[AutoPR- Security] Patch perl for CVE-2026-48962, CVE-2026-48959, CVE-2026-42496, CVE-2025-15649 [HIGH] (microsoft#17602)

Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>

Author: azurelinux-security

SPECS/perl/CVE-2025-15649.patch

@@ -0,0 +1,54 @@
+From 2be341be8403ed34f41340405ce56529270a4c96 Mon Sep 17 00:00:00 2001
+From: pmqs <pmqs@cpan.org>
+Date: Sat, 25 Oct 2025 19:50:08 +0100
+Subject: [PATCH] Enhance _dosToUnixTime to handle zero and invalid datetime
+ values; add tests for edge cases. Fixes #65
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch
+---
+ cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm b/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
+index f1d806b..2b97b6e 100644
+--- a/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
++++ b/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
+@@ -802,8 +802,16 @@ sub filterUncompressed
+ # from Archive::Zip & info-zip
+ sub _dosToUnixTime
+ {
++        # Returns zero when $dt is already zero or it doesn't expand to a value that Time::Local::timelocal()
++        # can handle.
++
+ 	my $dt = shift;
+ 
++        # warn "_dosToUnixTime dt=[$dt]\n";
++
++        # some zip files don't populate the datetime field at all
++        return 0 if ! $dt;
++
+ 	my $year = ( ( $dt >> 25 ) & 0x7f ) + 80;
+ 	my $mon  = ( ( $dt >> 21 ) & 0x0f ) - 1;
+ 	my $mday = ( ( $dt >> 16 ) & 0x1f );
+@@ -813,10 +821,15 @@ sub _dosToUnixTime
+ 	my $sec  = ( ( $dt << 1 ) & 0x3e );
+ 
+     use Time::Local ;
+-    my $time_t = Time::Local::timelocal( $sec, $min, $hour, $mday, $mon, $year);
++
++    my $time_t ;
++    # wrap in an eval to catch out of range errors
++    eval {
++        $time_t = Time::Local::timelocal( $sec, $min, $hour, $mday, $mon, $year);
++    } ;
++
+     return 0 if ! defined $time_t;
+     return $time_t;
+-
+ }
+ 
+ #sub scanCentralDirectory
+-- 
+2.45.4
+

SPECS/perl/CVE-2026-42496.patch

@@ -0,0 +1,84 @@
+From 2a8c5c216e721aae28ad5c7456fe74158955c62b Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <stig@stig.io>
+Date: Thu, 21 May 2026 19:59:21 +0100
+Subject: [PATCH] Validate symlink and hardlink linkname in SECURE MODE
+
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch
+---
+ cpan/Archive-Tar/lib/Archive/Tar.pm     | 30 +++++++++++++++++++++++++
+ cpan/Archive-Tar/t/04_resolved_issues.t |  2 ++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 476e646..4c73823 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -944,6 +944,19 @@ sub _make_special_file {
+     my $err;
+ 
+     if( $entry->is_symlink ) {
++        if( !$INSECURE_EXTRACT_MODE ) {
++            my $linkname = $entry->linkname;
++            if( File::Spec->file_name_is_absolute($linkname) ) {
++                $self->_error( qq[Symlink '] . $entry->full_path .
++                    qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
++                return;
++            }
++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++                $self->_error( qq[Symlink '] . $entry->full_path .
++                    qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
++                return;
++            }
++        }
+         my $fail;
+         if( ON_UNIX ) {
+             symlink( $entry->linkname, $file ) or $fail++;
+@@ -957,6 +970,23 @@ sub _make_special_file {
+                 $entry->linkname .q[' failed] if $fail;
+ 
+     } elsif ( $entry->is_hardlink ) {
++        if( !$INSECURE_EXTRACT_MODE ) {
++            my $linkname = $entry->linkname;
++            if( File::Spec->file_name_is_absolute($linkname) ) {
++                $self->_error( qq[Hardlink '] . $entry->full_path .
++                    qq[' has absolute target '$linkname'. Not extracting ] .
++                    qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
++                    qq[the shared inode.] );
++                return;
++            }
++            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
++                $self->_error( qq[Hardlink '] . $entry->full_path .
++                    qq[' target '$linkname' attempts traversal. Not ] .
++                    qq[extracting under SECURE EXTRACT MODE: extraction ] .
++                    qq[itself chmods the shared inode.] );
++                return;
++            }
++        }
+         my $fail;
+         if( ON_UNIX ) {
+             link( $entry->linkname, $file ) or $fail++;
+diff --git a/cpan/Archive-Tar/t/04_resolved_issues.t b/cpan/Archive-Tar/t/04_resolved_issues.t
+index fc713cd..a0ce3d9 100644
+--- a/cpan/Archive-Tar/t/04_resolved_issues.t
++++ b/cpan/Archive-Tar/t/04_resolved_issues.t
+@@ -219,6 +219,7 @@ SKIP: {
+ 		}
+ 
+     { #use case 1 - in memory extraction
++      local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ 			my $t=Archive::Tar->new;
+ 			$t->read( $archname );
+ 			my $r = eval{ $t->extract };
+@@ -230,6 +231,7 @@ SKIP: {
+ 
+ 		{ #use case 2 - iter extraction
+ 		  #$DB::single = 2;
++      local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
+ 			my $next=Archive::Tar->iter( $archname, 1 );
+ 			my $failed = 0;
+ 			#use Data::Dumper;
+-- 
+2.45.4
+

