From 1a6f934b5265f20451819cfb89217283da4bc41f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 28 Jul 2025 02:46:00 +0000 Subject: [PATCH] import UBI perl-5.32.1-481.1.el9_6 --- ...0909-Clone-dirhandles-without-fchdir.patch | 381 ++++++++++++++++++ ...cloexec-in-Perl_dirp_dup-to-set-O_CL.patch | 27 ++ SPECS/perl.spec | 14 +- 3 files changed, 421 insertions(+), 1 deletion(-) create mode 100644 SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch create mode 100644 SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch diff --git a/SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch b/SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch new file mode 100644 index 0000000..81dee04 --- /dev/null +++ b/SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch @@ -0,0 +1,381 @@ +Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir + +This uses fdopendir and dup to dirhandles. This means it won't change +working directory during thread cloning, which prevents race conditions +that can happen if a third thread is active at the same time. + +Backport commit 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 + +diff -up perl-5.32.1/Configure.cve perl-5.32.1/Configure +--- perl-5.32.1/Configure.cve 2025-06-12 15:18:13.366791277 +0200 ++++ perl-5.32.1/Configure 2025-06-12 15:20:54.387096470 +0200 +@@ -475,6 +475,7 @@ d_fd_set='' + d_fds_bits='' + d_fdclose='' + d_fdim='' ++d_fdopendir='' + d_fegetround='' + d_fgetpos='' + d_finite='' +@@ -13241,6 +13242,10 @@ esac + set i_fcntl + eval $setvar + ++: see if fdopendir exists ++set fdopendir d_fdopendir ++eval $inlibc ++ + : see if fork exists + set fork d_fork + eval $inlibc +@@ -24198,6 +24203,7 @@ d_flockproto='$d_flockproto' + d_fma='$d_fma' + d_fmax='$d_fmax' + d_fmin='$d_fmin' ++d_fdopendir='$d_fdopendir' + d_fork='$d_fork' + d_fp_class='$d_fp_class' + d_fp_classify='$d_fp_classify' +diff -up perl-5.32.1/Cross/config.sh-arm-linux.cve perl-5.32.1/Cross/config.sh-arm-linux +--- perl-5.32.1/Cross/config.sh-arm-linux.cve 2025-06-12 15:18:13.606796218 +0200 ++++ perl-5.32.1/Cross/config.sh-arm-linux 2025-06-12 15:27:33.358714520 +0200 +@@ -211,6 +211,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='define' + d_fgetpos='define' +diff -up perl-5.32.1/Cross/config.sh-arm-linux-n770.cve perl-5.32.1/Cross/config.sh-arm-linux-n770 +--- perl-5.32.1/Cross/config.sh-arm-linux-n770.cve 2025-06-12 15:18:13.607831916 +0200 ++++ perl-5.32.1/Cross/config.sh-arm-linux-n770 2025-06-12 15:28:08.455410574 +0200 +@@ -210,6 +210,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='define' + d_fgetpos='define' +diff -up perl-5.32.1/Porting/Glossary.cve perl-5.32.1/Porting/Glossary +--- perl-5.32.1/Porting/Glossary.cve 2020-12-18 11:04:35.000000000 +0100 ++++ perl-5.32.1/Porting/Glossary 2025-06-12 15:18:13.608796260 +0200 +@@ -924,6 +924,11 @@ d_fmin (d_fmin.U): + This variable conditionally defines the HAS_FMIN symbol, which + indicates to the C program that the fmin() routine is available. + ++d_fdopendir (d_fdopendir.U): ++ This variable conditionally defines the HAS_FORK symbol, which ++ indicates that the fdopen routine is available to open a ++ directory descriptor. ++ + d_fork (d_fork.U): + This variable conditionally defines the HAS_FORK symbol, which + indicates to the C program that the fork() routine is available. +diff -up perl-5.32.1/Porting/config.sh.cve perl-5.32.1/Porting/config.sh +--- perl-5.32.1/Porting/config.sh.cve 2025-06-12 15:18:13.609577374 +0200 ++++ perl-5.32.1/Porting/config.sh 2025-06-12 15:29:08.146187860 +0200 +@@ -224,6 +224,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='define' ++d_fdopendir='define' + d_fds_bits='undef' + d_fegetround='define' + d_fgetpos='define' +diff -up perl-5.32.1/config_h.SH.cve perl-5.32.1/config_h.SH +--- perl-5.32.1/config_h.SH.cve 2020-12-18 11:04:35.000000000 +0100 ++++ perl-5.32.1/config_h.SH 2025-06-12 15:18:13.610137533 +0200 +@@ -142,6 +142,12 @@ sed <$CONFIG_H -e 's!