import UBI perl-5.32.1-481.1.el9_6

2025-07-28 02:46:00 +00:00 · 2025-07-28 02:46:00 +00:00 · 1a6f934b52
commit 1a6f934b52
parent c31360de6c
3 changed files with 421 additions and 1 deletions
--- a/SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch
+++ b/SOURCES/perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch
@ -0,0 +1,381 @@
 Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir
 This uses fdopendir and dup to dirhandles. This means it won't change
 working directory during thread cloning, which prevents race conditions
 that can happen if a third thread is active at the same time.
 Backport commit 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9
 diff -up perl-5.32.1/Configure.cve perl-5.32.1/Configure
 --- perl-5.32.1/Configure.cve	2025-06-12 15:18:13.366791277 +0200
 +++ perl-5.32.1/Configure	2025-06-12 15:20:54.387096470 +0200
@@ -475,6 +475,7 @@ d_fd_set=''
 d_fds_bits=''
 d_fdclose=''
 d_fdim=''
 +d_fdopendir=''
 d_fegetround=''
 d_fgetpos=''
 d_finite=''
@@ -13241,6 +13242,10 @@ esac
 set i_fcntl
 eval $setvar
 +: see if fdopendir exists
 +set fdopendir d_fdopendir
 +eval $inlibc
 +
 : see if fork exists
 set fork d_fork
 eval $inlibc
@@ -24198,6 +24203,7 @@ d_flockproto='$d_flockproto'
 d_fma='$d_fma'
 d_fmax='$d_fmax'
 d_fmin='$d_fmin'
 +d_fdopendir='$d_fdopendir'
 d_fork='$d_fork'
 d_fp_class='$d_fp_class'
 d_fp_classify='$d_fp_classify'
 diff -up perl-5.32.1/Cross/config.sh-arm-linux.cve perl-5.32.1/Cross/config.sh-arm-linux
 --- perl-5.32.1/Cross/config.sh-arm-linux.cve	2025-06-12 15:18:13.606796218 +0200
 +++ perl-5.32.1/Cross/config.sh-arm-linux	2025-06-12 15:27:33.358714520 +0200
@@ -211,6 +211,7 @@ d_fd_macros='define'
 d_fd_set='define'
 d_fdclose='undef'
 d_fdim='undef'
 +d_fdopendir=undef
 d_fds_bits='undef'
 d_fegetround='define'
 d_fgetpos='define'
 diff -up perl-5.32.1/Cross/config.sh-arm-linux-n770.cve perl-5.32.1/Cross/config.sh-arm-linux-n770
 --- perl-5.32.1/Cross/config.sh-arm-linux-n770.cve	2025-06-12 15:18:13.607831916 +0200
 +++ perl-5.32.1/Cross/config.sh-arm-linux-n770	2025-06-12 15:28:08.455410574 +0200
@@ -210,6 +210,7 @@ d_fd_macros='define'
 d_fd_set='define'
 d_fdclose='undef'
 d_fdim='undef'
 +d_fdopendir=undef
 d_fds_bits='undef'
 d_fegetround='define'
 d_fgetpos='define'
 diff -up perl-5.32.1/Porting/Glossary.cve perl-5.32.1/Porting/Glossary
 --- perl-5.32.1/Porting/Glossary.cve	2020-12-18 11:04:35.000000000 +0100
 +++ perl-5.32.1/Porting/Glossary	2025-06-12 15:18:13.608796260 +0200
@@ -924,6 +924,11 @@ d_fmin (d_fmin.U):
 	This variable conditionally defines the HAS_FMIN symbol, which
 	indicates to the C program that the fmin() routine is available.
 +d_fdopendir (d_fdopendir.U):
 +	This variable conditionally defines the HAS_FORK symbol, which
 +	indicates that the fdopen routine is available to open a
 +	directory descriptor.
 +
 d_fork (d_fork.U):
 	This variable conditionally defines the HAS_FORK symbol, which
 	indicates to the C program that the fork() routine is available.
 diff -up perl-5.32.1/Porting/config.sh.cve perl-5.32.1/Porting/config.sh
 --- perl-5.32.1/Porting/config.sh.cve	2025-06-12 15:18:13.609577374 +0200
 +++ perl-5.32.1/Porting/config.sh	2025-06-12 15:29:08.146187860 +0200
@@ -224,6 +224,7 @@ d_fd_macros='define'
 d_fd_set='define'
 d_fdclose='undef'
 d_fdim='define'
 +d_fdopendir='define'
 d_fds_bits='undef'
 d_fegetround='define'
 d_fgetpos='define'
 diff -up perl-5.32.1/config_h.SH.cve perl-5.32.1/config_h.SH
 --- perl-5.32.1/config_h.SH.cve	2020-12-18 11:04:35.000000000 +0100
 +++ perl-5.32.1/config_h.SH	2025-06-12 15:18:13.610137533 +0200
@@ -142,6 +142,12 @@ sed <<!GROK!THIS! >$CONFIG_H -e 's!^#und
  */
 #$d_fcntl HAS_FCNTL		/**/
 +/* HAS_FDOPENDIR:
 + * This symbol, if defined, indicates that the fdopen routine is
 + * available to open a directory descriptor.
 + */
 +#$d_fdopendir HAS_FDOPENDIR		/**/
 +
 /* HAS_FGETPOS:
  *	This symbol, if defined, indicates that the fgetpos routine is
  *	available to get the file position indicator, similar to ftell().
 diff -up perl-5.32.1/configure.com.cve perl-5.32.1/configure.com
 --- perl-5.32.1/configure.com.cve	2025-06-12 15:18:13.611119869 +0200
 +++ perl-5.32.1/configure.com	2025-06-12 15:29:59.751443189 +0200
@@ -6221,6 +6221,7 @@ $ WC "d_fd_set='" + d_fd_set + "'"
 $ WC "d_fd_macros='define'"
 $ WC "d_fdclose='undef'"
 $ WC "d_fdim='" + d_fdim + "'"
 +$ WC "d_fdopendir='undef'"
 $ WC "d_fds_bits='define'"
 $ WC "d_fegetround='undef'"
 $ WC "d_fgetpos='define'"
 diff -up perl-5.32.1/plan9/config_sh.sample.cve perl-5.32.1/plan9/config_sh.sample
 --- perl-5.32.1/plan9/config_sh.sample.cve	2025-06-12 15:18:13.611894290 +0200
 +++ perl-5.32.1/plan9/config_sh.sample	2025-06-12 15:30:33.729918831 +0200
@@ -211,6 +211,7 @@ d_fd_macros='undef'
 d_fd_set='undef'
 d_fdclose='undef'
 d_fdim='undef'
 +d_fdopendir=undef
 d_fds_bits='undef'
 d_fegetround='undef'
 d_fgetpos='define'
 diff -up perl-5.32.1/sv.c.cve perl-5.32.1/sv.c
 --- perl-5.32.1/sv.c.cve	2025-06-12 15:18:13.455793109 +0200
 +++ perl-5.32.1/sv.c	2025-06-12 15:50:45.130375604 +0200
@@ -13652,15 +13652,6 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE
 {
     DIR *ret;
 -#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
 -    DIR *pwd;
 -    const Direntry_t *dirent;
 -    char smallbuf[256]; /* XXX MAXPATHLEN, surely? */
 -    char *name = NULL;
 -    STRLEN len = 0;
 -    long pos;
 -#endif
 -
     PERL_UNUSED_CONTEXT;
     PERL_ARGS_ASSERT_DIRP_DUP;
@@ -13672,89 +13663,13 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE
     if (ret)
 	return ret;
 -#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
 +#ifdef HAS_FDOPENDIR
     PERL_UNUSED_ARG(param);
 -    /* create anew */
 -
 -    /* open the current directory (so we can switch back) */
 -    if (!(pwd = PerlDir_open("."))) return (DIR *)NULL;
 -
 -    /* chdir to our dir handle and open the present working directory */
 -    if (fchdir(my_dirfd(dp)) < 0 || !(ret = PerlDir_open("."))) {
 -	PerlDir_close(pwd);
 -	return (DIR *)NULL;
 -    }
 -    /* Now we should have two dir handles pointing to the same dir. */
 -
 -    /* Be nice to the calling code and chdir back to where we were. */
 -    /* XXX If this fails, then what? */
 -    PERL_UNUSED_RESULT(fchdir(my_dirfd(pwd)));
 -
 -    /* We have no need of the pwd handle any more. */
 -    PerlDir_close(pwd);
 -
 -#ifdef DIRNAMLEN
 -# define d_namlen(d) (d)->d_namlen
 -#else
 -# define d_namlen(d) strlen((d)->d_name)
 -#endif
 -    /* Iterate once through dp, to get the file name at the current posi-
 -       tion. Then step back. */
