05/10: gnu: perl: Fix CVE-2018-12015.

[Marius Bakke]

mbakke pushed a commit to branch master
in repository guix.

commit 406c83f78d4c7851743bb0f82a9de02c8afa63f3
Author: Marius Bakke <address@hidden>
Date:   Tue Jun 12 11:24:29 2018 +0200

    gnu: perl: Fix CVE-2018-12015.
    
    * gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
    * gnu/packages/perl.scm (perl-5.26.2)[source](patches): Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/perl-archive-tar-CVE-2018-12015.patch  | 36 ++++++++++++++++++++++
 gnu/packages/perl.scm                              |  2 ++
 3 files changed, 39 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index d02f070..a1bebe0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -989,6 +989,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch    \
   %D%/packages/patches/patch-hurd-path-max.patch               \
   %D%/packages/patches/perf-gcc-ice.patch                      \
+  %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch   \
   %D%/packages/patches/perl-file-path-CVE-2017-6512.patch      \
   %D%/packages/patches/perl-autosplit-default-time.patch       \
   %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch     \
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch 
b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
new file mode 100644
index 0000000..6460cf5
--- /dev/null
+++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
@@ -0,0 +1,36 @@
+Fix CVE-2018-12015:
+
+https://security-tracker.debian.org/tracker/CVE-2018-12015
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Patch taken from this upstream commit and adapted to apply to
+the bundled copy in the Perl distribution:
+
+https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm 
b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
++    ### If a file system already contains a block device with the same name as
++    ### the being extracted regular file, we would write the file's content
++    ### to the block device. So remove the existing file (block device) now.
++    ### If an archive contains multiple same-named entries, the last one
++    ### should replace the previous ones. So remove the old file now.
++    ### If the old entry is a symlink to a file outside of the CWD, the new
++    ### entry would create a file there. This is CVE-2018-12015
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++    if (-l $full || -e _) {
++      if (!unlink $full) {
++          $self->_error( qq[Could not remove old file '$full': $!] );
++          return;
++      }
++    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 2d2bb62..93b1a3f 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -170,6 +170,8 @@
               (inherit (package-source perl))
               (uri (string-append "mirror://cpan/src/5.0/perl-"
                                   version ".tar.gz"))
+              (patches (append (origin-patches (package-source perl))
+                               (search-patches 
"perl-archive-tar-CVE-2018-12015.patch")))
               (sha256
                (base32
                 "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))