^#und + */ + #$d_fcntl HAS_FCNTL /**/ + ++/* HAS_FDOPENDIR: ++ * This symbol, if defined, indicates that the fdopen routine is ++ * available to open a directory descriptor. ++ */ ++#$d_fdopendir HAS_FDOPENDIR /**/ ++ + /* HAS_FGETPOS: + * This symbol, if defined, indicates that the fgetpos routine is + * available to get the file position indicator, similar to ftell(). +diff -up perl-5.32.1/configure.com.cve perl-5.32.1/configure.com +--- perl-5.32.1/configure.com.cve 2025-06-12 15:18:13.611119869 +0200 ++++ perl-5.32.1/configure.com 2025-06-12 15:29:59.751443189 +0200 +@@ -6221,6 +6221,7 @@ $ WC "d_fd_set='" + d_fd_set + "'" + $ WC "d_fd_macros='define'" + $ WC "d_fdclose='undef'" + $ WC "d_fdim='" + d_fdim + "'" ++$ WC "d_fdopendir='undef'" + $ WC "d_fds_bits='define'" + $ WC "d_fegetround='undef'" + $ WC "d_fgetpos='define'" +diff -up perl-5.32.1/plan9/config_sh.sample.cve perl-5.32.1/plan9/config_sh.sample +--- perl-5.32.1/plan9/config_sh.sample.cve 2025-06-12 15:18:13.611894290 +0200 ++++ perl-5.32.1/plan9/config_sh.sample 2025-06-12 15:30:33.729918831 +0200 +@@ -211,6 +211,7 @@ d_fd_macros='undef' + d_fd_set='undef' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='undef' + d_fgetpos='define' +diff -up perl-5.32.1/sv.c.cve perl-5.32.1/sv.c +--- perl-5.32.1/sv.c.cve 2025-06-12 15:18:13.455793109 +0200 ++++ perl-5.32.1/sv.c 2025-06-12 15:50:45.130375604 +0200 +@@ -13652,15 +13652,6 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE + { + DIR *ret; + +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR) +- DIR *pwd; +- const Direntry_t *dirent; +- char smallbuf[256]; /* XXX MAXPATHLEN, surely? */ +- char *name = NULL; +- STRLEN len = 0; +- long pos; +-#endif +- + PERL_UNUSED_CONTEXT; + PERL_ARGS_ASSERT_DIRP_DUP; + +@@ -13672,89 +13663,13 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE + if (ret) + return ret; + +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR) ++#ifdef HAS_FDOPENDIR + + PERL_UNUSED_ARG(param); + +- /* create anew */ +- +- /* open the current directory (so we can switch back) */ +- if (!(pwd = PerlDir_open("."))) return (DIR *)NULL; +- +- /* chdir to our dir handle and open the present working directory */ +- if (fchdir(my_dirfd(dp)) < 0 || !(ret = PerlDir_open("."))) { +- PerlDir_close(pwd); +- return (DIR *)NULL; +- } +- /* Now we should have two dir handles pointing to the same dir. */ +- +- /* Be nice to the calling code and chdir back to where we were. */ +- /* XXX If this fails, then what? */ +- PERL_UNUSED_RESULT(fchdir(my_dirfd(pwd))); +- +- /* We have no need of the pwd handle any more. */ +- PerlDir_close(pwd); +- +-#ifdef DIRNAMLEN +-# define d_namlen(d) (d)->d_namlen +-#else +-# define d_namlen(d) strlen((d)->d_name) +-#endif +- /* Iterate once through dp, to get the file name at the current posi- +- tion. Then step back. */ +- pos = PerlDir_tell(dp); +- if ((dirent = PerlDir_read(dp))) { +- len = d_namlen(dirent); +- if (len > sizeof(dirent->d_name) && sizeof(dirent->d_name) > PTRSIZE) { +- /* If the len is somehow magically longer than the +- * maximum length of the directory entry, even though +- * we could fit it in a buffer, we could not copy it +- * from the dirent. Bail out. */ +- PerlDir_close(ret); +- return (DIR*)NULL; +- } +- if (len <= sizeof smallbuf) name = smallbuf; +- else Newx(name, len, char); +- Move(dirent->d_name, name, len, char); +- } +- PerlDir_seek(dp, pos); +- +- /* Iterate through the new dir handle, till we find a file with the +- right name. */ +- if (!dirent) /* just before the end */ +- for(;;) { +- pos = PerlDir_tell(ret); +- if (PerlDir_read(ret)) continue; /* not there yet */ +- PerlDir_seek(ret, pos); /* step back */ +- break; +- } +- else { +- const long pos0 = PerlDir_tell(ret); +- for(;;) { +- pos = PerlDir_tell(ret); +- if ((dirent = PerlDir_read(ret))) { +- if (len == (STRLEN)d_namlen(dirent) +- && memEQ(name, dirent->d_name, len)) { +- /* found it */ +- PerlDir_seek(ret, pos); /* step back */ +- break; +- } +- /* else we are not there yet; keep iterating */ +- } +- else { /* This is not meant to happen. The best we can do is +- reset the iterator to the beginning. */ +- PerlDir_seek(ret, pos0); +- break; +- } +- } +- } +-#undef d_namlen +- +- if (name && name != smallbuf) +- Safefree(name); +-#endif ++ ret = fdopendir(dup(my_dirfd(dp))); + +-#ifdef WIN32 ++#elif defined(WIN32) + ret = win32_dirp_dup(dp, param); + #endif + +diff -up perl-5.32.1/t/op/threads-dirh.t.cve perl-5.32.1/t/op/threads-dirh.t +--- perl-5.32.1/t/op/threads-dirh.t.cve 2020-12-18 10:58:59.000000000 +0100 ++++ perl-5.32.1/t/op/threads-dirh.t 2025-06-12 15:18:13.613888598 +0200 +@@ -13,16 +13,12 @@ BEGIN { + skip_all_if_miniperl("no dynamic loading on miniperl, no threads"); + skip_all("runs out of memory on some EBCDIC") if $ENV{PERL_SKIP_BIG_MEM_TESTS}; + +- plan(6); ++ plan(1); + } + + use strict; + use warnings; + use threads; +-use threads::shared; +-use File::Path; +-use File::Spec::Functions qw 'updir catdir'; +-use Cwd 'getcwd'; + + # Basic sanity check: make sure this does not crash + fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh'; +@@ -31,101 +27,3 @@ fresh_perl_is <<'# this is no comment', + async{}->join for 1..2; + print "ok"; + # this is no comment +- +-my $dir; +-SKIP: { +- skip "telldir or seekdir not defined on this platform", 5 +- if !$Config::Config{d_telldir} || !$Config::Config{d_seekdir}; +- my $skip = sub { +- chdir($dir); +- chdir updir; +- skip $_[0], 5 +- }; +- +- if(!$Config::Config{d_fchdir} && $^O ne "MSWin32") { +- $::TODO = 'dir handle cloning currently requires fchdir on non-Windows platforms'; +- } +- +- my @w :shared; # warnings accumulator +- local $SIG{__WARN__} = sub { push @w, $_[0] }; +- +- $dir = catdir getcwd(), "thrext$$" . int rand() * 100000; +- +- rmtree($dir) if -d $dir; +- mkdir($dir); +- +- # Create a dir structure like this: +- # $dir +- # | +- # `- toberead +- # | +- # +---- thrit +- # | +- # +---- rile +- # | +- # `---- zor +- +- chdir($dir); +- mkdir 'toberead'; +- chdir 'toberead'; +- {open my $fh, ">thrit" or &$skip("Cannot create file thrit")} +- {open my $fh, ">rile" or &$skip("Cannot create file rile")} +- {open my $fh, ">zor" or &$skip("Cannot create file zor")} +- chdir updir; +- +- # Then test that dir iterators are cloned correctly. +- +- opendir my $toberead, 'toberead'; +- my $start_pos = telldir $toberead; +- my @first_2 = (scalar readdir $toberead, scalar readdir $toberead); +- my @from_thread = @{; async { [readdir $toberead ] } ->join }; +- my @from_main = readdir $toberead; +- is join('-', sort @from_thread), join('-', sort @from_main), +- 'dir iterator is copied from one thread to another'; +- like +- join('-', "", sort(@first_2, @from_thread), ""), +- qr/(?join, 'undef', +- 'cloned dir iterator that points to the end of the directory' +- ; +- } +- +- # Make sure the cloning code can handle file names longer than 255 chars +- SKIP: { +- chdir 'toberead'; +- open my $fh, +- ">floccipaucinihilopilification-" +- . "pneumonoultramicroscopicsilicovolcanoconiosis-" +- . "lopadotemachoselachogaleokranioleipsanodrimypotrimmatosilphiokarabo" +- . "melitokatakechymenokichlepikossyphophattoperisteralektryonoptokephal" +- . "liokinklopeleiolagoiosiraiobaphetraganopterygon" +- or +- chdir updir, +- skip("OS does not support long file names (and I mean *long*)", 1); +- chdir updir; +- opendir my $dirh, "toberead"; +- my $test_name +- = "dir iterators can be cloned when the next fn > 255 chars"; +- while() { +- my $pos = telldir $dirh; +- my $fn = readdir($dirh); +- if(!defined $fn) { fail($test_name); last SKIP; } +- if($fn =~ 