On Tue Jun 23, 2026 at 8:03 AM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1] also mentioned at NVD report in [2]
>
> [1] 
> https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-42496
> [3] https://security-tracker.debian.org/tracker/CVE-2026-42496
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---

Hello,

Is that needed for wrynose and master? Since this is vendored in perl,
this is not trivial to check.

Thanks!

>  .../perl/files/CVE-2026-42496.patch           | 86 +++++++++++++++++++
>  meta/recipes-devtools/perl/perl_5.38.4.bb     |  1 +
>  2 files changed, 87 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2026-42496.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2026-42496.patch 
> b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
> new file mode 100644
> index 0000000000..34d59d9363
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2026-42496.patch
> @@ -0,0 +1,86 @@
> +From 17c873492a05eddc0de18c1485e0b2cccd5a9158 Mon Sep 17 00:00:00 2001
> +From: Stig Palmquist <[email protected]>
> +Date: Thu, 21 May 2026 19:59:21 +0100
> +Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
> +
> +Signed-off-by: Chris 'BinGOs' Williams <[email protected]>
> +
> +CVE: CVE-2026-42496
> +Upstream-Status: Backport 
> [https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + cpan/Archive-Tar/lib/Archive/Tar.pm     | 30 +++++++++++++++++++++++++
> + cpan/Archive-Tar/t/04_resolved_issues.t |  2 ++
> + 2 files changed, 32 insertions(+)
> +
> +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm 
> b/cpan/Archive-Tar/lib/Archive/Tar.pm
> +index 476e646..4c73823 100644
> +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
> ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
> +@@ -944,6 +944,19 @@ sub _make_special_file {
> +     my $err;
> + 
> +     if( $entry->is_symlink ) {
> ++        if( !$INSECURE_EXTRACT_MODE ) {
> ++            my $linkname = $entry->linkname;
> ++            if( File::Spec->file_name_is_absolute($linkname) ) {
> ++                $self->_error( qq[Symlink '] . $entry->full_path .
> ++                    qq[' has absolute target. Not extracting under SECURE 
> EXTRACT MODE] );
> ++                return;
> ++            }
> ++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
> ++                $self->_error( qq[Symlink '] . $entry->full_path .
> ++                    qq[' target attempts traversal. Not extracting under 
> SECURE EXTRACT MODE] );
> ++                return;
> ++            }
> ++        }
> +         my $fail;
> +         if( ON_UNIX ) {
> +             symlink( $entry->linkname, $file ) or $fail++;
> +@@ -957,6 +970,23 @@ sub _make_special_file {
> +                 $entry->linkname .q[' failed] if $fail;
> + 
> +     } elsif ( $entry->is_hardlink ) {
> ++        if( !$INSECURE_EXTRACT_MODE ) {
> ++            my $linkname = $entry->linkname;
> ++            if( File::Spec->file_name_is_absolute($linkname) ) {
> ++                $self->_error( qq[Hardlink '] . $entry->full_path .
> ++                    qq[' has absolute target '$linkname'. Not extracting ] .
> ++                    qq[under SECURE EXTRACT MODE: extraction itself chmods 
> ] .
> ++                    qq[the shared inode.] );
> ++                return;
> ++            }
> ++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
> ++                $self->_error( qq[Hardlink '] . $entry->full_path .
> ++                    qq[' target '$linkname' attempts traversal. Not ] .
> ++                    qq[extracting under SECURE EXTRACT MODE: extraction ] .
> ++                    qq[itself chmods the shared inode.] );
> ++                return;
> ++            }
> ++        }
> +         my $fail;
> +         if( ON_UNIX ) {
> +             link( $entry->linkname, $file ) or $fail++;
> +diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t 
> b/cpan/Archive-Tar/t/04_resolved_issues.t
> +index fc713cd..593501a 100644
> +--- a/cpan/Archive-Tar/t/04_resolved_issues.t
> ++++ b/cpan/Archive-Tar/t/04_resolved_issues.t
> +@@ -219,6 +219,7 @@ SKIP: {
> +             }
> + 
> +     { #use case 1 - in memory extraction
> ++            local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
> +                     my $t=Archive::Tar->new;
> +                     $t->read( $archname );
> +                     my $r = eval{ $t->extract };
> +@@ -230,6 +231,7 @@ SKIP: {
> + 
> +             { #use case 2 - iter extraction
> +               #$DB::single = 2;
> ++            local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
> +                     my $next=Archive::Tar->iter( $archname, 1 );
> +                     my $failed = 0;
> +                     #use Data::Dumper;
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb 
> b/meta/recipes-devtools/perl/perl_5.38.4.bb
> index 5ab49ed3d7..611824056e 100644
> --- a/meta/recipes-devtools/perl/perl_5.38.4.bb
> +++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
> @@ -18,6 +18,7 @@ SRC_URI = 
> "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
>             file://determinism.patch \
>             
> file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
>             
> file://0001-Fix-intermittent-failure-of-test-t-op-sigsystem.t.patch \
> +           file://CVE-2026-42496.patch \
>             "
>  SRC_URI:append:class-native = " \
>             file://perl-configpm-switch.patch \


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239337): 
https://lists.openembedded.org/g/openembedded-core/message/239337
Mute This Topic: https://lists.openembedded.org/mt/119937065/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to