[Buildroot] [PATCH] perl: add upstream security fix for CVE-2018-12015

Thomas Petazzoni thomas.petazzoni at bootlin.com
Wed Jun 13 20:52:21 UTC 2018


Hello,

On Tue, 12 Jun 2018 17:21:30 +0200, Peter Korsgaard wrote:
> Fixes CVE-2018-12015 - In Perl through 5.26.2, the Archive::Tar module
> allows remote attackers to bypass a directory-traversal protection
> mechanism, and overwrite arbitrary files, via an archive file containing a
> symlink and a regular file with the same name.
> 
> Patch from
> https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
> with path rewritten to match perl tarball.
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  ...ve-existing-files-before-overwriting-them.patch | 46 ++++++++++++++++++++++
>  1 file changed, 46 insertions(+)
>  create mode 100644 package/perl/0001-PATCH-Remove-existing-files-before-overwriting-them.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
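
An added example, not part of the original message or of the Perl patch: a Python scanner that flags the archive layout named in the CVE text quoted above, a symlink member followed by a regular file with the same name, without extracting anything. It uses Python's standard `tarfile` module rather than Archive::Tar; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def find_link_collisions(fileobj):
    """Return (name, link_target) for each regular file that reuses the
    name of a symlink member seen earlier in the same archive."""
    links = {}      # normalised member name -> symlink target
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Normalise so "./notes.txt" and "notes.txt" compare equal.
            name = posixpath.normpath(member.name)
            if member.issym():
                links[name] = member.linkname
            elif member.isfile() and name in links:
                # An extractor that writes this file without first removing
                # the existing entry would write through the symlink.
                findings.append((name, links[name]))
    return findings


def build_sample(collide):
    """Constructed sample archive, built in memory (assumption: names and
    contents are made up; nothing is written to disk or extracted)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("notes.txt")
        link.type = tarfile.SYMTYPE
        link.linkname = "elsewhere/notes.txt"
        tar.addfile(link)
        data = b"constructed content\n"
        reg = tarfile.TarInfo("notes.txt" if collide else "readme.txt")
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for collide in (True, False):
        print(collide, find_link_collisions(build_sample(collide)))
```

A non-empty result means the archive should be rejected or unpacked only with an extractor that removes existing entries before writing, which is what the patch title describes.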


