Re: [OE-core] [kirkstone][PATCH] perl: fix CVE-2025-40909
Hi Yoann, I'll look into this.

On 14/03/26 9:32 pm, Yoann Congal wrote:
> Hello,
>
> On Fri Feb 27, 2026 at 9:38 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
>> Backport the patch[1] which fixes this vulnerability as mentioned in NVD report.
>> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-40909
>>
>> [1] https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9
>>
>> Backport of upstream commit 918bfff (CVE-2025-40909) introduces a new configuration variable "d_fdopendir" which is used by config_h.SH to generate HAS_FDOPENDIR.
>
> Looks to me that this fix is needed for scarthgap and whinlatter. Can you please send an equivalent fix there first?
>
>> In standard Perl builds this variable is detected by Configure. However in Yocto the perl-native/perl builds rely on perlcross with pre-seeded config.sh and Configure is not fully executed. As a result d_fdopendir may be unset, which causes config_h.SH to emit an invalid preprocessor directive:
>>
>> # HAS_FDOPENDIR
>>
>> leading to build failures.
>>
>> Additionally, leaving the variable unset disables the new code path introduced by the CVE fix.
>>
>> Seed d_fdopendir to "define" to match expected Linux/glibc behaviour where fdopendir() is available. This restores correct config.h generation and ensures the CVE fix is active.
>
> I'm not really familiar with perl integration but instead of using sed to patch a generated file, shouldn't we patch perl-cross with this (submitted but not merged) PR?
> https://github.com/arsv/perl-cross/pull/159/changes/f702c387e6940fab3801d7562a668b974a2b3a8f

I'm also not that much familiar with perl. But I'll look to fix this in perl-cross and give a proper patch.

>> Signed-off-by: Hitendra Prajapati
>> ---
>>  .../perl/files/CVE-2025-40909.patch | 415 ++
>>  meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
>>  2 files changed, 417 insertions(+)
>>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2025-40909.patch
diff --git a/meta/recipes-devtools/perl/files/CVE-2025-40909.patch b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch new file mode 100644 index 00..b5cb20e112 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch 
@@ -0,0 +1,415 @@ +From 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 Mon Sep 17 00:00:00 2001 +From: Leon Timmermans +Date: Fri, 23 May 2025 15:40:41 +0200 +Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir + +This uses fdopendir and dup to dirhandles. This means it won't change +working directory during thread cloning, which prevents race conditions +that can happen if a third thread is active at the same time. + +CVE: CVE-2025-40909 +Upstream-Status: Backport [https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9] +Signed-off-by: Hitendra Prajapati +--- + Configure | 6 ++ + Cross/config.sh-arm-linux | 1 + + Cross/config.sh-arm-linux-n770 | 1 + + Porting/Glossary | 5 ++ + Porting/config.sh | 1 + + config_h.SH| 6 ++ + configure.com | 1 + + plan9/config_sh.sample | 1 + + sv.c | 91 + + t/op/threads-dirh.t| 104 + + win32/config.gc| 1 + + win32/config.vc| 1 + + 12 files changed, 28 insertions(+), 191 deletions(-) + +diff --git a/Configure b/Configure +index 913e080..b668593 100755 +--- a/Configure b/Configure +@@ -476,6 +476,7 @@ d_fd_set='' + d_fds_bits='' + d_fdclose='' + d_fdim='' ++d_fdopendir='' + d_fegetround='' + d_fgetpos='' + d_finite='' +@@ -13222,6 +13223,10 @@ esac + set i_fcntl + eval $setvar + ++: see if fdopendir exists ++set fdopendir d_fdopendir ++eval $inlibc ++ + : see if fork exists + set fork d_fork + eval $inlibc +@@ -24329,6 +24334,7 @@ d_flockproto='$d_flockproto' + d_fma='$d_fma' + d_fmax='$d_fmax' + d_fmin='$d_fmin' ++d_fdopendir='$d_fdopendir' + d_fork='$d_fork' + d_fp_class='$d_fp_class' + d_fp_classify='$d_fp_classify' +diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux +index c472b09..4b346a3 100644 +--- a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux +@@ -211,6 +211,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='undef' + d_fegetround='define' + d_fgetpos='define' +diff --git a/Cross/config.sh-arm-linux-n770 
b/Cross/config.sh-arm-linux-n770 +index 7b10cbf..8dc2f83 100644 +--- a/Cross/config.sh-arm-linux-n770 b/Cross/config.sh-arm-linux-n770 +@@ -210,6 +210,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='undef' + d_fegetround='define' + d_fgetpos='define' +diff --git a/Porting/Glossary b/Porting/Glossary +index d28e8c5..0a98386 100644 +--- a/Porting/Glossary b/Porting/Glossary +@@ -933,6 +933,11 @@ d_fmin (d_fmin.U): + This variable conditionally defines
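Review bot: the Configure hunks (`d_fdopendir=''`, the `set fdopendir d_fdopendir` / `eval $inlibc` probe, and `d_fdopendir='$d_fdopendir'` in the config.sh output) only give d_fdopendir a value when Configure actually runs, and the cover letter says the kirkstone perl/perl-native builds go through perl-cross with a pre-seeded config.sh instead. So nothing in the quoted upstream diff sets the variable for this target; the two-line change to meta/recipes-devtools/perl/perl_5.34.3.bb listed in the diffstat (the sed seeding of d_fdopendir to "define") is the part that makes the fix active, and it is not in the quoted portion. Please make sure that part is reviewed alongside this, or, as suggested in the thread, carry the seeding in perl-cross rather than editing the generated file.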
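Review bot: the Cross/config.sh-arm-linux and Cross/config.sh-arm-linux-n770 hunks both add `d_fdopendir='undef'`. With 'undef', config_h.SH emits `#undef HAS_FDOPENDIR`, which by the cover letter's own reasoning leaves the fdopendir() code path disabled and the fchdir()-based cloning in place on any build that takes its config from these sample files; for the Linux/glibc targets the cover letter argues 'define' is the right value. Worth confirming that the kirkstone recipe never consumes these Cross/ samples (only perl-cross's config.sh), and noting in the commit message that these two hunks are kept verbatim from upstream for that reason.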
Re: [OE-core] [kirkstone][PATCH] perl: fix CVE-2025-40909
Hello,

On Fri Feb 27, 2026 at 9:38 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Backport the patch[1] which fixes this vulnerability as mentioned in NVD
> report.
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-40909
>
> [1]
> https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9
>
> Backport of upstream commit 918bfff (CVE-2025-40909) introduces a new
> configuration variable "d_fdopendir" which is used by config_h.SH to
> generate HAS_FDOPENDIR.

Looks to me that this fix is needed for scarthgap and whinlatter. Can you please send an equivalent fix there first?

> In standard Perl builds this variable is detected by Configure.
> However in Yocto the perl-native/perl builds rely on
> perlcross with pre-seeded config.sh and Configure is not fully
> executed. As a result d_fdopendir may be unset, which causes
> config_h.SH to emit an invalid preprocessor directive:
>
> # HAS_FDOPENDIR
>
> leading to build failures.
>
> Additionally, leaving the variable unset disables the new code path
> introduced by the CVE fix.
>
> Seed d_fdopendir to "define" to match expected Linux/glibc behaviour
> where fdopendir() is available. This restores correct config.h
> generation and ensures the CVE fix is active.

I'm not really familiar with perl integration but instead of using sed to patch a generated file, shouldn't we patch perl-cross with this (submitted but not merged) PR?
https://github.com/arsv/perl-cross/pull/159/changes/f702c387e6940fab3801d7562a668b974a2b3a8f

> Signed-off-by: Hitendra Prajapati
> ---
>  .../perl/files/CVE-2025-40909.patch | 415 ++
>  meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
>  2 files changed, 417 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2025-40909.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2025-40909.patch > b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch > new file mode 100644 > index 00..b5cb20e112 > --- /dev/null 
> +++ b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch 
> @@ -0,0 +1,415 @@ > +From 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 Mon Sep 17 00:00:00 2001 > +From: Leon Timmermans > +Date: Fri, 23 May 2025 15:40:41 +0200 > +Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir > + > +This uses fdopendir and dup to dirhandles. This means it won't change > +working directory during thread cloning, which prevents race conditions > +that can happen if a third thread is active at the same time. > + > +CVE: CVE-2025-40909 > +Upstream-Status: Backport > [https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9] > +Signed-off-by: Hitendra Prajapati > +--- > + Configure | 6 ++ > + Cross/config.sh-arm-linux | 1 + > + Cross/config.sh-arm-linux-n770 | 1 + > + Porting/Glossary | 5 ++ > + Porting/config.sh | 1 + > + config_h.SH| 6 ++ > + configure.com | 1 + > + plan9/config_sh.sample | 1 + > + sv.c | 91 + > + t/op/threads-dirh.t| 104 + > + win32/config.gc| 1 + > + win32/config.vc| 1 + > + 12 files changed, 28 insertions(+), 191 deletions(-) > + > +diff --git a/Configure b/Configure > +index 913e080..b668593 100755 > +--- a/Configure > b/Configure > +@@ -476,6 +476,7 @@ d_fd_set='' > + d_fds_bits='' > + d_fdclose='' > + d_fdim='' > ++d_fdopendir='' > + d_fegetround='' > + d_fgetpos='' > + d_finite='' > +@@ -13222,6 +13223,10 @@ esac > + set i_fcntl > + eval $setvar > + > ++: see if fdopendir exists > ++set fdopendir d_fdopendir > ++eval $inlibc > ++ > + : see if fork exists > + set fork d_fork > + eval $inlibc > +@@ -24329,6 +24334,7 @@ d_flockproto='$d_flockproto' > + d_fma='$d_fma' > + d_fmax='$d_fmax' > + d_fmin='$d_fmin' > ++d_fdopendir='$d_fdopendir' > + d_fork='$d_fork' > + d_fp_class='$d_fp_class' > + d_fp_classify='$d_fp_classify' > +diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux > +index c472b09..4b346a3 100644 > +--- a/Cross/config.sh-arm-linux > b/Cross/config.sh-arm-linux > +@@ -211,6 +211,7 @@ d_fd_macros='define' > + d_fd_set='define' > + d_fdclose='undef' > + d_fdim='undef' 
> ++d_fdopendir='undef' > + d_fds_bits='undef' > + d_fegetround='define' > + d_fgetpos='define' > +diff --git a/Cross/config.sh-arm-linux-n770 b/Cross/config.sh-arm-linux-n770 > +index 7b10cbf..8dc2f83 100644 > +--- a/Cross/config.sh-arm-linux-n770 > b/Cross/config.sh-arm-linux-n770 > +@@ -210,6 +210,7 @@ d_fd_macros='define' > + d_fd_set='define' > + d_fdclose='undef' > + d_fdim='undef' > ++d_fdopendir='undef' > + d_fds_bits='undef' > + d_fegetround='define' > + d_fgetpos='define' > +diff --git a/Porting/Glossary b/Porting/Glossary > +index d28e8c5..0a98386 100644 > +--- a/Porting/Glossary > b/Porting/Glossary > +@@ -933,6 +933,11 @@
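The upstream commit message quoted above says the fix clones a directory handle with dup() and fdopendir() instead of temporarily changing the working directory with fchdir(). The C program below is an added illustration of that technique; it is not Perl's sv.c and not part of this patch. It assumes a Linux/glibc system (the HAS_FDOPENDIR case), and the function names clone_dirhandle and demo_clone_without_fchdir are mine. The demo reads one entry from ".", clones the stream, and checks that the clone continues from the same entry while the process working directory is left untouched, which is the property the fchdir()-based code could not guarantee with a third thread running.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Clone an open directory stream without fchdir(): dup() the descriptor,
 * wrap the copy with fdopendir(), then seekdir() the clone to the
 * original's position. The process working directory is never modified,
 * so a concurrently running thread cannot observe a transient cwd change.
 * Returns NULL with errno set on failure. (Added example, not Perl code.) */
DIR *clone_dirhandle(DIR *src)
{
    int fd = dirfd(src);
    if (fd < 0)
        return NULL;
    long pos = telldir(src);            /* where the original currently is */
    if (pos < 0)
        return NULL;
    int newfd = dup(fd);                /* clone needs its own descriptor so
                                           closedir() on it leaves src open */
    if (newfd < 0)
        return NULL;
    DIR *clone = fdopendir(newfd);
    if (clone == NULL) {
        int saved = errno;
        close(newfd);
        errno = saved;
        return NULL;
    }
    seekdir(clone, pos);                /* resume at the same entry */
    return clone;
}

/* Demonstration: returns 0 when the clone works as intended, otherwise a
 * negative code identifying the failed step. Uses "." so it runs anywhere. */
int demo_clone_without_fchdir(void)
{
    char before[4096], after[4096];
    if (getcwd(before, sizeof before) == NULL)
        return -1;

    DIR *src = opendir(".");
    if (src == NULL)
        return -2;
    if (readdir(src) == NULL) {         /* consume the first entry */
        closedir(src);
        return -3;
    }

    DIR *clone = clone_dirhandle(src);
    if (clone == NULL) {
        closedir(src);
        return -4;
    }

    /* Both streams must yield the same next entry. readdir() returns a
     * pointer into each stream's own buffer, so copy the clone's name. */
    char next_from_clone[256] = "";
    struct dirent *e = readdir(clone);
    if (e != NULL)
        snprintf(next_from_clone, sizeof next_from_clone, "%s", e->d_name);
    struct dirent *f = readdir(src);
    int same_position = (e != NULL && f != NULL &&
                         strcmp(next_from_clone, f->d_name) == 0);

    closedir(clone);                    /* closes only the dup'd descriptor */
    closedir(src);

    /* The security-relevant property: cwd was never touched. */
    if (getcwd(after, sizeof after) == NULL || strcmp(before, after) != 0)
        return -5;
    return same_position ? 0 : -6;
}

int main(void)
{
    int rc = demo_clone_without_fchdir();
    printf("clone without fchdir: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Build and run with `cc -Wall -o clone clone.c && ./clone`. One caveat that does not appear in the commit message: dup() produces a second descriptor for the same open file description, so the clone and the original share the kernel's directory offset; seekdir() on the clone therefore also moves the offset the original will use once its own read buffer is drained. Opening a fresh description with openat(dirfd(src), ".", O_RDONLY | O_DIRECTORY) before fdopendir() avoids that sharing, at the cost of one extra open.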
Re: [OE-core] [kirkstone][PATCH] perl: fix CVE-2025-40909
On Fri Mar 6, 2026 at 1:16 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Hi Team,
>
> Any update?

Hello,

I'll get to it this week. In the future, please wait for 2 weeks before pinging a patch. Depending on when it is received in review cycles, it will most likely take a week before I look at it. Two weeks before a ping seems reasonable.

Thanks!

> Regards,
> Hitendra

--
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#232668): https://lists.openembedded.org/g/openembedded-core/message/232668
Mute This Topic: https://lists.openembedded.org/mt/118027311/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] perl: fix CVE-2025-40909
Hi Team,

Any update?

Regards,
Hitendra
