197 -r1.198 pkgsrc/lang/perl5/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/perl5/Makefile
diff -u pkgsrc/lang/perl5/Makefile:1.292 pkgsrc/lang/perl5/Makefile:1.293
--- pkgsrc/lang/perl5/Makefile:1.292    Wed May 27 22:28:20 2026
+++ pkgsrc/lang/perl5/Makefile  Wed May 27 22:35:30 2026
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.292 2026/05/27 22:28:20 wiz Exp $
+# $NetBSD: Makefile,v 1.293 2026/05/27 22:35:30 wiz Exp $
 
 .include "license.mk"
 .include "Makefile.common"
 
 COMMENT=       Practical Extraction and Report Language
-PKGREVISION=   1
+PKGREVISION=   2
 
 CONFLICTS+=    perl-base-[0-9]* perl-thread-[0-9]*
 

Index: pkgsrc/lang/perl5/distinfo
diff -u pkgsrc/lang/perl5/distinfo:1.197 pkgsrc/lang/perl5/distinfo:1.198
--- pkgsrc/lang/perl5/distinfo:1.197    Wed May 27 22:28:20 2026
+++ pkgsrc/lang/perl5/distinfo  Wed May 27 22:35:30 2026
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.197 2026/05/27 22:28:20 wiz Exp $
+$NetBSD: distinfo,v 1.198 2026/05/27 22:35:30 wiz Exp $
 
 BLAKE2s (perl-5.42.2.tar.gz) = a2e271ef18aa3cadeed75cf6bf48cfc30b8a9f6675053194f285cd13d97e0791
 SHA512 (perl-5.42.2.tar.gz) = c17925b1146270310fbefd82a98bd94532b499a547f5be005ece204918bfc0034e473a97df643925625a940209f81a65acdd99857b3b18911461571230262c0f
 Size (perl-5.42.2.tar.gz) = 20609653 bytes
 SHA1 (patch-Configure) = 7e04b70aefcb66399679582a2f2e95306cf1e47b
 SHA1 (patch-Makefile.SH) = 56203aea57c429a94760f039a978463b8859b0a9
+SHA1 (patch-cpan_Archive-Tar_lib_Archive_Tar.pm) = af896b3c8770d03c851fe1022ed1348857b1b4cc
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__BeOS.pm) = 79e5aeccfa272ca5ec08bffc616d8053ae90ac51
 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__Unix.pm) = 996556f221eb0c75c316315462bf6cea6746e030
 SHA1 (patch-cpan_ExtUtils-MakeMaker_t_MM__BeOS.t) = 9b0e7ab85fdab4887b1754599a8879bd7d9f36cc

Added files:

Index: pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm
diff -u /dev/null pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm:1.1
--- /dev/null   Wed May 27 22:35:30 2026
+++ pkgsrc/lang/perl5/patches/patch-cpan_Archive-Tar_lib_Archive_Tar.pm Wed May 27 22:35:30 2026
@@ -0,0 +1,54 @@
+$NetBSD: patch-cpan_Archive-Tar_lib_Archive_Tar.pm,v 1.1 2026/05/27 22:35:30 wiz Exp $
+
+Archive::Tar versions before 3.10 for Perl allow memory exhaustion via
+attacker controlled entry size field in tar header.
+https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch
+
+--- cpan/Archive-Tar/lib/Archive/Tar.pm.orig   2026-01-18 16:32:21.000000000 +0000
++++ cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -24,7 +24,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLI
+ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
+             $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING $SAME_PERMISSIONS
+             $INSECURE_EXTRACT_MODE $ZERO_PAD_NUMBERS @ISA @EXPORT $RESOLVE_SYMLINK
+-            $EXTRACT_BLOCK_SIZE
++            $EXTRACT_BLOCK_SIZE $MAX_FILE_SIZE
+          ];
+ 
+ @ISA                    = qw[Exporter];
+@@ -41,6 +41,7 @@ $EXTRACT_BLOCK_SIZE     = 1024 * 1024 * 1024;
+ $ZERO_PAD_NUMBERS       = 0;
+ $RESOLVE_SYMLINK        = $ENV{'PERL5_AT_RESOLVE_SYMLINK'} || 'speed';
+ $EXTRACT_BLOCK_SIZE     = 1024 * 1024 * 1024;
++$MAX_FILE_SIZE          = 1024 * 1024 * 1024;
+ 
+ BEGIN {
+     use Config;
+@@ -444,6 +445,14 @@ sub _read_tar {
+ 
+             my $block = BLOCK_SIZE->( $entry->size );
+ 
++            if ( $MAX_FILE_SIZE && $entry->size > $MAX_FILE_SIZE ) {
++                $self->_error( qq[Entry '] . $entry->full_path .
++                    qq[' declared size ] . $entry->size .
++                    qq[ bytes exceeds \$Archive::Tar::MAX_FILE_SIZE ] .
++                    qq[($MAX_FILE_SIZE); refusing to allocate] );
++                next LOOP;
++            }
++
+             $data = $entry->get_content_by_ref;
+ 
+           my $skip = 0;
+@@ -2186,6 +2195,13 @@ extraction may fail with an error.
+ cannot be arbitrarily large since some operating systems limit the number of
+ bytes that can be written in one call to C<write(2)>, so if this is too large,
+ extraction may fail with an error.
++
++=head2 $Archive::Tar::MAX_FILE_SIZE
++
++This variable holds an upper bound on the per-entry declared size that
++C<Archive::Tar> will accept when reading an archive. Entries whose header
++claims a larger size are refused with an error before any read allocation.
++Defaults to 1 GiB. Set to 0 to disable the cap.
+ 
+ =cut
+

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index