 -    pos = PerlDir_tell(dp);
 -    if ((dirent = PerlDir_read(dp))) {
 -	len = d_namlen(dirent);
 -        if (len > sizeof(dirent->d_name) && sizeof(dirent->d_name) > PTRSIZE) {
 -            /* If the len is somehow magically longer than the
 -             * maximum length of the directory entry, even though
 -             * we could fit it in a buffer, we could not copy it
 -             * from the dirent.  Bail out. */
 -            PerlDir_close(ret);
 -            return (DIR*)NULL;
 -        }
 -	if (len <= sizeof smallbuf) name = smallbuf;
 -	else Newx(name, len, char);
 -	Move(dirent->d_name, name, len, char);
 -    }
 -    PerlDir_seek(dp, pos);
 -
 -    /* Iterate through the new dir handle, till we find a file with the
 -       right name. */
 -    if (!dirent) /* just before the end */
 -	for(;;) {
 -	    pos = PerlDir_tell(ret);
 -	    if (PerlDir_read(ret)) continue; /* not there yet */
 -	    PerlDir_seek(ret, pos); /* step back */
 -	    break;
 -	}
 -    else {
 -	const long pos0 = PerlDir_tell(ret);
 -	for(;;) {
 -	    pos = PerlDir_tell(ret);
 -	    if ((dirent = PerlDir_read(ret))) {
 -		if (len == (STRLEN)d_namlen(dirent)
 -                    && memEQ(name, dirent->d_name, len)) {
 -		    /* found it */
 -		    PerlDir_seek(ret, pos); /* step back */
 -		    break;
 -		}
 -		/* else we are not there yet; keep iterating */
 -	    }
 -	    else { /* This is not meant to happen. The best we can do is
 -	              reset the iterator to the beginning. */
 -		PerlDir_seek(ret, pos0);
 -		break;
 -	    }
 -	}
 -    }
 -#undef d_namlen
 -
 -    if (name && name != smallbuf)
 -	Safefree(name);
 -#endif
 +    ret = fdopendir(dup(my_dirfd(dp)));
 -#ifdef WIN32
 +#elif defined(WIN32)
     ret = win32_dirp_dup(dp, param);
 #endif
 diff -up perl-5.32.1/t/op/threads-dirh.t.cve perl-5.32.1/t/op/threads-dirh.t
 --- perl-5.32.1/t/op/threads-dirh.t.cve	2020-12-18 10:58:59.000000000 +0100
 +++ perl-5.32.1/t/op/threads-dirh.t	2025-06-12 15:18:13.613888598 +0200
@@ -13,16 +13,12 @@ BEGIN {
      skip_all_if_miniperl("no dynamic loading on miniperl, no threads");
      skip_all("runs out of memory on some EBCDIC") if $ENV{PERL_SKIP_BIG_MEM_TESTS};
 -     plan(6);
 +     plan(1);
 }
 use strict;
 use warnings;
 use threads;
 -use threads::shared;
 -use File::Path;
 -use File::Spec::Functions qw 'updir catdir';
 -use Cwd 'getcwd';
 # Basic sanity check: make sure this does not crash
 fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh';
@@ -31,101 +27,3 @@ fresh_perl_is <<'# this is no comment',
    async{}->join for 1..2;
    print "ok";
 # this is no comment
 -
 -my $dir;
 -SKIP: {
 - skip "telldir or seekdir not defined on this platform", 5
 -    if !$Config::Config{d_telldir} || !$Config::Config{d_seekdir};
 - my $skip = sub {
 -   chdir($dir);
 -   chdir updir;
 -   skip $_[0], 5
 - };
 -
 - if(!$Config::Config{d_fchdir} && $^O ne "MSWin32") {
 -  $::TODO = 'dir handle cloning currently requires fchdir on non-Windows platforms';
 - }
 -
 - my @w :shared; # warnings accumulator
 - local $SIG{__WARN__} = sub { push @w, $_[0] };
 -
 - $dir = catdir getcwd(), "thrext$$" . int rand() * 100000;
 -
 - rmtree($dir) if -d $dir;
 - mkdir($dir);
 -
 - # Create a dir structure like this:
 - #   $dir
 - #     |
 - #     `- toberead
 - #            |
 - #            +---- thrit
 - #            |
 - #            +---- rile
 - #            |
 - #            `---- zor
 -
 - chdir($dir);
 - mkdir 'toberead';
 - chdir 'toberead';
 - {open my $fh, ">thrit" or &$skip("Cannot create file thrit")}
 - {open my $fh, ">rile" or &$skip("Cannot create file rile")}
 - {open my $fh, ">zor" or &$skip("Cannot create file zor")}
 - chdir updir;
 -
 - # Then test that dir iterators are cloned correctly.
