| Message ID | 20260623060344.339663-1-hprajapati@mvista.com |
|---|---|
| Series | [scarthgap] perl: fix for CVE-2026-42496 | expand |
On Tue Jun 23, 2026 at 8:03 AM CEST, Hitendra Prajapati via lists.openembedded.org wrote:
> Pick patch from [1] also mentioned at NVD report in [2]
>
> [1] https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-42496
> [3] https://security-tracker.debian.org/tracker/CVE-2026-42496
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
Hello, Is that needed for wrynose and master? Since this is vendored in perl, this is not trivial to check. Thanks!
> .../perl/files/CVE-2026-42496.patch | 86 +++++++++++++++++++
> meta/recipes-devtools/perl/perl_5.38.4.bb | 1 +
> 2 files changed, 87 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-42496.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2026-42496.patch b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
> new file mode 100644
> index 0000000000..34d59d9363
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
> @@ -0,0 +1,86 @@
> +From 17c873492a05eddc0de18c1485e0b2cccd5a9158 Mon Sep 17 00:00:00 2001
> +From: Stig Palmquist <stig@stig.io>
> +Date: Thu, 21 May 2026 19:59:21 +0100
> +Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
> +
> +Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
> +
> +CVE: CVE-2026-42496
> +Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + cpan/Archive-Tar/lib/Archive/Tar.pm | 30 +++++++++++++++++++++++++
> + cpan/Archive-Tar/t/04_resolved_issues.t | 2 ++
> + 2 files changed, 32 insertions(+)
> +
> +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
> +index 476e646..4c73823 100644
> +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
> ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
> +@@ -944,6 +944,19 @@ sub _make_special_file {
> + my $err;
> +
> + if( $entry->is_symlink ) {
> ++ if( !$INSECURE_EXTRACT_MODE ) {
> ++ my $linkname = $entry->linkname;
> ++ if( File::Spec->file_name_is_absolute($linkname) ) {
> ++ $self->_error( qq[Symlink '] . $entry->full_path .
> ++ qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
> ++ return;
> ++ }
> ++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
> ++ $self->_error( qq[Symlink '] . $entry->full_path .
> ++ qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
> ++ return;
> ++ }
> ++ }
> + my $fail;
> + if( ON_UNIX ) {
> + symlink( $entry->linkname, $file ) or $fail++;
> +@@ -957,6 +970,23 @@ sub _make_special_file {
> + $entry->linkname .q[' failed] if $fail;
> +
> + } elsif ( $entry->is_hardlink ) {
> ++ if( !$INSECURE_EXTRACT_MODE ) {
> ++ my $linkname = $entry->linkname;
> ++ if( File::Spec->file_name_is_absolute($linkname) ) {
> ++ $self->_error( qq[Hardlink '] . $entry->full_path .
> ++ qq[' has absolute target '$linkname'. Not extracting ] .
> ++ qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
> ++ qq[the shared inode.] );
> ++ return;
> ++ }
> ++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
> ++ $self->_error( qq[Hardlink '] . $entry->full_path .
> ++ qq[' target '$linkname' attempts traversal. Not ] .
> ++ qq[extracting under SECURE EXTRACT MODE: extraction ] .
> ++ qq[itself chmods the shared inode.] );
> ++ return;
> ++ }
> ++ }
> + my $fail;
> + if( ON_UNIX ) {
> + link( $entry->linkname, $file ) or $fail++;
> +diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t b/cpan/Archive-Tar/t/04_resolved_issues.t
> +index fc713cd..593501a 100644
> +--- a/cpan/Archive-Tar/t/04_resolved_issues.t
> ++++ b/cpan/Archive-Tar/t/04_resolved_issues.t
> +@@ -219,6 +219,7 @@ SKIP: {
> + }
> +
> + { #use case 1 - in memory extraction
> ++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
> + my $t=Archive::Tar->new;
> + $t->read( $archname );
> + my $r = eval{ $t->extract };
> +@@ -230,6 +231,7 @@ SKIP: {
> +
> + { #use case 2 - iter extraction
> + #$DB::single = 2;
> ++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
> + my $next=Archive::Tar->iter( $archname, 1 );
> + my $failed = 0;
> + #use Data::Dumper;
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb
> index 5ab49ed3d7..611824056e 100644
> --- a/meta/recipes-devtools/perl/perl_5.38.4.bb
> +++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
> @@ -18,6 +18,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
> file://determinism.patch \
> file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
> file://0001-Fix-intermittent-failure-of-test-t-op-sigsystem.t.patch \
> + file://CVE-2026-42496.patch \
> "
> SRC_URI:append:class-native = " \
> file://perl-configpm-switch.patch \
diff --git a/meta/recipes-devtools/perl/files/CVE-2026-42496.patch b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
new file mode 100644
index 0000000000..34d59d9363
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
@@ -0,0 +1,86 @@
+From 17c873492a05eddc0de18c1485e0b2cccd5a9158 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <stig@stig.io>
+Date: Thu, 21 May 2026 19:59:21 +0100
+Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
+
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+
+CVE: CVE-2026-42496
+Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ cpan/Archive-Tar/lib/Archive/Tar.pm | 30 +++++++++++++++++++++++++
+ cpan/Archive-Tar/t/04_resolved_issues.t | 2 ++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 476e646..4c73823 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -944,6 +944,19 @@ sub _make_special_file {
+ my $err;
+
+ if( $entry->is_symlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ symlink( $entry->linkname, $file ) or $fail++;
+@@ -957,6 +970,23 @@ sub _make_special_file {
+ $entry->linkname .q[' failed] if $fail;
+
+ } elsif ( $entry->is_hardlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' has absolute target '$linkname'. Not extracting ] .
++ qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
++ qq[the shared inode.] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' target '$linkname' attempts traversal. Not ] .
++ qq[extracting under SECURE EXTRACT MODE: extraction ] .
++ qq[itself chmods the shared inode.] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ link( $entry->linkname, $file ) or $fail++;
+diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t b/cpan/Archive-Tar/t/04_resolved_issues.t
+index fc713cd..593501a 100644
+--- a/cpan/Archive-Tar/t/04_resolved_issues.t
++++ b/cpan/Archive-Tar/t/04_resolved_issues.t
+@@ -219,6 +219,7 @@ SKIP: {
+ }
+
+ { #use case 1 - in memory extraction
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $t=Archive::Tar->new;
+ $t->read( $archname );
+ my $r = eval{ $t->extract };
+@@ -230,6 +231,7 @@ SKIP: {
+
+ { #use case 2 - iter extraction
+ #$DB::single = 2;
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $next=Archive::Tar->iter( $archname, 1 );
+ my $failed = 0;
+ #use Data::Dumper;
+--
+2.50.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb
index 5ab49ed3d7..611824056e 100644
--- a/meta/recipes-devtools/perl/perl_5.38.4.bb
+++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
 file://determinism.patch \
 file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
 file://0001-Fix-intermittent-failure-of-test-t-op-sigsystem.t.patch \
+ file://CVE-2026-42496.patch \
 "
 SRC_URI:append:class-native = " \
 file://perl-configpm-switch.patch \
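Review bot: The t/04_resolved_issues.t part of this hunk only adds `local $Archive::Tar::INSECURE_EXTRACT_MODE=1;` to two existing extraction cases, so nothing in the backport asserts that a symlink or hardlink whose linkname is absolute or contains a `..` component is actually refused when secure mode is on, which is the behaviour the Tar.pm change introduces. A regression case that reads a small archive containing a `../outside` symlink entry with `INSECURE_EXTRACT_MODE` left unset and checks that the link is not created on disk would pin the fix for the scarthgap branch and catch a future rebase silently dropping it. Separately, the two symlink `_error` messages omit the offending target while both hardlink messages include `'$linkname'`; changing the first to `qq[' has absolute target '$linkname'. Not extracting under SECURE EXTRACT MODE] );` and the traversal one likewise would keep the log lines consistent for triage. The enclosing `_make_special_file` starts and ends outside this hunk, so whether the bare `return` here surfaces as an extraction failure to callers is not visible from the patch and should be confirmed when writing that test.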
Pick the upstream patch from [1], which is also referenced in the NVD report in [2].

[1] https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-42496
[3] https://security-tracker.debian.org/tracker/CVE-2026-42496

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../perl/files/CVE-2026-42496.patch | 86 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.38.4.bb | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-42496.patch