diff --git a/pkgs/development/interpreters/perl/CVE-2026-8376.patch b/pkgs/development/interpreters/perl/CVE-2026-8376.patch new file mode 100644 index 000000000000..c8ad72298178 --- /dev/null +++ b/pkgs/development/interpreters/perl/CVE-2026-8376.patch @@ -0,0 +1,20 @@ +Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly. + +diff --git a/regcomp_study.c b/regcomp_study.c +index b513454a4258..1602663f4b26 100644 +--- a/regcomp_study.c ++++ b/regcomp_study.c +@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_ + (U8 *) SvEND(data->last_found)) + - (U8*)s; + l -= old; ++ ++ if (l > 0 && ++ (mincount >= SSize_t_MAX / (SSize_t)l ++ || old > SSize_t_MAX - mincount * (SSize_t)l)) { ++ FAIL("Regexp out of space"); ++ } ++ + /* Get the added string: */ + last_str = newSVpvn_utf8(s + old, l, UTF); + last_chrs = UTF ? utf8_length((U8*)(s + old), diff --git a/pkgs/development/interpreters/perl/interpreter.nix b/pkgs/development/interpreters/perl/interpreter.nix index fce8e1c9e0f0..cdb03912b517 100644 --- a/pkgs/development/interpreters/perl/interpreter.nix +++ b/pkgs/development/interpreters/perl/interpreter.nix @@ -36,6 +36,8 @@ let commonPatches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch + + ./CVE-2026-8376.patch ] # Fix build on Solaris on x86_64 @@ -79,6 +81,61 @@ let # Some more details: https://arsv.github.io/perl-cross/modules.html ++ lib.optional crossCompiling ./cross.patch; + # Inject fixed CPAN releases for bundled dual-life distributions until the + # next perl maintenance release includes them. + vendoredPerlDistributions = [ + { + # CVE-2026-7010 + path = "cpan/HTTP-Tiny"; + src = fetchurl { + url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz"; + hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M="; + }; + } + { + # CVE-2026-3381, CVE-2026-4176 + path = "cpan/Compress-Raw-Zlib"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz"; + hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg="; + }; + } + { + # Runtime dependency of IO-Compress 2.220. + path = "cpan/Compress-Raw-Bzip2"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz"; + hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g="; + }; + } + { + # CVE-2026-48962, CVE-2026-48961, CVE-2026-48959 + path = "cpan/IO-Compress"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz"; + hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic="; + }; + } + { + # CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 + path = "cpan/Archive-Tar"; + src = fetchurl { + url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz"; + hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw="; + }; + } + ]; + + replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: '' + rm -rf ${d.path} + mkdir -p ${d.path} + + tar --strip-components=1 -C ${d.path} -xf ${d.src} + + # Remove executable bits to make t/porting/exec-bit.t happy. + find ${d.path} -type f -exec chmod a-x {} + + '') vendoredPerlDistributions; + libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr"; libcInc = lib.getDev libc; libcLib = lib.getLib libc; @@ -136,10 +193,10 @@ stdenv.mkDerivation ( --replace "/bin/pwd" "$(type -P pwd)" '' ) - + - # Perl's build system uses the src variable, and its value may end up in - # the output in some cases (when cross-compiling) - '' + + replaceVendoredPerlDistributions + + '' + # Perl's build system uses the src variable, and its value may end up in + # the output in some cases (when cross-compiling). unset src '';