SPECS/perl/CVE-2026-48959.patch

@@ -0,0 +1,29 @@
+From ea1152d046eb5a747f3ab0b5e3922ba4749227ca Mon Sep 17 00:00:00 2001
+From: pmqs <pmqs@cpan.org>
+Date: Fri, 15 May 2026 23:18:39 +0100
+Subject: [PATCH] Fix typo in fastForward #72
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch
+---
+ cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm b/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
+index 981c4e9..e867944 100644
+--- a/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
++++ b/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm
+@@ -157,8 +157,8 @@ sub fastForward
+ 
+     while ($offset > 0)
+     {
+-        $c = length $offset
+-            if length $offset < $c ;
++        $c = $offset
++            if $offset < $c ;
+ 
+         $offset -= $c;
+ 
+-- 
+2.45.4
+

SPECS/perl/CVE-2026-48962.patch

@@ -0,0 +1,166 @@
+From 80dbc85d1a78dd2ab85e3c0e325d38359d66e0dc Mon Sep 17 00:00:00 2001
+From: pmqs <pmqs@cpan.org>
+Date: Sat, 16 May 2026 17:48:34 +0100
+Subject: [PATCH] remove use of eval in globmapper. #73
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
+---
+ cpan/IO-Compress/lib/File/GlobMapper.pm | 52 ++++++++++++++++++++-----
+ cpan/IO-Compress/t/globmapper.t         | 52 ++++++++++++++++++++++++-
+ 2 files changed, 94 insertions(+), 10 deletions(-)
+
+diff --git a/cpan/IO-Compress/lib/File/GlobMapper.pm b/cpan/IO-Compress/lib/File/GlobMapper.pm
+index f015b16..8936146 100644
+--- a/cpan/IO-Compress/lib/File/GlobMapper.pm
++++ b/cpan/IO-Compress/lib/File/GlobMapper.pm
+@@ -29,6 +29,11 @@ our ($VERSION, @EXPORT_OK);
+ $VERSION = '1.001';
+ @EXPORT_OK = qw( globmap );
+ 
++our $BEGIN_DELIM = "\xFF";
++our $END_DELIM   = "\xFE";
++our $BACKSLASH_ESC = "\xFD";
++our $HASH_ESC = "\xFC";
++our $STAR_ESC = "\xFB";
+ 
+ our ($noPreBS, $metachars, $matchMetaRE, %mapping, %wildCount);
+ $noPreBS = '(?<!\\\)' ; # no preceding backslash
+@@ -310,14 +315,23 @@ sub _parseOutputGlob
+     }
+ 
+     my $noPreBS = '(?<!\\\)' ; # no preceding backslash
+-    #warn "noPreBS = '$noPreBS'\n";
++    my $noPreESC = '(?<![${BEGIN_DELIM}])' ; # no preceding backslash
+ 
+-    #$string =~ s/${noPreBS}\$(\d)/\${$1}/g;
+-    $string =~ s/${noPreBS}#(\d)/\${$1}/g;
+-    $string =~ s#${noPreBS}\*#\${inFile}#g;
+-    $string = '"' . $string . '"';
++    # escape any use of the delimiter symbols
++    # $string =~ s/(${BEGIN_DELIM}|${END_DELIM}|${BACKSLASH_ESC})/$1$1/g;
++
++    # escape \# and \*
