!143 [sync] PR-141: fix CVE-2024-56406

From: @openeuler-sync-bot 
Reviewed-by: @xujing99 
Signed-off-by: @xujing99

backport-CVE-2023-47100-CVE-2023-47038.patch

@@ -42,6 +42,10 @@ This commit also does white-space adjustment so that things align
 vertically for readability.
 
 This can be easily backported to earlier Perl releases.
+
+Reference:https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664
+Conflict:NA
+
 ---
  regcomp.c           | 17 +++++++++++------
  t/re/pat_advanced.t |  8 ++++++++
@@ -92,7 +96,7 @@ index d3c135f..67aa03e 100644
          if (cur == '_') {
              if (    stricter
 -                && (     i == 0 || (int) i == equals_pos || i == name_len- 1
-+                && ( i == i_zero || (int) i == equals_pos || i == name_len- 1
++                && (   i == i_zero || (int) i == equals_pos || i == name_len- 1
                      || ! isDIGIT_A(name[i-1]) || ! isDIGIT_A(name[i+1])))
              {
                  lookup_name[j++] = '_';

backport-CVE-2024-56406.patch

@@ -0,0 +1,26 @@
+From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space.  If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 69ff030e88eb..298b2926338a 100644
+--- a/op.c
++++ b/op.c
+@@ -6520,6 +6520,7 @@
+                  * same time.  But otherwise one crosses before the other */
+                 if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+                     can_force_utf8 = TRUE;
++                    max_expansion = MAX(2, max_expansion);
+                 }
+             }
+ 

perl-5.38.0-Link-XS-modules-to-libperl.so-with-EU-MM.patch

@@ -0,0 +1,92 @@
+From fbdb9a76798ae34a7b53f664e77aaaf1f4040f2f Mon Sep 17 00:00:00 2001
+From: zhangzikang <zhangzikang@kylinos.cn>
+Date: Wed, 20 Mar 2024 17:44:51 +0800
+Subject: [PATCH] perl-5.38.0-Link-XS-modules-to-libperl.so-with-EU-MM-on-Linux
+
+---
+ MANIFEST                                      |  1 +
+ .../lib/ExtUtils/MM_Unix.pm                   |  8 +++++-
+ .../lib/ExtUtils/CBuilder/Platform/linux.pm   | 26 +++++++++++++++++++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/linux.pm
+
+diff --git a/MANIFEST b/MANIFEST
+index 6bc115b..0775b2f 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -3855,6 +3855,7 @@ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/android.pm	CBuilder method
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/cygwin.pm		CBuilder methods for cygwin
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/darwin.pm		CBuilder methods for darwin
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/dec_osf.pm	CBuilder methods for OSF
++dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/linux.pm		CBuilder methods for Linux
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/os2.pm		CBuilder methods for OS/2
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/Unix.pm		CBuilder methods for Unix
+ dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/VMS.pm		CBuilder methods for VMS
+diff --git a/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm b/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm
+index 1761380..4e82dda 100644
+--- a/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm
++++ b/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm
+@@ -32,6 +32,7 @@ BEGIN {
+     $Is{IRIX}    = $^O eq 'irix';
+     $Is{NetBSD}  = $^O eq 'netbsd';
+     $Is{Interix} = $^O eq 'interix';
++    $Is{Linux}   = $^O eq 'linux';
+     $Is{SunOS4}  = $^O eq 'sunos';
+     $Is{Solaris} = $^O eq 'solaris';
+     $Is{SunOS}   = $Is{SunOS4} || $Is{Solaris};
+@@ -1074,7 +1075,7 @@ sub xs_make_dynamic_lib {
+     push(@m,"	\$(RM_F) \$\@\n");
+ 
+     my $libs = '$(LDLOADLIBS)';
+-    if (($Is{NetBSD} || $Is{Interix} || $Is{Android}) && $Config{'useshrplib'} eq 'true') {
++    if (($Is{Linux} || $Is{NetBSD} || $Is{Interix} || $Is{Android}) && $Config{'useshrplib'} eq 'true') {
+         # Use nothing on static perl platforms, and to the flags needed
+         # to link against the shared libperl library on shared perl
+         # platforms.  We peek at lddlflags to see if we need -Wl,-R
+@@ -1087,6 +1088,11 @@ sub xs_make_dynamic_lib {
+             # The Android linker will not recognize symbols from
+             # libperl unless the module explicitly depends on it.
+             $libs .= ' "-L$(PERL_INC)" -lperl';
++        } else {
++            if ($ENV{PERL_CORE}) {
++                $libs .= ' "-L$(PERL_INC)"';
++            }
++            $libs .= ' -lperl';
+         }
+     }
+ 
+diff --git a/dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/linux.pm b/dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/linux.pm
+new file mode 100644
+index 0000000..582339b
+--- /dev/null
++++ b/dist/ExtUtils-CBuilder/lib/ExtUtils/CBuilder/Platform/linux.pm
+@@ -0,0 +1,26 @@
++package ExtUtils::CBuilder::Platform::linux;
++
++use strict;
++use ExtUtils::CBuilder::Platform::Unix;
++use File::Spec;
++
++use vars qw($VERSION @ISA);
++$VERSION = '0.280230';
++our @ISA = qw(ExtUtils::CBuilder::Platform::Unix);
++
++sub link {
++  my ($self, %args) = @_;
++  my $cf = $self->{config};
++
++  # Link XS modules to libperl.so explicitly because multiple
++  # dlopen(, RTLD_LOCAL) hides libperl symbols from XS module.
++  local $cf->{lddlflags} = $cf->{lddlflags};
++  if ($ENV{PERL_CORE}) {
++    $cf->{lddlflags} .= ' -L' . $self->perl_inc();
++  }
++  $cf->{lddlflags} .= ' -lperl';
++
++  return $self->SUPER::link(%args);
++}
++
++1;
+-- 
+2.33.0
+

perl.spec

@@ -21,10 +21,10 @@
 %bcond_without systemtap
 
 Name:           perl
-License:        (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD
+License:        (GPL-1.0-or-later or Artistic-1.0-perl) and (GPL-2.0-or-later or Artistic-1.0-perl) and MIT and UCD and Public Domain and BSD
 Epoch:          4
 Version:        %{perl_version}
-Release:        4
+Release:        9
 Summary:        A highly capable, feature-rich programming language
 Url:            https://www.perl.org/
 Source0:        https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@@ -35,8 +35,10 @@ Patch3: perl-5.22.0-Install-libperl.so-to-shrpdir-on-Linux.patch
 Patch4: perl-5.34.0-Destroy-GDBM-NDBM-ODBM-SDBM-_File-objects-only-from-.patch
 Patch5: change-lib-to-lib64.patch
 Patch6: disable-rpath-by-default.patch
-Patch7: backport-CVE-2023-47038.patch
+Patch7: backport-CVE-2023-47100-CVE-2023-47038.patch
 Patch8: backport-CVE-2023-47039.patch
+Patch9: perl-5.38.0-Link-XS-modules-to-libperl.so-with-EU-MM.patch
+Patch10: backport-CVE-2024-56406.patch
 
 BuildRequires:  gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find 
 BuildRequires:  zlib-devel perl-interpreter perl-generators
@@ -81,7 +83,7 @@ prototyping and large scale development projects.
 
 %package libs
 Summary:        The libraries for the perl
-License:        (GPL+ or Artistic) and HSRL and MIT and UCD
+License:        (GPL-1.0-or-later or Artistic-1.0-perl) and MIT and UCD
 Provides:       %perl_compat
 Provides:       perl(:VERSION) = %{perl_version}
 Provides:       perl(:WITH_64BIT) perl(:WITH_ITHREADS) perl(:WITH_THREADS)
@@ -94,7 +96,7 @@ This package is the shared library for perl.
 
 %package devel
 Summary:        Development files for %{name}
-License:        (GPL+ or Artistic) and UCD
+License:        (GPL-1.0-or-later or Artistic-1.0-perl) and UCD
 
 Requires:       perl = %{epoch}:%{version}-%{release} system-rpm-config
 %if %{with systemtap}
@@ -417,9 +419,7 @@ make test_harness
 %exclude %dir %{perl_vendor_datadir}
 %dir %{perl_datadir}/File
 %{perl_datadir}/File/Compare.pm
-%{_mandir}/man3/File::Compare.3*
 %{perl_datadir}/File/Find.pm
-%{_mandir}/man3/File::Find.3*
 
 %license Artistic Copying
 %doc AUTHORS
@@ -498,6 +498,21 @@ make test_harness
 %{_mandir}/man3/*
 
 %changelog
+* Mon Apr 14 2025 Funda Wang <fundawang@yeah.net> - 4:5.38.0-9
+- fix CVE-2024-56406
+
+* Tue Sep 3 2024 hongjinghao <hongjinghao@huawei.com> - 4:5.38.0-8
+- Delete the man of File::Compare and File::Find from the main package.
+
+* Wed Aug 14 2024 gengqihu <gengqihu2@h-partners.com> - 4:5.38.0-7
+- License info rectification
+
+* Wed Mar 20 2024 zhangzikang <zhangzikang@kylinos.cn> - 4:5.38.0-6
+- Fix perl re.so undefined symbol error
+
+* Mon Dec 11 2023 huyubiao <huyubiao@huawei.com> - 4:5.38.0.5
+- Fix CVE-2023-47100
+
 * Fri Dec 8 2023 hongjinghao <hongjinghao@huawei.com> - 4:5.38.0.4
 - Fix CVE-2023-48039