dev-lang/perl: Add patch to fix CVE-2024-56406 See CVE at https://nvd.nist.gov/vuln/detail/CVE-2024-56406. BUG=b:456336258 TEST=cros_sdk -- sudo emerge dev-lang/perl TEST=cq Change-Id: Ia0624bf0c7d277d06ded17f91b76249147c6878f Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/7163667 Tested-by: Greg Edelston <gredelston@google.com> Commit-Queue: Gilberto Contreras <gcontreras@google.com> Auto-Submit: Greg Edelston <gredelston@google.com> Reviewed-by: Gilberto Contreras <gcontreras@google.com>
diff --git a/dev-lang/perl/METADATA b/dev-lang/perl/METADATA
index 5ca1431..fb2d95c 100644
--- a/dev-lang/perl/METADATA
+++ b/dev-lang/perl/METADATA
@@ -9,6 +9,9 @@ # http-tiny fixed by files/perl-5.36.1-http-tiny.patch mitigated_security_patch: "CVE-2023-31486" + # CVE-2024-56406 fixed by files/perl-5.38.2-CVE-2024-56406.patch + mitigated_security_patch: "CVE-2024-56406" + # ChromeOS > Infra > Build tag: "vuln_reporting:buganizer_component:1027774" }
diff --git a/dev-lang/perl/Manifest b/dev-lang/perl/Manifest
index 50a9b3f..aecb4fd 100644
--- a/dev-lang/perl/Manifest
+++ b/dev-lang/perl/Manifest
@@ -1,10 +1,3 @@ -DIST perl-5.36.0-patches-1.tar.xz 20352 BLAKE2B f5413c75c5bbced230ad7fa692998caef8e4041f3394ae5212dc2aaee465de619b56cf07551be1bb36f2e06b9ed7d0ddda31ad4a7ec81d5c0c64b698ddd80379 SHA512 ab24577b6d71a13d9ccf272efa0881b29933b6a39532ca0d71d4c9a134f451bbe5f3d87c6c851f26114702ac3f92af5c5a72129a458ebee31e372106955eb157 -DIST perl-5.36.0.tar.xz 13051500 BLAKE2B e4864a4c21e5242df4164c73db8af10f7b9c36b075e0c05777abec79716db7778ccbf2c0c9e7e749518ad310019d2a6b32bd8b5ab2af5a8b16b5d920f83d034f SHA512 6dd6ac2a77566c173c5ab9c238cf555f2c3e592e89abb5600bc23ce1cbd0c349e0233f6417cbbf1f6d0aefc6a734ba491285af0d3dc68a605b658b65c89f1dab -DIST perl-5.36.1.tar.xz 13053604 BLAKE2B baab610d16e444338ad7d529bad6a88e12010786bd25f2ab117ab4dd636859ff862cb925700095434f05a802bea5b89a9d41769f26bdbae439443020950882bd SHA512 8d1ec654c59d078bfc477f11c9526233199a85e4d4f6f5a55bf9eb7802cd355189c669cc6785d2d5e741c1de4d740b7a0cfd3c0198122586a07ac7f527fb14af DIST perl-5.38.0-patches-1.tar.gz 26047 BLAKE2B 809dd5242f9868e54525ae8056598d3252c889afc72ed6f122174f828947223399a5ba4dbc16dd43501f7138205991f8c102cbe0ed94175ae3353040c53a0162 SHA512 c66160e20095555aa21d3be70050dce934d62e55e01dcf0f716129b2faa390923958a48bc448b4fab6f55e5b097eb378f7a6409a92c024fe68c8b34fddcfc5e4 -DIST perl-5.38.0.tar.xz 13565448 BLAKE2B 22fd334d911e8ebe16ad2a96522110ad2c14d09dcd04d5e64391c7ffffbb8ec92dd80d3a0f8eb105fb45aef8a2f78457174133503f7aeac4d90f762a44631478 SHA512 71beff7f6daa22a967972f5805daf2d4ff837a17e5ab808780f815d5914a67acf4f2e92acac0f2d8b24bdde4ceec0c2f7cb3029b5eadeeb30191f757e1bf0f9d DIST perl-5.38.2.tar.xz 13679524 BLAKE2B 74250e30dde76911902a787134808dae69113c07029cdf09ab4777e7bb4e6c389cdefb9cb08be87e106a4bcd40dacaf188907d7a62c5aca22c1e374741855b39 SHA512 0ca51e447c7a18639627c281a1c7ae6662c773745ea3c86bede46336d5514ecc97ded2c61166e1ac15635581489dc596368907aa3a775b34db225b76d7402d10 -DIST perl-cross-1.4.1.tar.gz 117688 BLAKE2B 
e01103fb92764213dafb1ab92954fdc4bdcf1bd71a0064279ee75fed55a1c71850eaabdf667d6ab1c15eadccf7497668e5bb5ab13de33fef707fba14bfd52912 SHA512 5f403d3a52f724383d25c23b08e8001954300fa8f07a5b49df440ef4d06ef756404a6e448093c4f4d4f9a470b1c3f2b1b8b27d3d227ac1823552f6a377edd06a -DIST perl-cross-1.4.tar.gz 113861 BLAKE2B 7c7783afccc6a04ab122a7c60b1cff7f0a2725655b2b63325ca25d7b8acb0cf993b496e2a590db943054336337ad215550b6b2a565f1d91a5aa9cfe3a4c36db4 SHA512 bde73cac13c0b42c4c6783d7e30dea491d70b65131e1c8434ef75db1f39a8e15ef5857568b706e8456faa3822402676dd247a1f20f4bed983597fdd5a6b4faad DIST perl-cross-1.5.2.tar.gz 120097 BLAKE2B 8703816363b41ea5fe528b192ed28b169cf0bfc3c61a9332682240bdc02f6ef0208fc0202517ba03e7c177bfbb52783c833aacaf2d16583e0f90bd58805a03ff SHA512 fb16316add0a7458f087295077518402eddaa1c759da6e268742e9ba5439cb3f1db7adcd7ef769c4a613b7518ff9e48849f60b24bd2a6daaaf6e96b59bbf0ac8 -DIST perl-cross-1.5.tar.gz 115073 BLAKE2B ecc2764beef5dd188e56c2e499297e09e03a48fe4cb3b1582005e5899d7a3e9f28b9e600a18e16560a9a1955fef6d0a543a601574991a3853c8c9cdee7acc5df SHA512 b358d79e10777118b97568329e11b6b72cfe4960f2f3c0e857de31b515bd588448ad224d182b083f4075b47fd3877decbb037e7d26d4ba090011e6e41946370f
diff --git a/dev-lang/perl/files/perl-5.38.2-CVE-2024-56406.patch b/dev-lang/perl/files/perl-5.38.2-CVE-2024-56406.patch
new file mode 100644
index 0000000..79cea6e
--- /dev/null
+++ b/dev-lang/perl/files/perl-5.38.2-CVE-2024-56406.patch
@@ -0,0 +1,25 @@
+From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space. If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 69ff030e88eb..298b2926338a 100644
+--- a/op.c
++++ b/op.c
+@@ -6881,6 +6881,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
+ * same time. But otherwise one crosses before the other */
+ if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+ can_force_utf8 = TRUE;
++ max_expansion = MAX(2, max_expansion);
+ }
+ }
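Review bot: The one added C line, `max_expansion = MAX(2, max_expansion);`, has no comment, and the reason for the floor of 2 appears only in the patch header: something that starts as bytes and is forced to UTF-8 by the translation can need two bytes where one sufficed. The header is not carried into op.c when the patch is applied, so a short comment above the line such as `/* a byte forced to UTF-8 by the translation may need 2 bytes */` would keep that reasoning next to the code, at the cost of diverging from the upstream cherry-pick. S_pmtrans begins and ends outside the hunk, so the place where max_expansion sizes the allocation cannot be checked from here. The patch also touches only op.c (`1 file changed, 1 insertion(+)`), so no test in this change exercises the fixed path.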
diff --git a/dev-lang/perl/perl-5.38.2-r1.ebuild b/dev-lang/perl/perl-5.38.2-r2.ebuild
similarity index 97%
rename from dev-lang/perl/perl-5.38.2-r1.ebuild
rename to dev-lang/perl/perl-5.38.2-r2.ebuild
index 052d0b1..b0739ad 100644
--- a/dev-lang/perl/perl-5.38.2-r1.ebuild
+++ b/dev-lang/perl/perl-5.38.2-r2.ebuild
@@ -129,12 +129,12 @@ # Reinstall w/ USE Change elif - ( use ithreads && ! has_version dev-lang/perl[ithreads] ) || \ - ( ! use ithreads && has_version dev-lang/perl[ithreads] ) || \ - ( use quadmath && ! has_version dev-lang/perl[quadmath] ) || \ - ( ! use quadmath && has_version dev-lang/perl[quadmath] ) || \ - ( use debug && ! has_version dev-lang/perl[debug] ) || \ - ( ! use debug && has_version dev-lang/perl[debug] ) ; then + ( use ithreads && ! has_version dev-lang/perl[ithreads] ) || \ + ( ! use ithreads && has_version dev-lang/perl[ithreads] ) || \ + ( use quadmath && ! has_version dev-lang/perl[quadmath] ) || \ + ( ! use quadmath && has_version dev-lang/perl[quadmath] ) || \ + ( use debug && ! has_version dev-lang/perl[debug] ) || \ + ( ! use debug && has_version dev-lang/perl[debug] ) ; then echo "" ewarn "TOGGLED USE-FLAGS WARNING:" ewarn "You changed one of the use-flags ithreads, quadmath, or debug." @@ -408,6 +408,11 @@ "Fix clang check in configure" \ "https://github.com/Perl/perl5/issues/21099" + add_patch "${FILESDIR}/${PN}-5.38.2-CVE-2024-56406.patch" \ + "101-5.38.2-CVE-2024-56406.patch" \ + "CVE-2024-56406: Heap-buffer-overflow with tr//" \ + "https://nvd.nist.gov/vuln/detail/CVE-2024-56406" + apply_patchdir tc-is-cross-compiler && src_prepare_perlcross
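Review bot: In the second hunk, the reference passed as the last argument of the new `add_patch` call is the NVD page, which does not let a reader verify the carried patch against upstream; the entry just above it cites the upstream Perl/perl5 tracker instead. Citing the upstream commit named in the patch header (`87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd`, cherry-picked from `f93109c8a6950aafbd7488d98e112552033a3686`) alongside the NVD link would make the provenance checkable. The patch file name is pinned to 5.38.2 and METADATA now records the CVE as mitigated by that file, so both should be revisited when the ebuild moves to a release that already contains the fix. The enclosing function starts and ends outside the hunk.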