
(perl #133250) backport CVE-2018-12015 fix

tonycoz committed Sep 20, 2018
1 parent ec1caca commit d0130b8d46dabdeb571fff8bbc3a791f4ea1f28c
Showing with 18 additions and 1 deletion.
  1. +1 −0 Porting/Maintainers.pl
  2. +16 −1 cpan/Archive-Tar/lib/Archive/Tar.pm
  3. +1 −0 t/porting/customized.dat
@@ -126,6 +126,7 @@ package Maintainers;
'EXCLUDED' => [
qw(t/07_ptardiff.t),
],
'CUSTOMIZED' => [ qw(lib/Archive/Tar.pm) ], # CVE-2018-12015
},
'Attribute::Handlers' => {
@@ -31,7 +31,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
$DEBUG = 0;
$WARN = 1;
$FOLLOW_SYMLINK = 0;
$VERSION = "2.24";
$VERSION = "2.24_01";
$CHOWN = 1;
$CHMOD = 1;
$SAME_PERMISSIONS = $> == 0 ? 1 : 0;
@@ -845,6 +845,21 @@ sub _extract_file {
return;
}
### If a file system already contains a block device with the same name as
### the being extracted regular file, we would write the file's content
### to the block device. So remove the existing file (block device) now.
### If an archive contains multiple same-named entries, the last one
### should replace the previous ones. So remove the old file now.
### If the old entry is a symlink to a file outside of the CWD, the new
### entry would create a file there. This is CVE-2018-12015
### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
if (-l $full || -e _) {
if (!unlink $full) {
$self->_error( qq[Could not remove old file '$full': $!] );
return;
}
}
if( length $entry->type && $entry->is_file ) {
my $fh = IO::File->new;
$fh->open( '>' . $full ) or (
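Review bot: The new `-l $full || -e _` test and `unlink` are a separate step from the `$fh->open( '>' . $full )` that follows, and that open will still follow a symlink if one is present at `$full` when it runs. For an archive that carries its own symlink entry the unlink is sufficient, but when extracting into a directory that another local user can write to, the path could presumably be recreated between the two calls. Opening with exclusive-create flags would make the open itself refuse an existing path, e.g. `$fh->open( $full, O_WRONLY|O_CREAT|O_EXCL ) or (` (IO::File exports the Fcntl constants), which also avoids concatenating the mode character onto the file name. `_extract_file` starts before this hunk and the `if` block opened at the `$entry->is_file` test continues past it, so the error branch is not visible here. The three files in this commit do not include a regression test for the symlink-then-file case.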
@@ -1,3 +1,4 @@
Archive::Tar cpan/Archive-Tar/lib/Archive/Tar.pm e93f3f352b4820b3ccdc1f06cb82b2102fe1de3b
Digest cpan/Digest/Digest.pm 43f7f544cb11842b2f55c73e28930da50774e081
Encode cpan/Encode/Unicode/Unicode.pm 9749692c67f7d69083034de9184a93f070ab4799
ExtUtils::Constant cpan/ExtUtils-Constant/t/Constant.t a0369c919e216fb02767a637666bb4577ad79b02
