Pick patch from [1] also mentioned at NVD report in [2] [1] https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-42496 [3] https://security-tracker.debian.org/tracker/CVE-2026-42496
Signed-off-by: Hitendra Prajapati <[email protected]> --- .../perl/files/CVE-2026-42496.patch | 86 +++++++++++++++++++ meta/recipes-devtools/perl/perl_5.38.4.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-42496.patch diff --git a/meta/recipes-devtools/perl/files/CVE-2026-42496.patch b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch new file mode 100644 index 0000000000..34d59d9363 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch @@ -0,0 +1,86 @@ +From 17c873492a05eddc0de18c1485e0b2cccd5a9158 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <[email protected]> +Date: Thu, 21 May 2026 19:59:21 +0100 +Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE + +Signed-off-by: Chris 'BinGOs' Williams <[email protected]> + +CVE: CVE-2026-42496 +Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158] +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + cpan/Archive-Tar/lib/Archive/Tar.pm | 30 +++++++++++++++++++++++++ + cpan/Archive-Tar/t/04_resolved_issues.t | 2 ++ + 2 files changed, 32 insertions(+) + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm +index 476e646..4c73823 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -944,6 +944,19 @@ sub _make_special_file { + my $err; + + if( $entry->is_symlink ) { ++ if( !$INSECURE_EXTRACT_MODE ) { ++ my $linkname = $entry->linkname; ++ if( File::Spec->file_name_is_absolute($linkname) ) { ++ $self->_error( qq[Symlink '] . $entry->full_path . ++ qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] ); ++ return; ++ } ++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) { ++ $self->_error( qq[Symlink '] . $entry->full_path . ++ qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] ); ++ return; ++ } ++ } + my $fail; + if( ON_UNIX ) { + symlink( $entry->linkname, $file ) or $fail++; +@@ -957,6 +970,23 @@ sub _make_special_file { + $entry->linkname .q[' failed] if $fail; + + } elsif ( $entry->is_hardlink ) { ++ if( !$INSECURE_EXTRACT_MODE ) { ++ my $linkname = $entry->linkname; ++ if( File::Spec->file_name_is_absolute($linkname) ) { ++ $self->_error( qq[Hardlink '] . $entry->full_path . ++ qq[' has absolute target '$linkname'. Not extracting ] . ++ qq[under SECURE EXTRACT MODE: extraction itself chmods ] . ++ qq[the shared inode.] ); ++ return; ++ } ++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) { ++ $self->_error( qq[Hardlink '] . $entry->full_path . ++ qq[' target '$linkname' attempts traversal. Not ] . ++ qq[extracting under SECURE EXTRACT MODE: extraction ] . ++ qq[itself chmods the shared inode.] ); ++ return; ++ } ++ } + my $fail; + if( ON_UNIX ) { + link( $entry->linkname, $file ) or $fail++; +diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t b/cpan/Archive-Tar/t/04_resolved_issues.t +index fc713cd..593501a 100644 +--- a/cpan/Archive-Tar/t/04_resolved_issues.t ++++ b/cpan/Archive-Tar/t/04_resolved_issues.t +@@ -219,6 +219,7 @@ SKIP: { + } + + { #use case 1 - in memory extraction ++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1; + my $t=Archive::Tar->new; + $t->read( $archname ); + my $r = eval{ $t->extract }; +@@ -230,6 +231,7 @@ SKIP: { + + { #use case 2 - iter extraction + #$DB::single = 2; ++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1; + my $next=Archive::Tar->iter( $archname, 1 ); + my $failed = 0; + #use Data::Dumper; +-- +2.50.1 + diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb index 5ab49ed3d7..611824056e 100644 --- a/meta/recipes-devtools/perl/perl_5.38.4.bb +++ b/meta/recipes-devtools/perl/perl_5.38.4.bb @@ -18,6 +18,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \ file://determinism.patch \ file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \ file://0001-Fix-intermittent-failure-of-test-t-op-sigsystem.t.patch \ + file://CVE-2026-42496.patch \ " SRC_URI:append:class-native = " \ file://perl-configpm-switch.patch \ -- 2.50.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239335): https://lists.openembedded.org/g/openembedded-core/message/239335 Mute This Topic: https://lists.openembedded.org/mt/119937065/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