'lagoio') { +- seekdir $dirh, $pos; +- last; +- } +- } +- is length async { scalar readdir $dirh } ->join, 258, $test_name; +- } +- +- is scalar @w, 0, 'no warnings during all that' or diag @w; +- chdir updir; +-} +-rmtree($dir); +diff -up perl-5.32.1/win32/config.gc.cve perl-5.32.1/win32/config.gc +--- perl-5.32.1/win32/config.gc.cve 2025-06-12 15:18:13.613973713 +0200 ++++ perl-5.32.1/win32/config.gc 2025-06-12 15:51:59.231406911 +0200 +@@ -198,6 +198,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='define' + d_fegetround='undef' + d_fgetpos='define' +diff -up perl-5.32.1/win32/config.vc.cve perl-5.32.1/win32/config.vc +--- perl-5.32.1/win32/config.vc.cve 2025-06-12 15:18:13.614094010 +0200 ++++ perl-5.32.1/win32/config.vc 2025-06-12 15:52:27.690228864 +0200 +@@ -198,6 +198,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='define' + d_fegetround='undef' + d_fgetpos='define' diff --git a/SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch b/SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch new file mode 100644 index 0000000..e72206b --- /dev/null +++ b/SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch @@ -0,0 +1,27 @@ +From 3de37537d6d4f0321645973790ecc9805266501f Mon Sep 17 00:00:00 2001 +From: Leon Timmermans +Date: Mon, 9 Jun 2025 23:05:39 +0200 +Subject: [PATCH] Use PerlLIO_dup_cloexec in Perl_dirp_dup to set O_CLOEXEC + +dup doesn't mark the new descriptor as close-on-exec, which can lead to +a descriptor leaking to the new process. +--- + sv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sv.c b/sv.c +index 8a005b2d16..06d6a84211 100644 +--- a/sv.c ++++ b/sv.c +@@ -14111,7 +14111,7 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param) + + PERL_UNUSED_ARG(param); + +- ret = fdopendir(dup(my_dirfd(dp))); ++ ret = fdopendir(PerlLIO_dup_cloexec(my_dirfd(dp))); + + #elif defined(WIN32) + ret = win32_dirp_dup(dp, param); +-- +2.50.0 + diff --git a/SPECS/perl.spec b/SPECS/perl.spec index a201595..cdd2f37 100644 --- a/SPECS/perl.spec +++ b/SPECS/perl.spec @@ -100,7 +100,7 @@ License: GPL+ or Artistic Epoch: %{perl_epoch} Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 481%{?dist} +Release: 481.1%{?dist} Summary: Practical Extraction and Report Language Url: https://www.perl.org/ Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz @@ -284,6 +284,10 @@ Patch58: perl-5.33.8-Fix-broken-left-shift-of-IV_MIN-under-use-integer.pa # CVE-2023-47038 Patch59: perl-5.32.1-CVE-2023-47038.patch +# Fix CVE-2025-40909 - Fixed in upstream since 5.42.0 +Patch60: perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch +Patch61: perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -4348,6 +4352,8 @@ you're not running VMS, this module does nothing. %patch57 -p1 %patch58 -p1 %patch59 -p1 +%patch60 -p1 +%patch61 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 @@ -4407,6 +4413,7 @@ perl -x patchlevel.h \ 'Fedora Patch57: Fix dumping a hash entry of PL_strtab type' \ 'Fedora Patch58: Fix an arithmetic left shift of a minimal integer value (GH#18639)' \ 'RHEL Patch59: Fix write past buffer end via illegal user-defined Unicode property (CVE-2023-47038)' \ + 'RHEL Patch60: Fix CVE-2025-40909' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch202: Add definition of OPTIMIZE to .ph files (bug #2159759)' \ @@ -5359,6 +5366,8 @@ rm %{buildroot}%{_mandir}/man3/version::Internals.3* %check %if %{with test} %{new_perl} -I/lib regen/lib_cleanup.pl +%{new_perl} -Ilib Porting/checkcfgvar.pl --regen --default=undef +%{new_perl} -Ilib regen/uconfig_h.pl pushd t %{new_perl} -I../lib porting/customized.t --regen popd @@ -7182,6 +7191,9 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Thu Jul 03 2025 Jitka Plesnikova - 4:5.32.1-481.1 +- Fixes: CVE-2025-40909 - Clone dirhandles without fchdir + * Mon Nov 27 2023 Jitka Plesnikova - 4:5.32.1-481 - Fixes: CVE-2023-47038