Pick patch from [1] also mentioned at NVD report in [2]

[1] 
https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-42496
[3] https://security-tracker.debian.org/tracker/CVE-2026-42496

Signed-off-by: Hitendra Prajapati <[email protected]>
---
 .../perl/files/CVE-2026-42496.patch           | 86 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.38.4.bb     |  1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-42496.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2026-42496.patch 
b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
new file mode 100644
index 0000000000..34d59d9363
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
@@ -0,0 +1,86 @@
+From 17c873492a05eddc0de18c1485e0b2cccd5a9158 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <[email protected]>
+Date: Thu, 21 May 2026 19:59:21 +0100
+Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
+
+Signed-off-by: Chris 'BinGOs' Williams <[email protected]>
+
+CVE: CVE-2026-42496
+Upstream-Status: Backport 
[https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158]
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ cpan/Archive-Tar/lib/Archive/Tar.pm     | 30 +++++++++++++++++++++++++
+ cpan/Archive-Tar/t/04_resolved_issues.t |  2 ++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm 
b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 476e646..4c73823 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -944,6 +944,19 @@ sub _make_special_file {
+     my $err;
+ 
+     if( $entry->is_symlink ) {
++        if( !$INSECURE_EXTRACT_MODE ) {
++            my $linkname = $entry->linkname;
++            if( File::Spec->file_name_is_absolute($linkname) ) {
++                $self->_error( qq[Symlink '] . $entry->full_path .
++                    qq[' has absolute target. Not extracting under SECURE 
EXTRACT MODE] );
++                return;
++            }
++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++                $self->_error( qq[Symlink '] . $entry->full_path .
++                    qq[' target attempts traversal. Not extracting under 
SECURE EXTRACT MODE] );
++                return;
++            }
++        }
+         my $fail;
+         if( ON_UNIX ) {
+             symlink( $entry->linkname, $file ) or $fail++;
+@@ -957,6 +970,23 @@ sub _make_special_file {
+                 $entry->linkname .q[' failed] if $fail;
+ 
+     } elsif ( $entry->is_hardlink ) {
++        if( !$INSECURE_EXTRACT_MODE ) {
++            my $linkname = $entry->linkname;
++            if( File::Spec->file_name_is_absolute($linkname) ) {
++                $self->_error( qq[Hardlink '] . $entry->full_path .
++                    qq[' has absolute target '$linkname'. Not extracting ] .
++                    qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
++                    qq[the shared inode.] );
++                return;
++            }
++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++                $self->_error( qq[Hardlink '] . $entry->full_path .
++                    qq[' target '$linkname' attempts traversal. Not ] .
++                    qq[extracting under SECURE EXTRACT MODE: extraction ] .
++                    qq[itself chmods the shared inode.] );
++                return;
++            }
++        }
+         my $fail;
+         if( ON_UNIX ) {
+             link( $entry->linkname, $file ) or $fail++;
+diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t 
b/cpan/Archive-Tar/t/04_resolved_issues.t
+index fc713cd..593501a 100644
+--- a/cpan/Archive-Tar/t/04_resolved_issues.t
++++ b/cpan/Archive-Tar/t/04_resolved_issues.t
+@@ -219,6 +219,7 @@ SKIP: {
+               }
+ 
+     { #use case 1 - in memory extraction
++              local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+                       my $t=Archive::Tar->new;
+                       $t->read( $archname );
+                       my $r = eval{ $t->extract };
+@@ -230,6 +231,7 @@ SKIP: {
+ 
+               { #use case 2 - iter extraction
+                 #$DB::single = 2;
++              local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+                       my $next=Archive::Tar->iter( $archname, 1 );
+                       my $failed = 0;
+                       #use Data::Dumper;
+-- 
+2.50.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb 
b/meta/recipes-devtools/perl/perl_5.38.4.bb
index 5ab49ed3d7..611824056e 100644
--- a/meta/recipes-devtools/perl/perl_5.38.4.bb
+++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
@@ -18,6 +18,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://determinism.patch \
            
file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
            file://0001-Fix-intermittent-failure-of-test-t-op-sigsystem.t.patch 
\
+           file://CVE-2026-42496.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
-- 
2.50.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239335): 
https://lists.openembedded.org/g/openembedded-core/message/239335
Mute This Topic: https://lists.openembedded.org/mt/119937065/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • [OE-core] [scarthgap][PATCH]... Hitendra Prajapati via lists.openembedded.org

Reply via email to