On Wed, Jul 02, 2025 at 11:29:08PM +0000, Yang Wang wrote:
> Package: perl
> Version: 5.36.0-7+deb12u3
> Severity: minor
> Tags: patch
> X-Debbugs-Cc: t...@security.debian.org
> 
> Dear Maintainer,
> 
> The recent upstream CVE-2025-40909, which describes a race condition in 
> directory handle duplication when using threads, affects Perl in Bookworm as 
> well.
> 
> I have prepared a minimal backport patch for Bookworm's perl 
> (5.36.0-7+deb12u3), based on the upstream commits and Debian's fixes already 
> applied to trixie/sid.

This is not fixed in trixie or sid yet, see #1108676. I think
that is a pre-condition for fixing it in stable.

> The patch only touches:
> - sv.c
> - t/op/threads-dirh.t
> 
> This matches upstream and sid's fix without introducing broader changes or 
> requiring regeneration of configuration files.

I think this version just closes any open directory handles when spawning
new threads, rather than cloning them as the old code did (and the new code
is supposed to do).

This is because nothing defines HAS_FDOPENDIR as you've removed the
relevant configuration probe.

The reduced functionality can be seen with for example

  perl -Mthreads -E 'opendir(D, "/"); threads->create(sub {say for readdir D})->join'

which should list files in the root directory but no longer does with
your patch.

Also, if this gets fixed later to actually take the fdopendir code path,
I think this later commit in the upstream stable branches (maint-5.38,
maint-5.40) should also be included:

  https://github.com/Perl/perl5/commit/0bb170146084d626e1ff0dee1936b9eb92a68cf9

FWIW I'd personally prefer to use the full upstream patches rather than
mangling this one further. That's what I did for the proposed sid/trixie
fix. But I'm not going to block someone else taking responsibility and
doing things differently.

-- 
Niko Tyni   nt...@debian.org
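
The difference between the two code paths discussed in the message above, as an added C sketch that is not part of the original mail and is not the code from Perl's sv.c: with `HAS_FDOPENDIR` defined, a directory handle is cloned with `dup()` and `fdopendir()`; without it, the new thread gets no handle at all. The helper names (`clone_dirh`, `count_entries`, `entries_seen_by_clone`) are hypothetical, and the macro is defined by hand here instead of by a configuration probe.

```c
#define _POSIX_C_SOURCE 200809L   /* for dirfd() and fdopendir() */
#include <dirent.h>
#include <stdio.h>
#include <unistd.h>

/* Assumption: normally set by a build-time probe. Remove to see the fallback. */
#define HAS_FDOPENDIR 1

/* Hypothetical helper: a second DIR* for the same directory, or NULL. */
static DIR *clone_dirh(DIR *src)
{
#ifdef HAS_FDOPENDIR
    int fd = src ? dup(dirfd(src)) : -1;       /* independent descriptor */
    DIR *copy = fd < 0 ? NULL : fdopendir(fd); /* on success the stream owns fd */
    if (fd >= 0 && copy == NULL)
        close(fd);
    return copy;
#else
    (void)src;
    return NULL;          /* nothing defined the macro: no handle in the clone */
#endif
}

/* Count entries readable through a handle; -1 when there is no handle. */
static int count_entries(DIR *d)
{
    int n = 0;
    if (d == NULL)
        return -1;
    while (readdir(d) != NULL)
        n++;
    return n;
}

/* Open a directory, clone the handle, report what the clone can list. */
static int entries_seen_by_clone(const char *path)
{
    DIR *parent = opendir(path);
    DIR *child = clone_dirh(parent);
    int n = count_entries(child);
    if (child) closedir(child);
    if (parent) closedir(parent);
    return n;
}

int main(void)
{
    printf("clone lists %d entries in /\n", entries_seen_by_clone("/"));
    return 0;
}
```

A descriptor obtained with `dup()` shares the underlying file offset with the original, so the clone starts reading from wherever the original descriptor currently is.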
