perl: backport security fixes (#528021)

This commit is contained in:
Vladimír Čunát
2026-06-05 11:32:36 +00:00
committed by GitHub
2 changed files with 81 additions and 4 deletions


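--- a/CVE-2026-8376.patch
+++ b/CVE-2026-8376.patch
@@ -0,0 +1,20 @@
+Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly.
+diff --git a/regcomp_study.c b/regcomp_study.c
+index b513454a4258..1602663f4b26 100644
+--- a/regcomp_study.c
++++ b/regcomp_study.c
+@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_
+(U8 *) SvEND(data->last_found))
+- (U8*)s;
+l -= old;
++
++ if (l > 0 &&
++ (mincount >= SSize_t_MAX / (SSize_t)l
++ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
++ FAIL("Regexp out of space");
++ }
++
+/* Get the added string: */
+last_str = newSVpvn_utf8(s + old, l, UTF);
+last_chrs = UTF ? utf8_length((U8*)(s + old),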
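Review bot: The patch header identifies its origin only by the bare hash 5e7f119eb2bb1181be908701f22bf7068e722f1c without naming the repository, which makes the backport hard to audit against upstream; qualify it on the first line, presumably `based on upstream perl commit 5e7f119eb2bb1181be908701f22bf7068e722f1c (t/re/pat_psycho.t hunks dropped: they do not apply cleanly)`. Because the regression test is left out, nothing in the build exercises the new `FAIL("Regexp out of space")` branch, so the header should also state that the test is expected to be restored on the next perl update. The guard itself reads correctly: `l > 0` rules out the division by zero and the `||` keeps `mincount * (SSize_t)l` from being evaluated when the quotient check has already fired. Perl_study_chunk's body continues outside the hunk.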


@@ -36,6 +36,8 @@ let
commonPatches = [
# Do not look in /usr etc. for dependencies.
./no-sys-dirs.patch
./CVE-2026-8376.patch
]
# Fix build on Solaris on x86_64
@@ -79,6 +81,61 @@ let
# Some more details: https://arsv.github.io/perl-cross/modules.html
++ lib.optional crossCompiling ./cross.patch;
# Inject fixed CPAN releases for bundled dual-life distributions until the
# next perl maintenance release includes them.
vendoredPerlDistributions = [
{
# CVE-2026-7010
path = "cpan/HTTP-Tiny";
src = fetchurl {
url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz";
hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M=";
};
}
{
# CVE-2026-3381, CVE-2026-4176
path = "cpan/Compress-Raw-Zlib";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz";
hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg=";
};
}
{
# Runtime dependency of IO-Compress 2.220.
path = "cpan/Compress-Raw-Bzip2";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz";
hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g=";
};
}
{
# CVE-2026-48962, CVE-2026-48961, CVE-2026-48959
path = "cpan/IO-Compress";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz";
hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic=";
};
}
{
# CVE-2026-42496, CVE-2026-42497, CVE-2026-9538
path = "cpan/Archive-Tar";
src = fetchurl {
url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz";
hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw=";
};
}
];
replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: ''
rm -rf ${d.path}
mkdir -p ${d.path}
tar --strip-components=1 -C ${d.path} -xf ${d.src}
# Remove executable bits to make t/porting/exec-bit.t happy.
find ${d.path} -type f -exec chmod a-x {} +
'') vendoredPerlDistributions;
libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr";
libcInc = lib.getDev libc;
libcLib = lib.getLib libc;
@@ -136,10 +193,10 @@ stdenv.mkDerivation (
--replace "/bin/pwd" "$(type -P pwd)"
''
)
+
# Perl's build system uses the src variable, and its value may end up in
# the output in some cases (when cross-compiling)
''
+ replaceVendoredPerlDistributions
+ ''
# Perl's build system uses the src variable, and its value may end up in
# the output in some cases (when cross-compiling).
unset src
'';
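Review bot: In the `replaceVendoredPerlDistributions` script (hunk at @@ -79,6 +81,61 @@), `rm -rf ${d.path}` followed by `mkdir -p ${d.path}` never checks that the directory existed in the unpacked perl source, so a typo in `path` or a bundled distribution that moves in a later perl release would silently add an untracked tree instead of failing the build. A one-line guard before the removal makes the mismatch loud: `test -d ${d.path} || { echo "vendored dist path ${d.path} not found" >&2; exit 1; }`. Since the script is generated once per element of `vendoredPerlDistributions`, the guard covers every entry. The enclosing `let` block starts before the hunk.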