[MEDIUM] Patch for perl CVE-2025-40909 #13964
Conversation
Buddy build. Patch matches with upstream reference. Will trigger toolchain build? --> Toolchain builds fine. Do we need to trigger full build for Perl packages?
@kgodara912 "Do we need to trigger full build for Perl packages?", if this question is for me, my answer is, Sorry, I don't know.
No @aninda-al, the question is not for you. Please wait for 2 days, I will trigger a full build as currently there are some build issues which are being debugged.
@kgodara912 Is this the right link to the build? It points to a different package.
The link is correct @aninda-al, you might have only seen title of run which is title of last commit in pipeline itself. Full build has no additional failures, LGTM.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- (… *-static subpackages, etc.) have had their Release tag incremented.
- cgmanifest files (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- license files (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
Address CVE-2025-40909
Upstream Patch link: https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
Patch link mentioned in astrolabe and https://security-tracker.debian.org/tracker/CVE-2025-40909
The original patch did not apply cleanly, so I had to apply the patch manually, but all 12 files were found.
Change Log
Does this affect the toolchain?
YES
Associated issues
Links to CVEs
Test Methodology