++    $string =~ s/\\#/${HASH_ESC}/g;
++    $string =~ s/\\\*/${STAR_ESC}/g;
++
++    # Transform "#3" to BEGIN_DELIM 3 END_DELIM
++    $string =~ s/${noPreESC}#(\d)/${BEGIN_DELIM}${1}${END_DELIM}/g;
++
++    $string =~ s#\*#${BEGIN_DELIM}${END_DELIM}#g;
++
++    # print "INPUT  '$self->{InputPattern}'\n";
++    # print "OUTPUT '$self->{OutputGlob}' => '$string'\n";
+ 
+-    #print "OUTPUT '$self->{OutputGlob}' => '$string'\n";
+     $self->{OutputPattern} = $string ;
+ 
+     return 1 ;
+@@ -335,11 +349,31 @@ sub _getFiles
+         next if $inFiles{$inFile} ++ ;
+ 
+         my $outFile = $inFile ;
++        my @matches ;
++
++        my $noPreESC = '(?<![${BEGIN_DELIM}])' ; # no preceding backslash
+ 
+-        if ( $inFile =~ m/$self->{InputPattern}/ )
++        if (@matches = ($inFile =~ m/$self->{InputPattern}/ ))
+         {
+-            no warnings 'uninitialized';
+-            eval "\$outFile = $self->{OutputPattern};" ;
++            $outFile = $self->{OutputPattern};
++            my $ix = 1;
++
++            # get the filename glob
++            $outFile =~ s/${noPreESC}${BEGIN_DELIM}${END_DELIM}/$inFile/g;
++
++            # now each of the #1, #2,...
++            for my $pattern (@matches)
++            {
++                $outFile =~ s/${noPreESC}${BEGIN_DELIM}${ix}${END_DELIM}/$pattern/g;
++
++                ++ $ix;
++            }
++
++            # unescape
++            $outFile =~ s/${BEGIN_DELIM}${BEGIN_DELIM}/${BEGIN_DELIM}/g;
++            $outFile =~ s/${END_DELIM}${END_DELIM}/${END_DELIM}/g;
++            $outFile =~ s/${HASH_ESC}/#/g;
++            $outFile =~ s/${STAR_ESC}/*/g;
+ 
+             if (defined $outInMapping{$outFile})
+             {
+diff --git a/cpan/IO-Compress/t/globmapper.t b/cpan/IO-Compress/t/globmapper.t
+index c97beb6..926b5e3 100644
+--- a/cpan/IO-Compress/t/globmapper.t
++++ b/cpan/IO-Compress/t/globmapper.t
+@@ -24,7 +24,7 @@ Perl $]" )
+     $extra = 1
+         if eval { require Test::NoWarnings ;  import Test::NoWarnings; 1 };
+ 
+-    plan tests => 68 + $extra ;
++    plan tests => 76 + $extra ;
+ 
+     use_ok('File::GlobMapper') ;
+ }
+@@ -290,6 +290,56 @@ Perl $]" )
+         ], "  got mapping";
+ }
+ 
++{
++    title "check escaping";
++
++    my $tmpDir ;#= 'td';
++    my $lex = LexDir->new( $tmpDir );
++
++    my $BEGIN_DELIM = "\xFF";
++    my $END_DELIM   = "\xFE";
++
++    #mkdir $tmpDir, 0777 ;
++
++    touch map { "$tmpDir/$_.tmp" } qw( abc1 abc2 abc3 ) ;
++
++    my $map = File::GlobMapper::globmap("$tmpDir/*b*.tmp", "$tmpDir/X-${BEGIN_DELIM}#2-#1${END_DELIM}-X");
++    ok $map, "  got map"
++        or diag $File::GlobMapper::Error ;
++
++    is @{ $map }, 3, "  returned 3 maps";
++    is_deeply $map,
++        [ [map { "$tmpDir/$_" } ("abc1.tmp", "X-${BEGIN_DELIM}c1-a${END_DELIM}-X")],
++          [map { "$tmpDir/$_" } ("abc2.tmp", "X-${BEGIN_DELIM}c2-a${END_DELIM}-X")],
++          [map { "$tmpDir/$_" } ("abc3.tmp", "X-${BEGIN_DELIM}c3-a${END_DELIM}-X")],
++        ], "  got mapping";
++}
++
++{
++    title "check backslash escaping";
++
++    my $tmpDir ;#= 'td';
++    my $lex = LexDir->new( $tmpDir );
++
++    my $BEGIN_DELIM = "\xFF";
++    my $END_DELIM   = "\xFE";
++
++    #mkdir $tmpDir, 0777 ;
++
++    touch map { "$tmpDir/$_.tmp" } qw( abc1 abc2 abc3 ) ;
++
++    my $map = File::GlobMapper::globmap("$tmpDir/*b*.tmp", $tmpDir . '/X-#2-\\#1\\*-X');
++    ok $map, "  got map"
++        or diag $File::GlobMapper::Error ;
++
++    is @{ $map }, 3, "  returned 3 maps";
++    is_deeply $map,
++        [ [map { "$tmpDir/$_" } ("abc1.tmp", "X-c1-#1*-X")],
++          [map { "$tmpDir/$_" } ("abc2.tmp", "X-c2-#1*-X")],
++          [map { "$tmpDir/$_" } ("abc3.tmp", "X-c3-#1*-X")],
++        ], "  got mapping";
++}
++
+ # TODO
+ # test each of the wildcard metacharacters can be mapped to the output filename
+ #
+-- 
+2.45.4
+

SPECS/perl/perl.spec

@@ -127,7 +127,7 @@ License:        GPL+ or Artistic
 Epoch:          %{perl_epoch}
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        509%{?dist}
+Release:        510%{?dist}
 Summary:        Practical Extraction and Report Language
 Url:            https://www.perl.org/
 Vendor:         Microsoft Corporation
@@ -190,6 +190,10 @@ Patch202:       perl-5.36.0-Add-definition-of-OPTIMIZE-to-.ph-files.patch
 Patch203:       CVE-2024-56406.patch
 
 Patch204:       CVE-2025-40909.patch
+Patch205:       CVE-2025-15649.patch
+Patch206:       CVE-2026-42496.patch
+Patch207:       CVE-2026-48959.patch
+Patch208:       CVE-2026-48962.patch
 
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@@ -6846,6 +6850,9 @@ popd
 
 # Old changelog entries are preserved in CVS.
 %changelog
+* Tue Jun 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4:5.38.2-510
+- Patch for CVE-2026-48962, CVE-2026-48959, CVE-2026-42496, CVE-2025-15649
+
 * Wed Jun 04 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 4:5.38.2-509
 - Patch CVE-2025-40909