Skip to content

perl: apply patch for CVE-2025-40909#412233

Merged
vcunat merged 1 commit intoNixOS:stagingfrom
stigtsp:perl/CVE-2025-40909
May 30, 2025
Merged

perl: apply patch for CVE-2025-40909#412233
vcunat merged 1 commit intoNixOS:stagingfrom
stigtsp:perl/CVE-2025-40909

Conversation

@stigtsp
Copy link
Member

@stigtsp stigtsp commented May 30, 2025

Fixes CVE-2025-40909

https://www.openwall.com/lists/oss-security/2025/05/22/2
https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@stigtsp stigtsp added the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 30, 2025
@nix-owners nix-owners bot requested review from marcusramberg and zakame May 30, 2025 03:39
@github-actions github-actions bot added 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. labels May 30, 2025
@vcunat vcunat merged commit a809003 into NixOS:staging May 30, 2025
14 of 18 checks passed
@nixpkgs-ci nixpkgs-ci bot mentioned this pull request May 30, 2025
Merged
1 task
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented May 30, 2025

Successfully created backport PR for staging-24.11:

@nixpkgs-ci

This comment was marked as duplicate.

Sign in to view
@nixpkgs-ci nixpkgs-ci bot mentioned this pull request May 30, 2025
Merged
1 task
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented May 30, 2025

Successfully created backport PR for staging-25.05:

@nixpkgs-ci

This comment was marked as duplicate.

Sign in to view
@github-actions github-actions bot added the 8.has: port to stable This PR already has a backport to the stable release. label May 30, 2025
@misuzu
Copy link
Contributor

misuzu commented May 31, 2025

Looks like this change broke cross compilation (to riscv64-linux at least):

patching file installperl
make[1]: Leaving directory '/build/perl-5.40.0'
make miniperl
make[1]: Entering directory '/build/perl-5.40.0'
gcc -DPERL_CORE -DUSE_CROSS_COMPILE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fwrapv -fno-strict-aliasing -c -o miniperlmain.host.o miniperlmain.c
In file included from perl.h:49,
                 from miniperlmain.c:57:
xconfig.h:114:3: error: invalid preprocessing directive #HAS_FDOPENDIR
  114 | # HAS_FDOPENDIR         /**/
      |   ^~~~~~~~~~~~~
In file included from perl.h:7874:
sv_inline.h:566:1: warning: 'always_inline' function might not be inlinable unless also declared 'inline' [-Wattributes]
  566 | Perl_SvPVXtrue(pTHX_ SV *sv)
      | ^~~~~~~~~~~~~~
sv_inline.h:536:1: warning: 'always_inline' function might not be inlinable unless also declared 'inline' [-Wattributes]
  536 | Perl_newSV_type_mortal(pTHX_ const svtype type)
      | ^~~~~~~~~~~~~~~~~~~~~~
make[1]: *** [Makefile:114: miniperlmain.host.o] Error 1
make[1]: Leaving directory '/build/perl-5.40.0'
make: *** [Makefile:85: all] Error 2

https://hydra.ztier.in/build/11657/nixlog/684

With 88c1caa reverted pkgsCross.riscv64.perl builds

@misuzu
Copy link
Contributor

misuzu commented May 31, 2025

pkgsCross.aarch64-multiplatform.perl is affected as well

@stigtsp
Copy link
Member Author

stigtsp commented May 31, 2025

Maybe related to patches on config scripts and perl-cross, will try to have a look this evening.

@misuzu misuzu mentioned this pull request Jun 20, 2025
Merged
13 tasks
zincentimeter
zincentimeter reviewed Jun 21, 2025
View reviewed changes
pkgs/development/interpreters/perl/CVE-2025-40909.patch
d_fd_set='define'
d_fdclose='undef'
d_fdim='undef'
+d_fdopendir=undef
Copy link

@zincentimeter zincentimeter Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi. I believe this line should have ' quotation mark aroung undef. This cause cross-compilation not working. Can you fix that?

zincentimeter
zincentimeter reviewed Jun 21, 2025
View reviewed changes
pkgs/development/interpreters/perl/CVE-2025-40909.patch
d_fd_set='define'
d_fdclose='undef'
d_fdim='undef'
+d_fdopendir=undef
Copy link

@zincentimeter zincentimeter Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same problem mentioned before: https://github.com/NixOS/nixpkgs/pull/412233/files/88c1caa7d016c401082a44979bfde7e5e276048f#r2159996151

Copy link
Member

@vcunat vcunat Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But this isn't nixpkgs work. We just got the patch from upstream:
Perl/perl5@918bfff

Copy link
Member

@vcunat vcunat Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i.e. such discussion should happen upstream, so that all distros can benefit.

Copy link

@zincentimeter zincentimeter Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is fixed here: Perl/perl5@d19a96b

Copy link

@zincentimeter zincentimeter Jun 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the package still won't work for cross compile aarch64 after apply this patch. I eventually substitute the broken ,# HAS_FDOPENDIR to #unset HAS_FDOPENDIR in xconfig.h and config.h before buildphase. May be the problem is more complicated.

@misuzu misuzu mentioned this pull request Jun 21, 2025
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vcunat vcunat vcunat left review comments

@marcusramberg marcusramberg Awaiting requested review from marcusramberg

@zakame zakame Awaiting requested review from zakame

+1 more reviewer

@zincentimeter zincentimeter zincentimeter left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@stigtsp @misuzu @vcunat @zincentimeter @leona-ya