mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
Perl ships with some CPAN modules vendored as "dual-life", this commit inject updated versions certain modules directly from CPAN rather than applying patches from upstream, as they can be tricky to maintain. It also includes a patch for CVE-2026-8376 which affects 32-bit platforms. - perl: CVE-2026-83765e7f119eb2- HTTP-Tiny 0.094: CVE-2026-7010 https://metacpan.org/release/HAARG/HTTP-Tiny-0.094/changes - Compress-Raw-Zlib 2.222: CVE-2026-3381, CVE-2026-4176 https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.222/changes - Compress-Raw-Bzip2 2.218 https://metacpan.org/release/PMQS/Compress-Raw-Bzip2-2.218/changes - IO-Compress 2.220: CVE-2026-48959, CVE-2026-48961, CVE-2026-48962 https://metacpan.org/release/PMQS/IO-Compress-2.220/changes - Archive-Tar 3.12: CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 https://metacpan.org/release/BINGOS/Archive-Tar-3.12/changes Assisted-by: Codex (OpenAI) Signed-off-by: Stig Palmquist <git@stig.io> (cherry picked from commitd59aeb80e5)
20 lines
956 B
Diff
20 lines
956 B
Diff
Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly.
|
|
|
|
diff --git a/regcomp_study.c b/regcomp_study.c
|
|
index b513454a4258..1602663f4b26 100644
|
|
--- a/regcomp_study.c
|
|
+++ b/regcomp_study.c
|
|
@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_
|
|
(U8 *) SvEND(data->last_found))
|
|
- (U8*)s;
|
|
l -= old;
|
|
+
|
|
+ if (l > 0 &&
|
|
+ (mincount >= SSize_t_MAX / (SSize_t)l
|
|
+ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
|
|
+ FAIL("Regexp out of space");
|
|
+ }
|
|
+
|
|
/* Get the added string: */
|
|
last_str = newSVpvn_utf8(s + old, l, UTF);
|
|
last_chrs = UTF ? utf8_length((U8*)(s + old),
|