 -
 - opendir my $toberead, 'toberead';
 - my $start_pos = telldir $toberead;
 - my @first_2 = (scalar readdir $toberead, scalar readdir $toberead);
 - my @from_thread = @{; async { [readdir $toberead ] } ->join };
 - my @from_main = readdir $toberead;
 - is join('-', sort @from_thread), join('-', sort @from_main),
 -     'dir iterator is copied from one thread to another';
 - like
 -   join('-', "", sort(@first_2, @from_thread), ""),
 -   qr/(?<!-rile)-rile-thrit-zor-(?!zor-)/i,
 -  'cloned iterator iterates exactly once over everything not already seen';
 -
 - seekdir $toberead, $start_pos;
 - readdir $toberead for 1 .. @first_2+@from_thread;
 - {
 -  local $::TODO; # This always passes when dir handles are not cloned.
 -  is
 -    async { readdir $toberead // 'undef' } ->join, 'undef',
 -   'cloned dir iterator that points to the end of the directory'
 -  ;
 - }
 -
 - # Make sure the cloning code can handle file names longer than 255 chars
 - SKIP: {
 -  chdir 'toberead';
 -  open my $fh,
 -    ">floccipaucinihilopilification-"
 -   . "pneumonoultramicroscopicsilicovolcanoconiosis-"
 -   . "lopadotemachoselachogaleokranioleipsanodrimypotrimmatosilphiokarabo"
 -   . "melitokatakechymenokichlepikossyphophattoperisteralektryonoptokephal"
 -   . "liokinklopeleiolagoiosiraiobaphetraganopterygon"
 -    or
 -     chdir updir,
 -     skip("OS does not support long file names (and I mean *long*)", 1);
 -  chdir updir;
 -  opendir my $dirh, "toberead";
 -  my $test_name
 -    = "dir iterators can be cloned when the next fn > 255 chars";
 -  while() {
 -   my $pos = telldir $dirh;
 -   my $fn = readdir($dirh);
 -   if(!defined $fn) { fail($test_name); last SKIP; }
 -   if($fn =~ 'lagoio') { 
 -    seekdir $dirh, $pos;
 -    last;
 -   }
 -  }
 -  is length async { scalar readdir $dirh } ->join, 258, $test_name;
 - }
 -
 - is scalar @w, 0, 'no warnings during all that' or diag @w;
 - chdir updir;
 -}
 -rmtree($dir);
 diff -up perl-5.32.1/win32/config.gc.cve perl-5.32.1/win32/config.gc
 --- perl-5.32.1/win32/config.gc.cve	2025-06-12 15:18:13.613973713 +0200
 +++ perl-5.32.1/win32/config.gc	2025-06-12 15:51:59.231406911 +0200
@@ -198,6 +198,7 @@ d_fd_macros='define'
 d_fd_set='define'
 d_fdclose='undef'
 d_fdim='undef'
 +d_fdopendir='undef'
 d_fds_bits='define'
 d_fegetround='undef'
 d_fgetpos='define'
 diff -up perl-5.32.1/win32/config.vc.cve perl-5.32.1/win32/config.vc
 --- perl-5.32.1/win32/config.vc.cve	2025-06-12 15:18:13.614094010 +0200
 +++ perl-5.32.1/win32/config.vc	2025-06-12 15:52:27.690228864 +0200
@@ -198,6 +198,7 @@ d_fd_macros='define'
 d_fd_set='define'
 d_fdclose='undef'
 d_fdim='undef'
 +d_fdopendir='undef'
 d_fds_bits='define'
 d_fegetround='undef'
 d_fgetpos='define'
--- a/SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch
+++ b/SOURCES/perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch
@ -0,0 +1,27 @@
 From 3de37537d6d4f0321645973790ecc9805266501f Mon Sep 17 00:00:00 2001
 From: Leon Timmermans <fawaka@gmail.com>
 Date: Mon, 9 Jun 2025 23:05:39 +0200
 Subject: [PATCH] Use PerlLIO_dup_cloexec in Perl_dirp_dup to set O_CLOEXEC
 dup doesn't mark the new descriptor as close-on-exec, which can lead to
 a descriptor leaking to the new process.
 ---
 sv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/sv.c b/sv.c
 index 8a005b2d16..06d6a84211 100644
 --- a/sv.c
 +++ b/sv.c
@@ -14111,7 +14111,7 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param)
     PERL_UNUSED_ARG(param);
 -    ret = fdopendir(dup(my_dirfd(dp)));
 +    ret = fdopendir(PerlLIO_dup_cloexec(my_dirfd(dp)));
 #elif defined(WIN32)
     ret = win32_dirp_dup(dp, param);
 -- 
 2.50.0
--- a/SPECS/perl.spec
+++ b/SPECS/perl.spec
@ -100,7 +100,7 @@ License:        GPL+ or Artistic
 Epoch:          %{perl_epoch}
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        481%{?dist}
+Release:        481.1%{?dist}
 Summary:        Practical Extraction and Report Language
 Url:            https://www.perl.org/
 Source0:        https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz
@ -284,6 +284,10 @@ Patch58:        perl-5.33.8-Fix-broken-left-shift-of-IV_MIN-under-use-integer.pa
 # CVE-2023-47038
 Patch59:        perl-5.32.1-CVE-2023-47038.patch
 # Fix CVE-2025-40909 - Fixed in upstream since 5.42.0
 Patch60:        perl-5.42.0-CVE-2025-40909-Clone-dirhandles-without-fchdir.patch
 Patch61:        perl-5.42.0-Use-PerlLIO_dup_cloexec-in-Perl_dirp_dup-to-set-O_CL.patch
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -4348,6 +4352,8 @@ you're not running VMS, this module does nothing.
 %patch57 -p1
 %patch58 -p1
 %patch59 -p1
 %patch60 -p1
 %patch61 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@ -4407,6 +4413,7 @@ perl -x patchlevel.h \
    'Fedora Patch57: Fix dumping a hash entry of PL_strtab type' \
    'Fedora Patch58: Fix an arithmetic left shift of a minimal integer value (GH#18639)' \
    'RHEL Patch59: Fix write past buffer end via illegal user-defined Unicode property (CVE-2023-47038)' \
    'RHEL Patch60: Fix CVE-2025-40909' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    'Fedora Patch202: Add definition of OPTIMIZE to .ph files (bug #2159759)' \
@ -5359,6 +5366,8 @@ rm %{buildroot}%{_mandir}/man3/version::Internals.3*
 %check
 %if %{with test}
 %{new_perl} -I/lib regen/lib_cleanup.pl
 %{new_perl} -Ilib Porting/checkcfgvar.pl --regen --default=undef
 %{new_perl} -Ilib regen/uconfig_h.pl
 pushd t
 %{new_perl} -I../lib porting/customized.t --regen
 popd
@ -7182,6 +7191,9 @@ popd
 # Old changelog entries are preserved in CVS.
 %changelog
 * Thu Jul 03 2025 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.32.1-481.1
 - Fixes: CVE-2025-40909 - Clone dirhandles without fchdir
 * Mon Nov 27 2023 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.32.1-481
 - Fixes: CVE-2023-47038