* [rpms/perl-Archive-Tar] f43: Fix CVE-2026-42496 (rhbz#2484320)
@ 2026-06-03 11:31 Jitka Plesnikova
From: Jitka Plesnikova @ 2026-06-03 11:31 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/perl-Archive-Tar
Branch : f43
Commit : bc874cebf0991711bfb425c57adb0e96a6d3665b
Author : Jitka Plesnikova <jplesnik@redhat.com>
Date : 2026-06-03T13:31:32+02:00
Stats : +77/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/perl-Archive-Tar/c/bc874cebf0991711bfb425c57adb0e96a6d3665b?branch=f43
Log:
Fix CVE-2026-42496 (rhbz#2484320)
---
diff --git a/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch b/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
new file mode 100644
index 0000000..cc67179
--- /dev/null
+++ b/Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
@@ -0,0 +1,70 @@
+Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
+
+Backported from version 3.08 (commit: 17c8734)
+
+diff -up Archive-Tar-3.04/lib/Archive/Tar.pm.orig Archive-Tar-3.04/lib/Archive/Tar.pm
+--- Archive-Tar-3.04/lib/Archive/Tar.pm.orig 2025-02-25 21:19:34.000000000 +0100
++++ Archive-Tar-3.04/lib/Archive/Tar.pm 2026-06-03 13:06:51.596627121 +0200
+@@ -954,6 +954,19 @@ sub _make_special_file {
+ my $err;
+
+ if( $entry->is_symlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Symlink '] . $entry->full_path .
++ qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ symlink( $entry->linkname, $file ) or $fail++;
+@@ -967,6 +980,23 @@ sub _make_special_file {
+ $entry->linkname .q[' failed] if $fail;
+
+ } elsif ( $entry->is_hardlink ) {
++ if( !$INSECURE_EXTRACT_MODE ) {
++ my $linkname = $entry->linkname;
++ if( File::Spec->file_name_is_absolute($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' has absolute target '$linkname'. Not extracting ] .
++ qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
++ qq[the shared inode.] );
++ return;
++ }
++ if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++ $self->_error( qq[Hardlink '] . $entry->full_path .
++ qq[' target '$linkname' attempts traversal. Not ] .
++ qq[extracting under SECURE EXTRACT MODE: extraction ] .
++ qq[itself chmods the shared inode.] );
++ return;
++ }
++ }
+ my $fail;
+ if( ON_UNIX ) {
+ link( $entry->linkname, $file ) or $fail++;
+diff -up Archive-Tar-3.04/t/04_resolved_issues.t.orig Archive-Tar-3.04/t/04_resolved_issues.t
+--- Archive-Tar-3.04/t/04_resolved_issues.t.orig 2025-02-25 21:13:37.000000000 +0100
++++ Archive-Tar-3.04/t/04_resolved_issues.t 2026-06-03 13:04:22.486837206 +0200
+@@ -220,6 +220,7 @@ if ($^O ne 'msys') # symlink tests fail
+ }
+
+ { #use case 1 - in memory extraction
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $t=Archive::Tar->new;
+ $t->read( $archname );
+ my $r = eval{ $t->extract };
+@@ -231,6 +232,7 @@ if ($^O ne 'msys') # symlink tests fail
+
+ { #use case 2 - iter extraction
+ #$DB::single = 2;
++ local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ my $next=Archive::Tar->iter( $archname, 1 );
+ my $failed = 0;
+ #use Data::Dumper;
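Review bot: The symlink rejection message in the new `is_symlink` block omits the offending link target, while the parallel hardlink block reports it; for consistent diagnostics and easier triage of rejected archives, change the two symlink messages to `qq[' has absolute target '$linkname'. Not extracting under SECURE EXTRACT MODE]` and `qq[' target '$linkname' attempts traversal. Not extracting under SECURE EXTRACT MODE]`. The test changes in this backport only set `$Archive::Tar::INSECURE_EXTRACT_MODE=1` so the existing symlink use cases keep passing; no added test asserts that an absolute or `..`-containing linkname is refused in secure mode, unless upstream 17c8734 carries one that was not brought along. Note that `grep { $_ eq '..' }` over `splitdir` rejects any `..` component, including targets such as `a/../b` that would stay inside the tree, which is presumably intentional as the conservative choice. `_make_special_file` begins and ends outside the hunk, so whether the caller treats the early `return;` as an extraction failure cannot be confirmed from here.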
diff --git a/perl-Archive-Tar.spec b/perl-Archive-Tar.spec
index b290a88..622c765 100644
--- a/perl-Archive-Tar.spec
+++ b/perl-Archive-Tar.spec
@@ -7,13 +7,15 @@
Name: perl-Archive-Tar
Version: 3.04
-Release: 521%{?dist}
+Release: 522%{?dist}
Summary: A module for Perl manipulation of .tar files
License: GPL-1.0-or-later OR Artistic-1.0-Perl
URL: https://metacpan.org/release/Archive-Tar
Source0: https://cpan.metacpan.org/authors/id/B/BI/BINGOS/Archive-Tar-%{version}.tar.gz
# Remove annoying sleep after warnings in the build script
Patch0: Archive-Tar-2.02-Do-not-sleep-in-Makefile.PL.patch
+# Fix CVE-2026-42496
+Patch1: Archive-Tar-3.04-Validate-symlink-and-hardlink-linkname-in-SECURE-MOD.patch
BuildArch: noarch
# Most of the BRS are needed only for tests, compression support at run-time
# is optional soft dependency.
@@ -107,6 +109,7 @@ with "%{_libexecdir}/%{name}/test".
%prep
%setup -q -n Archive-Tar-%{version}
%patch -P0 -p1
+%patch -P1 -p1
# Help generators to recognize Perl scripts
for F in t/*.t; do
@@ -158,6 +161,9 @@ make test
%{_libexecdir}/%{name}
%changelog
+* Wed Jun 03 2026 Jitka Plesnikova <jplesnik@redhat.com> - 3.04-522
+- Fix CVE-2026-42496 (rhbz#2484320)
+
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.04-521
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild