Bug#1108676: unblock/pre-approval: perl / CVE-2025-40909

2025-07-08 Thread Niko Tyni
Control: tags -1 - moreinfo

On Thu, Jul 03, 2025 at 12:37:23PM +, Ivo De Decker wrote:
> Control: tags -1 confirmed moreinfo
> 
> Hi,
> 
> On Wed, Jul 02, 2025 at 11:02:07PM +0300, Niko Tyni wrote:
> > Hi, please consider pre-approving the changes in perl/5.40.1-4
> > in experimental for sid/trixie.
> 
> Please go ahead with the upload and remove the moreinfo tag from this unblock
> request once the new upload has been in unstable for a few days, and you think
> it's ready to migrate.

Thanks, I think we're pretty much there now.
-- 
Niko



Bug#1108676: unblock/pre-approval: perl / CVE-2025-40909

2025-07-03 Thread Ivo De Decker
Control: tags -1 confirmed moreinfo

Hi,

On Wed, Jul 02, 2025 at 11:02:07PM +0300, Niko Tyni wrote:
> Hi, please consider pre-approving the changes in perl/5.40.1-4
> in experimental for sid/trixie.

Please go ahead with the upload and remove the moreinfo tag from this unblock
request once the new upload has been in unstable for a few days, and you think
it's ready to migrate.

Thanks,

Ivo



Bug#1108676: unblock/pre-approval: perl / CVE-2025-40909

2025-07-02 Thread Niko Tyni
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:perl

Hi, please consider pre-approving the changes in perl/5.40.1-4
in experimental for sid/trixie.

This fixes #1098226 / CVE-2025-40909, a working directory race condition
during thread creation.

The severity was a bit questionable at first, but it's now considered a
proper security issue. Upstream will be releasing updates for supported
versions (5.40 and I believe 5.38 too). So I think we should follow suit.
I intend to try and fix this later also for bookworm via a point release.

The fix took a while for upstream to get right, so there are three cherry-picked
commits as separate patches. Furthermore, the changes to the
top level Configure script needed two other patches so we can keep the
Configure regeneration machinery working. (See #762638 for the background
on why we have this machinery.)

Unfortunately that means the debdiff is a bit cluttered. For your
convenience, I'm also attaching the squashed version of the changes
(output of ` git diff debian/5.40.1-3 debian/5.40.1-4 ':!debian/' `)
as `perl_5.40.1-4.gitdiff`.

I uploaded this to experimental to get the "sid pseudo-excuses" debci
results. I believe we now have those and no regressions were found.

(I'm not quite sure how to confirm the test coverage, as I see no way
to query test results scheduled by others in the ci.debian.net API.
But a manual check of a random sample found successful tests for
all of them.)

I have also tested rebuilding 5331 packages in sid including all reverse
dependencies of perl and all packages matching 'lib.*perl'. I found no
regressions with those either.

If you're OK with acking this, I plan to upload the current version
unchanged except for an 'upload to unstable' changelog entry as 5.40.1-5.

Thanks for your work on the release,
-- 
Niko
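The race the report describes, as an added C example that is neither Perl's sv.c code nor part of this mail: a thread-clone of a directory handle done the old way (fchdir() into the directory, opendir("."), fchdir() back) beside the dup()+fdopendir() form the patch introduces. The function names, the temp directory under /tmp and its three sample files are constructed for the example, and a callback stands in for the concurrent third thread so the window is observed deterministically instead of by winning a timing race.

```c
/* Added example, not code from Perl's sv.c: the old way of cloning a DIR* for a
 * new thread (fchdir() into it, opendir("."), fchdir() back) beside the
 * dup()+fdopendir() approach. Helper names, temp dir and files are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stands in for the "third thread": records what getcwd() returns right now. */
static void observe_cwd(void *buf)
{
    if (!getcwd(buf, PATH_MAX)) *(char *)buf = '\0';
}

/* Old approach. The cwd is process-wide, so any other thread resolving a relative
 * path between the two fchdir() calls gets the wrong directory. in_window() runs
 * inside that window so the effect is shown deterministically. */
static DIR *clone_dir_fchdir(DIR *src, void (*in_window)(void *), void *arg)
{
    int saved = open(".", O_RDONLY | O_DIRECTORY);
    DIR *copy = NULL;
    if (saved < 0)
        return NULL;
    if (fchdir(dirfd(src)) == 0) {
        copy = opendir(".");
        if (in_window)
            in_window(arg);                  /* another thread runs here */
        if (fchdir(saved) != 0 && copy) {    /* cwd now wrong for everyone */
            closedir(copy);
            copy = NULL;
        }
    }
    close(saved);
    return copy;
}

/* New approach: a duplicate descriptor and a stream on it; cwd is never touched. */
static DIR *clone_dir_fdopendir(DIR *src)
{
    int fd = dup(dirfd(src));
    DIR *copy = fd < 0 ? NULL : fdopendir(fd);
    if (fd >= 0 && !copy) close(fd);         /* fdopendir() owns fd only on success */
    return copy;
}

static int count_entries(DIR *d)
{
    struct dirent *e;
    int n = 0;
    rewinddir(d);
    while ((e = readdir(d)) != NULL)
        n += strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0;
    return n;
}

/* Creates a temp dir holding files a, b, c, clones a DIR* on it with one method and
 * returns 1 if the cwd was seen to change, 0 if not, -1 on setup failure.
 * *entries_seen receives the count read through the clone (3 either way). */
int cwd_changed_during_clone(int use_fdopendir, int *entries_seen)
{
    static const char *const names[] = { "a", "b", "c" };
    char tmpl[] = "/tmp/dirclone-XXXXXX", before[PATH_MAX], after[PATH_MAX], seen[PATH_MAX];
    DIR *src, *copy;
    int i;
    *entries_seen = -1;
    if (!mkdtemp(tmpl) || !getcwd(before, sizeof before))
        return -1;
    if (!(src = opendir(tmpl))) {
        rmdir(tmpl);
        return -1;
    }
    for (i = 0; i < 3; i++) {
        int fd = openat(dirfd(src), names[i], O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) close(fd);
    }
    strcpy(seen, before);                    /* overwritten only inside a window */
    copy = use_fdopendir ? clone_dir_fdopendir(src)
                         : clone_dir_fchdir(src, observe_cwd, seen);
    if (!getcwd(after, sizeof after)) *after = '\0';
    if (copy) {
        *entries_seen = count_entries(copy);
        closedir(copy);
    }
    for (i = 0; i < 3; i++)
        unlinkat(dirfd(src), names[i], 0);
    closedir(src);
    rmdir(tmpl);
    if (!copy) return -1;
    return strcmp(seen, before) != 0 || strcmp(after, before) != 0;
}

int main(void)
{
    int n, changed = cwd_changed_during_clone(0, &n);
    printf("fchdir clone:    cwd changed=%d entries=%d\n", changed, n);
    changed = cwd_changed_during_clone(1, &n);
    printf("fdopendir clone: cwd changed=%d entries=%d\n", changed, n);
    return 0;
}
```

Build on a POSIX.1-2008 system; fdopendir() is the 2008 addition that the new Configure probe exists to detect. One property to keep in mind before relying on the dup() form: the duplicate shares the open file description, and with it the directory read position, with the original DIR*, whereas opendir(".") produced an independent description. Code that reads through both handles has to manage the position with telldir()/seekdir() rather than assume two independent cursors.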
diff -Nru perl-5.40.1/debian/changelog perl-5.40.1/debian/changelog
--- perl-5.40.1/debian/changelog2025-04-12 18:34:34.0 +0300
+++ perl-5.40.1/debian/changelog2025-06-27 17:26:56.0 +0300
@@ -1,3 +1,10 @@
+perl (5.40.1-4) experimental; urgency=medium
+
+  * [SECURITY] CVE-2025-40909: Clone dirhandles without fchdir
+   (Closes: #1098226)
+
+ -- Niko Tyni   Fri, 27 Jun 2025 17:26:56 +0300
+
 perl (5.40.1-3) unstable; urgency=high
 
   * [SECURITY] CVE-2024-56406: Fix heap-buffer-overflow with tr//
diff -Nru perl-5.40.1/debian/patches/fixes/CVE-2025-40909-1.diff 
perl-5.40.1/debian/patches/fixes/CVE-2025-40909-1.diff
--- perl-5.40.1/debian/patches/fixes/CVE-2025-40909-1.diff  1970-01-01 
02:00:00.0 +0200
+++ perl-5.40.1/debian/patches/fixes/CVE-2025-40909-1.diff  2025-06-27 
17:26:56.0 +0300
@@ -0,0 +1,413 @@
+From: Leon Timmermans 
+Date: Fri, 23 May 2025 15:40:41 +0200
+Subject: CVE-2025-40909: Clone dirhandles without fchdir
+
+This uses fdopendir and dup to dirhandles. This means it won't change
+working directory during thread cloning, which prevents race conditions
+that can happen if a third thread is active at the same time.
+
+(cherry picked from commit 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9)
+
+Origin: upstream, 
https://github.com/Perl/perl5/commit/84be063eb88c5b1dd26cb4c418b94d39e60b7049
+Bug: https://github.com/Perl/perl5/issues/23010
+Bug-Debian: https://bugs.debian.org/1098226
+---
+ Configure  |   6 +++
+ Cross/config.sh-arm-linux  |   1 +
+ Cross/config.sh-arm-linux-n770 |   1 +
+ Porting/Glossary   |   5 ++
+ Porting/config.sh  |   1 +
+ config_h.SH|   6 +++
+ configure.com  |   1 +
+ plan9/config_sh.sample |   1 +
+ sv.c   |  91 ++--
+ t/op/threads-dirh.t| 104 +
+ win32/config.gc|   1 +
+ win32/config.vc|   1 +
+ 12 files changed, 28 insertions(+), 191 deletions(-)
+
+diff --git a/Configure b/Configure
+index ee4d40d..850b2f8 100755
+--- a/Configure
 b/Configure
+@@ -478,6 +478,7 @@ d_fd_set=''
+ d_fds_bits=''
+ d_fdclose=''
+ d_fdim=''
++d_fdopendir=''
+ d_fegetround=''
+ d_ffs=''
+ d_ffsl=''
+@@ -13342,6 +13343,10 @@ esac
+ set i_fcntl
+ eval $setvar
+ 
++: see if fdopendir exists
++set fdopendir d_fdopendir
++eval $inlibc
++
+ : see if fork exists
+ set fork d_fork
+ eval $inlibc
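Review bot: `set fdopendir d_fdopendir; eval $inlibc` only establishes that a symbol named fdopendir links, not that <dirent.h> declares it under the feature-test macros perl is compiled with, so on a libc where the function exists but its prototype is hidden the code in sv.c that is guarded by this result would compile against an implicit declaration. If any supported platform is in that situation, pair the probe with a compile test that includes <dirent.h> and calls fdopendir(); otherwise the placement between the i_fcntl and fork checks is consistent with the surrounding order.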
+@@ -25045,6 +25050,7 @@ d_flockproto='$d_flockproto'
+ d_fma='$d_fma'
+ d_fmax='$d_fmax'
+ d_fmin='$d_fmin'
++d_fdopendir='$d_fdopendir'
+ d_fork='$d_fork'
+ d_fp_class='$d_fp_class'
+ d_fp_classify='$d_fp_classify'
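Review bot: d_fdopendir='$d_fdopendir' is inserted after d_fmin here, out of alphabetical order, whereas the @@ -478 hunk initialises the variable in its sorted slot between d_fdim and d_fegetround. Put it in the matching slot in this dump section (directly after the d_fdim entry) so both lists agree; the Debian Configure regeneration machinery referred to in the mail (#762638) and later upstream merges are less likely to conflict when the two lists are ordered identically.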
+diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux
+index c7a6a51..f5fc63e 100644
+--- a/Cross/config.sh-arm-linux
 b/Cross/config.sh-arm-linux
+@@ -212,6 +212,7 @@ d_fd_macros='define'
+ d_fd_set='define'
+ d_fdclose='undef'
+ d_fdim='
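Review bot: the value this hunk assigns to d_fdopendir in the hand-maintained arm-linux cross config is cut off here; it should mirror what the probe would find on that glibc target, and the matching one-line additions the diffstat lists for Cross/config.sh-arm-linux-n770, plan9/config_sh.sample, win32/config.gc and win32/config.vc need per-platform values rather than a copy of the Linux one (the win32 C runtimes have no fdopendir), otherwise sv.c would take the fdopendir branch on a platform that cannot build it.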