diff --git a/1000-CVE-2024-56406.patch b/1000-CVE-2024-56406.patch new file mode 100644 index 0000000000000000000000000000000000000000..288c7d28e1218492c7e4863c38224adb13726be2 --- /dev/null +++ b/1000-CVE-2024-56406.patch @@ -0,0 +1,24 @@ +From e0bce716273d941537771637ef077ff397a06f9b Mon Sep 17 00:00:00 2001 +From: mgb01105731 +Date: Mon, 23 Jun 2025 23:52:12 -0400 +Subject: [PATCH 1/1] fix CVE-2024-56406 + +--- + op.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/op.c b/op.c +index 748a268..65bfaee 100644 +--- a/op.c ++++ b/op.c +@@ -7605,6 +7605,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl) + * same time. But otherwise one crosses before the other */ + if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) { + can_force_utf8 = TRUE; ++ max_expansion = MAX(2, max_expansion); + } + } + +-- +2.41.0 + diff --git a/perl.spec b/perl.spec index 8bab9343fd0f6755cb68ed69d1152db13b3f4cc9..fd4730d853200818c8e1405142303da83f399409 100644 --- a/perl.spec +++ b/perl.spec @@ -1,5 +1,5 @@ # anolis_release number must be even higher, because dual-lived modules will be broken otherwise -%define anolis_release 16 +%define anolis_release 17 %global perl_version 5.36.3 %global perl_epoch 4 @@ -66,7 +66,8 @@ Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li Patch201: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-MM-on-Linux.patch Patch202: perl-5.36.0-Add-definition-of-OPTIMIZE-to-.ph-files.patch Patch203: perl-5.36.3-add-Perl_my_strlcat-and-Perl_my_strlcpy-symbol.patch - +# From https://kkgithub.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd +Patch204: 1000-CVE-2024-56406.patch BuildRequires: bash bzip2-devel coreutils findutils gcc glibc-common make BuildRequires: sed tar zlib-devel BuildRequires: gcc @@ -2580,6 +2581,9 @@ LC_ALL=C TEST_JOBS=$JOBS make test_harness %{_mandir}/man3/vmsish.* %changelog +* Mon Jun 24 2025 lzq11122 - 5.36.3-17 +- add patch to fix CVE-2024-56406 + * Wed Apr 2 2025 Kaiqiang Wang - 5.36.3-16 - add Perl_my_strlcat and Perl_my_strlcpy symbol