public inbox for git-commits@fedoraproject.org
From: Jitka Plesnikova <jplesnik@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/perl-Archive-Tar] f43: Fix CVE-2026-42496 (rhbz#2484320)
Date: Wed, 03 Jun 2026 11:31:43 GMT
Message-ID: <178048630364.1.16890612272693616307.rpms-perl-Archive-Tar-bc874cebf099@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/perl-Archive-Tar
Branch : f43
Commit : bc874cebf0991711bfb425c57adb0e96a6d3665b
Author : Jitka Plesnikova <jplesnik@redhat.com>
Date : 2026-06-03T13:31:32+02:00
Stats : +77/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/perl-Archive-Tar/c/bc874cebf0991711bfb425c57adb0e96a6d3665b?branch=f43
Log:
Fix CVE-2026-42496 (rhbz#2484320)
---
diff --git a/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch b/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
new file mode 100644
index 0000000..cc67179
--- /dev/null
+++ b/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
@@ -0,0 +1,70 @@
+Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
+
+Backported from version 3.08 (commit: 17c8734)
+
+diff -up Archive-Tar-3.04/lib/Archive/Tar.pm.orig Archive-Tar-3.04/lib/Archive/Tar.pm
+--- Archive-Tar-3.04/lib/Archive/Tar.pm.orig 2025-02-25 21:19:34.000000000 +0100
++++ Archive-Tar-3.04/lib/Archive/Tar.pm 2026-06-03 13:06:51.596627121 +0200
+@@ -954,6 +954,19 @@ sub _make_special_file {
+ my $err;
+
+ if( $entry->is_symlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ symlink( $entry->linkname, $file ) or $fail++;
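Review bot: the new secure-mode symlink block (`if( !$INSECURE_EXTRACT_MODE )`) rejects any `..` component without normalising the target, so a relative target such as `sub/../file`, which resolves inside the extraction directory, is refused together with genuinely escaping ones; that is the conservative choice and acceptable, but a short code comment stating it is intentional would save the next maintainer from "fixing" it. The symlink error also omits the offending target, whereas the hardlink branch reports `'$linkname'`; for consistency use `qq[' has absolute target '$linkname'. Not extracting under SECURE EXTRACT MODE]`. Finally, the bare `return;` leaves `_make_special_file` without a value while the surrounding code tracks failures in `$err`; confirm the caller treats an empty return as a failed entry rather than a silent success.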
+@@ -967,6 +980,23 @@ sub _make_special_file {
+ $entry->linkname .q[' failed] if $fail;
+
+ } elsif ( $entry->is_hardlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' has absolute target '$linkname'. Not extracting ] .
++ qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
++ qq[the shared inode.] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' target '$linkname' attempts traversal. Not ] .
++ qq[extracting under SECURE EXTRACT MODE: extraction ] .
++ qq[itself chmods the shared inode.] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ link( $entry->linkname, $file ) or $fail++;
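Review bot: the hardlink branch duplicates the symlink branch's validation verbatim (absolute-path test, `..` component test, `_error` plus `return`), differing only in the message text. Factor both into one helper, for example a hypothetical `_linkname_is_safe($linkname)` that returns the rejection reason, so any later refinement of the check (handling of volume prefixes via `File::Spec->splitpath`, for instance) lands in one place. The hardlink message carries a one-line rationale ('extraction itself chmods the shared inode'); the symlink message would benefit from the same treatment.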
+diff -up Archive-Tar-3.04/t/04_resolved_issues.t.orig Archive-Tar-3.04/t/04_resolved_issues.t
+--- Archive-Tar-3.04/t/04_resolved_issues.t.orig 2025-02-25 21:13:37.000000000 +0100
++++ Archive-Tar-3.04/t/04_resolved_issues.t 2026-06-03 13:04:22.486837206 +0200
+@@ -220,6 +220,7 @@ if ($^O ne 'msys') # symlink tests fail
+ }
+
+ { #use case 1 - in memory extraction
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $t=Archive::Tar->new;
+ $t->read( $archname );
+ my $r = eval{ $t->extract };
+@@ -231,6 +232,7 @@ if ($^O ne 'msys') # symlink tests fail
+
+ { #use case 2 - iter extraction
+ #$DB::single = 2;
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $next=Archive::Tar->iter( $archname, 1 );
+ my $failed = 0;
+ #use Data::Dumper;
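Review bot: both test blocks are switched to `local $Archive::Tar::INSECURE_EXTRACT_MODE=1;` so the existing archive keeps extracting, but nothing in this patch exercises the new default-mode behaviour. Add a test that builds an archive whose symlink and hardlink entries have an absolute target and a `..` target, calls `extract` with the variable left at its default, and asserts that `$t->error` contains 'Not extracting under SECURE EXTRACT MODE' and that no link was created on disk; otherwise a regression in the check would pass the suite unnoticed.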
diff --git a/perl-Archive-Tar.spec b/perl-Archive-Tar.spec
index b290a88..622c765 100644
--- a/perl-Archive-Tar.spec
+++ b/perl-Archive-Tar.spec
@@ -7,13 +7,15 @@
Name: perl-Archive-Tar
Version: 3.04
-Release: 521%{?dist}
+Release: 522%{?dist}
Summary: A module for Perl manipulation of .tar files
License: GPL-1.0-or-later OR Artistic-1.0-Perl
URL: https://metacpan.org/release/Archive-Tar
Source0: https://cpan.metacpan.org/authors/id/B/BI/BINGOS/Archive-Tar-%{version}.tar.gz
# Remove annoying sleep after warnings in the build script
Patch0: Archive-Tar-2.02-Do-not-sleep-in-Makefile.PL.patch
+# Fix CVE-2026-42496
+Patch1: Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
BuildArch: noarch
# Most of the BRS are needed only for tests, compression support at run-time
# is optional soft dependency.
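Review bot: the `Patch1` comment gives only the CVE; add the bug reference and upstream origin as the patch header already does (`# Fix CVE-2026-42496 (rhbz#2484320), backported from 3.08 commit 17c8734`), so the spec alone tells a reader where the fix comes from and that it can be dropped on a rebase to 3.08 or later.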
@@ -107,6 +109,7 @@ with "%{_libexecdir}/%{name}/test".
%prep
%setup -q -n Archive-Tar-%{version}
%patch -P0 -p1
+%patch -P1 -p1
# Help generators to recognize Perl scripts
for F in t/*.t; do
@@ -158,6 +161,9 @@ make test
%{_libexecdir}/%{name}
%changelog
+* Wed Jun 03 2026 Jitka Plesnikova <jplesnik@redhat.com> - 3.04-522
+- Fix CVE-2026-42496 (rhbz#2484320)
+
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.04-521
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild