nixpkgs/pkgs/development/interpreters/perl/CVE-2026-8376.patch
Stig Palmquist 5613fd0d41 perl: backport security fixes
Perl ships with some CPAN modules vendored as "dual-life", this commit
inject updated versions certain modules directly from CPAN rather than
applying patches from upstream, as they can be tricky to maintain.

It also includes a patch for CVE-2026-8376 which affects 32-bit
platforms.

- perl: CVE-2026-8376
  5e7f119eb2

- HTTP-Tiny 0.094: CVE-2026-7010
  https://metacpan.org/release/HAARG/HTTP-Tiny-0.094/changes

- Compress-Raw-Zlib 2.222: CVE-2026-3381, CVE-2026-4176
  https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.222/changes

- Compress-Raw-Bzip2 2.218
  https://metacpan.org/release/PMQS/Compress-Raw-Bzip2-2.218/changes

- IO-Compress 2.220: CVE-2026-48959, CVE-2026-48961, CVE-2026-48962
  https://metacpan.org/release/PMQS/IO-Compress-2.220/changes

- Archive-Tar 3.12: CVE-2026-42496, CVE-2026-42497, CVE-2026-9538
  https://metacpan.org/release/BINGOS/Archive-Tar-3.12/changes

Assisted-by: Codex (OpenAI)
Signed-off-by: Stig Palmquist <git@stig.io>
(cherry picked from commit d59aeb80e5)
2026-06-05 11:40:01 +00:00

20 lines
956 B
Diff

Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly.
diff --git a/regcomp_study.c b/regcomp_study.c
index b513454a4258..1602663f4b26 100644
--- a/regcomp_study.c
+++ b/regcomp_study.c
@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_
(U8 *) SvEND(data->last_found))
- (U8*)s;
l -= old;
+
+ if (l > 0 &&
+ (mincount >= SSize_t_MAX / (SSize_t)l
+ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
+ FAIL("Regexp out of space");
+ }
+
/* Get the added string: */
last_str = newSVpvn_utf8(s + old, l, UTF);
last_chrs = UTF ? utf8_length((U8*)(s + old),