From: "Yoann Congal" <yoann.congal@smile.fr>
To: <hprajapati@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [kirkstone][PATCH] perl: fix CVE-2025-40909
Date: Sat, 14 Mar 2026 17:02:03 +0100 [thread overview]
Message-ID: <DH2MQQRN46UP.32FYBDWM15C6I@smile.fr> (raw)
In-Reply-To: <20260227083801.544222-1-hprajapati@mvista.com>
Hello,
On Fri Feb 27, 2026 at 9:38 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Backport the patch[1] which fixes this vulnerability as mentioned in NVD report.
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-40909
>
> [1] https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9
>
> Backport of upstream commit 918bfff (CVE-2025-40909) introduces a new
> configuration variable "d_fdopendir" which is used by config_h.SH to
> generate HAS_FDOPENDIR.
Looks to me that this fix is needed for scarthgap and whinlatter. Can
you please send an equivalent fix there first?
> In standard Perl builds this variable is detected by Configure.
> However in Yocto the perl-native/perl builds rely on
> perlcross with pre-seeded config.sh and Configure is not fully
> executed. As a result d_fdopendir may be unset, which causes
> config_h.SH to emit an invalid preprocessor directive:
>
> # HAS_FDOPENDIR
>
> leading to build failures.
>
> Additionally, leaving the variable unset disables the new code path
> introduced by the CVE fix.
>
> Seed d_fdopendir to "define" to match expected Linux/glibc behaviour
> where fdopendir() is available. This restores correct config.h
> generation and ensures the CVE fix is active.
I'm not really familiar with perl integration but instead of using sed
to patch a generated file, shouldn't we patch perl-cross with this
(submitted but not merged) PR?
https://github.com/arsv/perl-cross/pull/159/changes/f702c387e6940fab3801d7562a668b974a2b3a8f
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../perl/files/CVE-2025-40909.patch | 415 ++++++++++++++++++
> meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
> 2 files changed, 417 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2025-40909.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2025-40909.patch b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch
> new file mode 100644
> index 0000000000..b5cb20e112
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2025-40909.patch
> @@ -0,0 +1,415 @@
> +From 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 Mon Sep 17 00:00:00 2001
> +From: Leon Timmermans <fawaka@gmail.com>
> +Date: Fri, 23 May 2025 15:40:41 +0200
> +Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir
> +
> +This uses fdopendir and dup to dirhandles. This means it won't change
> +working directory during thread cloning, which prevents race conditions
> +that can happen if a third thread is active at the same time.
> +
> +CVE: CVE-2025-40909
> +Upstream-Status: Backport [https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + Configure | 6 ++
> + Cross/config.sh-arm-linux | 1 +
> + Cross/config.sh-arm-linux-n770 | 1 +
> + Porting/Glossary | 5 ++
> + Porting/config.sh | 1 +
> + config_h.SH | 6 ++
> + configure.com | 1 +
> + plan9/config_sh.sample | 1 +
> + sv.c | 91 +----------------------------
> + t/op/threads-dirh.t | 104 +--------------------------------
> + win32/config.gc | 1 +
> + win32/config.vc | 1 +
> + 12 files changed, 28 insertions(+), 191 deletions(-)
> +
> +diff --git a/Configure b/Configure
> +index 913e080..b668593 100755
> +--- a/Configure
> ++++ b/Configure
> +@@ -476,6 +476,7 @@ d_fd_set=''
> + d_fds_bits=''
> + d_fdclose=''
> + d_fdim=''
> ++d_fdopendir=''
> + d_fegetround=''
> + d_fgetpos=''
> + d_finite=''
> +@@ -13222,6 +13223,10 @@ esac
> + set i_fcntl
> + eval $setvar
> +
> ++: see if fdopendir exists
> ++set fdopendir d_fdopendir
> ++eval $inlibc
> ++
> + : see if fork exists
> + set fork d_fork
> + eval $inlibc
> +@@ -24329,6 +24334,7 @@ d_flockproto='$d_flockproto'
> + d_fma='$d_fma'
> + d_fmax='$d_fmax'
> + d_fmin='$d_fmin'
> ++d_fdopendir='$d_fdopendir'
> + d_fork='$d_fork'
> + d_fp_class='$d_fp_class'
> + d_fp_classify='$d_fp_classify'
> +diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux
> +index c472b09..4b346a3 100644
> +--- a/Cross/config.sh-arm-linux
> ++++ b/Cross/config.sh-arm-linux
> +@@ -211,6 +211,7 @@ d_fd_macros='define'
> + d_fd_set='define'
> + d_fdclose='undef'
> + d_fdim='undef'
> ++d_fdopendir='undef'
> + d_fds_bits='undef'
> + d_fegetround='define'
> + d_fgetpos='define'
> +diff --git a/Cross/config.sh-arm-linux-n770 b/Cross/config.sh-arm-linux-n770
> +index 7b10cbf..8dc2f83 100644
> +--- a/Cross/config.sh-arm-linux-n770
> ++++ b/Cross/config.sh-arm-linux-n770
> +@@ -210,6 +210,7 @@ d_fd_macros='define'
> + d_fd_set='define'
> + d_fdclose='undef'
> + d_fdim='undef'
> ++d_fdopendir='undef'
> + d_fds_bits='undef'
> + d_fegetround='define'
> + d_fgetpos='define'
> +diff --git a/Porting/Glossary b/Porting/Glossary
> +index d28e8c5..0a98386 100644
> +--- a/Porting/Glossary
> ++++ b/Porting/Glossary
> +@@ -933,6 +933,11 @@ d_fmin (d_fmin.U):
> + This variable conditionally defines the HAS_FMIN symbol, which
> + indicates to the C program that the fmin() routine is available.
> +
> ++d_fdopendir (d_fdopendir.U):
> ++ This variable conditionally defines the HAS_FORK symbol, which
> ++ indicates that the fdopen routine is available to open a
> ++ directory descriptor.
> ++
> + d_fork (d_fork.U):
> + This variable conditionally defines the HAS_FORK symbol, which
> + indicates to the C program that the fork() routine is available.
> +diff --git a/Porting/config.sh b/Porting/config.sh
> +index a88cffb..6ab32ac 100644
> +--- a/Porting/config.sh
> ++++ b/Porting/config.sh
> +@@ -227,6 +227,7 @@ d_fd_macros='define'
> + d_fd_set='define'
> + d_fdclose='undef'
> + d_fdim='define'
> ++d_fdopendir='define'
> + d_fds_bits='define'
> + d_fegetround='define'
> + d_fgetpos='define'
> +diff --git a/config_h.SH b/config_h.SH
> +index 8264f91..61040b5 100755
> +--- a/config_h.SH
> ++++ b/config_h.SH
> +@@ -142,6 +142,12 @@ sed <<!GROK!THIS! >$CONFIG_H -e 's!^#undef\(.*/\)\*!/\*#define\1 \*!' -e 's!^#un
> + */
> + #$d_fcntl HAS_FCNTL /**/
> +
> ++/* HAS_FDOPENDIR:
> ++ * This symbol, if defined, indicates that the fdopen routine is
> ++ * available to open a directory descriptor.
> ++ */
> ++#$d_fdopendir HAS_FDOPENDIR /**/
> ++
> + /* HAS_FGETPOS:
> + * This symbol, if defined, indicates that the fgetpos routine is
> + * available to get the file position indicator, similar to ftell().
> +diff --git a/configure.com b/configure.com
> +index df29582..0d80fa0 100644
> +--- a/configure.com
> ++++ b/configure.com
> +@@ -6211,6 +6211,7 @@ $ WC "d_fd_set='" + d_fd_set + "'"
> + $ WC "d_fd_macros='define'"
> + $ WC "d_fdclose='undef'"
> + $ WC "d_fdim='" + d_fdim + "'"
> ++$ WC "d_fdopendir='undef'"
> + $ WC "d_fds_bits='define'"
> + $ WC "d_fegetround='undef'"
> + $ WC "d_fgetpos='define'"
> +diff --git a/plan9/config_sh.sample b/plan9/config_sh.sample
> +index d4f6928..c87fc9b 100644
> +--- a/plan9/config_sh.sample
> ++++ b/plan9/config_sh.sample
> +@@ -211,6 +211,7 @@ d_fd_macros='undef'
> + d_fd_set='undef'
> + d_fdclose='undef'
> + d_fdim='undef'
> ++d_fdopendir='undef'
> + d_fds_bits='undef'
> + d_fegetround='undef'
> + d_fgetpos='define'
> +diff --git a/sv.c b/sv.c
> +index 46bf981..1fd16ca 100644
> +--- a/sv.c
> ++++ b/sv.c
> +@@ -13619,15 +13619,6 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param)
> + {
> + DIR *ret;
> +
> +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
> +- DIR *pwd;
> +- const Direntry_t *dirent;
> +- char smallbuf[256]; /* XXX MAXPATHLEN, surely? */
> +- char *name = NULL;
> +- STRLEN len = 0;
> +- long pos;
> +-#endif
> +-
> + PERL_UNUSED_CONTEXT;
> + PERL_ARGS_ASSERT_DIRP_DUP;
> +
> +@@ -13639,89 +13630,13 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param)
> + if (ret)
> + return ret;
> +
> +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
> ++#ifdef HAS_FDOPENDIR
> +
> + PERL_UNUSED_ARG(param);
> +
> +- /* create anew */
> +-
> +- /* open the current directory (so we can switch back) */
> +- if (!(pwd = PerlDir_open("."))) return (DIR *)NULL;
> +-
> +- /* chdir to our dir handle and open the present working directory */
> +- if (fchdir(my_dirfd(dp)) < 0 || !(ret = PerlDir_open("."))) {
> +- PerlDir_close(pwd);
> +- return (DIR *)NULL;
> +- }
> +- /* Now we should have two dir handles pointing to the same dir. */
> +-
> +- /* Be nice to the calling code and chdir back to where we were. */
> +- /* XXX If this fails, then what? */
> +- PERL_UNUSED_RESULT(fchdir(my_dirfd(pwd)));
> +-
> +- /* We have no need of the pwd handle any more. */
> +- PerlDir_close(pwd);
> +-
> +-#ifdef DIRNAMLEN
> +-# define d_namlen(d) (d)->d_namlen
> +-#else
> +-# define d_namlen(d) strlen((d)->d_name)
> +-#endif
> +- /* Iterate once through dp, to get the file name at the current posi-
> +- tion. Then step back. */
> +- pos = PerlDir_tell(dp);
> +- if ((dirent = PerlDir_read(dp))) {
> +- len = d_namlen(dirent);
> +- if (len > sizeof(dirent->d_name) && sizeof(dirent->d_name) > PTRSIZE) {
> +- /* If the len is somehow magically longer than the
> +- * maximum length of the directory entry, even though
> +- * we could fit it in a buffer, we could not copy it
> +- * from the dirent. Bail out. */
> +- PerlDir_close(ret);
> +- return (DIR*)NULL;
> +- }
> +- if (len <= sizeof smallbuf) name = smallbuf;
> +- else Newx(name, len, char);
> +- Move(dirent->d_name, name, len, char);
> +- }
> +- PerlDir_seek(dp, pos);
> +-
> +- /* Iterate through the new dir handle, till we find a file with the
> +- right name. */
> +- if (!dirent) /* just before the end */
> +- for(;;) {
> +- pos = PerlDir_tell(ret);
> +- if (PerlDir_read(ret)) continue; /* not there yet */
> +- PerlDir_seek(ret, pos); /* step back */
> +- break;
> +- }
> +- else {
> +- const long pos0 = PerlDir_tell(ret);
> +- for(;;) {
> +- pos = PerlDir_tell(ret);
> +- if ((dirent = PerlDir_read(ret))) {
> +- if (len == (STRLEN)d_namlen(dirent)
> +- && memEQ(name, dirent->d_name, len)) {
> +- /* found it */
> +- PerlDir_seek(ret, pos); /* step back */
> +- break;
> +- }
> +- /* else we are not there yet; keep iterating */
> +- }
> +- else { /* This is not meant to happen. The best we can do is
> +- reset the iterator to the beginning. */
> +- PerlDir_seek(ret, pos0);
> +- break;
> +- }
> +- }
> +- }
> +-#undef d_namlen
> +-
> +- if (name && name != smallbuf)
> +- Safefree(name);
> +-#endif
> ++ ret = fdopendir(dup(my_dirfd(dp)));
> +
> +-#ifdef WIN32
> ++#elif defined(WIN32)
> + ret = win32_dirp_dup(dp, param);
> + #endif
> +
> +diff --git a/t/op/threads-dirh.t b/t/op/threads-dirh.t
> +index bb4bcfc..14c399c 100644
> +--- a/t/op/threads-dirh.t
> ++++ b/t/op/threads-dirh.t
> +@@ -13,16 +13,12 @@ BEGIN {
> + skip_all_if_miniperl("no dynamic loading on miniperl, no threads");
> + skip_all("runs out of memory on some EBCDIC") if $ENV{PERL_SKIP_BIG_MEM_TESTS};
> +
> +- plan(6);
> ++ plan(1);
> + }
> +
> + use strict;
> + use warnings;
> + use threads;
> +-use threads::shared;
> +-use File::Path;
> +-use File::Spec::Functions qw 'updir catdir';
> +-use Cwd 'getcwd';
> +
> + # Basic sanity check: make sure this does not crash
> + fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh';
> +@@ -31,101 +27,3 @@ fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh';
> + async{}->join for 1..2;
> + print "ok";
> + # this is no comment
> +-
> +-my $dir;
> +-SKIP: {
> +- skip "telldir or seekdir not defined on this platform", 5
> +- if !$Config::Config{d_telldir} || !$Config::Config{d_seekdir};
> +- my $skip = sub {
> +- chdir($dir);
> +- chdir updir;
> +- skip $_[0], 5
> +- };
> +-
> +- if(!$Config::Config{d_fchdir} && $^O ne "MSWin32") {
> +- $::TODO = 'dir handle cloning currently requires fchdir on non-Windows platforms';
> +- }
> +-
> +- my @w :shared; # warnings accumulator
> +- local $SIG{__WARN__} = sub { push @w, $_[0] };
> +-
> +- $dir = catdir getcwd(), "thrext$$" . int rand() * 100000;
> +-
> +- rmtree($dir) if -d $dir;
> +- mkdir($dir);
> +-
> +- # Create a dir structure like this:
> +- # $dir
> +- # |
> +- # `- toberead
> +- # |
> +- # +---- thrit
> +- # |
> +- # +---- rile
> +- # |
> +- # `---- zor
> +-
> +- chdir($dir);
> +- mkdir 'toberead';
> +- chdir 'toberead';
> +- {open my $fh, ">thrit" or &$skip("Cannot create file thrit")}
> +- {open my $fh, ">rile" or &$skip("Cannot create file rile")}
> +- {open my $fh, ">zor" or &$skip("Cannot create file zor")}
> +- chdir updir;
> +-
> +- # Then test that dir iterators are cloned correctly.
> +-
> +- opendir my $toberead, 'toberead';
> +- my $start_pos = telldir $toberead;
> +- my @first_2 = (scalar readdir $toberead, scalar readdir $toberead);
> +- my @from_thread = @{; async { [readdir $toberead ] } ->join };
> +- my @from_main = readdir $toberead;
> +- is join('-', sort @from_thread), join('-', sort @from_main),
> +- 'dir iterator is copied from one thread to another';
> +- like
> +- join('-', "", sort(@first_2, @from_thread), ""),
> +- qr/(?<!-rile)-rile-thrit-zor-(?!zor-)/i,
> +- 'cloned iterator iterates exactly once over everything not already seen';
> +-
> +- seekdir $toberead, $start_pos;
> +- readdir $toberead for 1 .. @first_2+@from_thread;
> +- {
> +- local $::TODO; # This always passes when dir handles are not cloned.
> +- is
> +- async { readdir $toberead // 'undef' } ->join, 'undef',
> +- 'cloned dir iterator that points to the end of the directory'
> +- ;
> +- }
> +-
> +- # Make sure the cloning code can handle file names longer than 255 chars
> +- SKIP: {
> +- chdir 'toberead';
> +- open my $fh,
> +- ">floccipaucinihilopilification-"
> +- . "pneumonoultramicroscopicsilicovolcanoconiosis-"
> +- . "lopadotemachoselachogaleokranioleipsanodrimypotrimmatosilphiokarabo"
> +- . "melitokatakechymenokichlepikossyphophattoperisteralektryonoptokephal"
> +- . "liokinklopeleiolagoiosiraiobaphetraganopterygon"
> +- or
> +- chdir updir,
> +- skip("OS does not support long file names (and I mean *long*)", 1);
> +- chdir updir;
> +- opendir my $dirh, "toberead";
> +- my $test_name
> +- = "dir iterators can be cloned when the next fn > 255 chars";
> +- while() {
> +- my $pos = telldir $dirh;
> +- my $fn = readdir($dirh);
> +- if(!defined $fn) { fail($test_name); last SKIP; }
> +- if($fn =~ 'lagoio') {
> +- seekdir $dirh, $pos;
> +- last;
> +- }
> +- }
> +- is length async { scalar readdir $dirh } ->join, 258, $test_name;
> +- }
> +-
> +- is scalar @w, 0, 'no warnings during all that' or diag @w;
> +- chdir updir;
> +-}
> +-rmtree($dir);
> +diff --git a/win32/config.gc b/win32/config.gc
> +index af6fed9..7ae6f9b 100644
> +--- a/win32/config.gc
> ++++ b/win32/config.gc
> +@@ -198,6 +198,7 @@ d_fd_macros='define'
> + d_fd_set='define'
> + d_fdclose='undef'
> + d_fdim='undef'
> ++d_fdopendir='undef'
> + d_fds_bits='define'
> + d_fegetround='undef'
> + d_fgetpos='define'
> +diff --git a/win32/config.vc b/win32/config.vc
> +index f4625bf..8725177 100644
> +--- a/win32/config.vc
> ++++ b/win32/config.vc
> +@@ -198,6 +198,7 @@ d_fd_macros='define'
> + d_fd_set='define'
> + d_fdclose='undef'
> + d_fdim='undef'
> ++d_fdopendir='undef'
> + d_fds_bits='define'
> + d_fegetround='undef'
> + d_fgetpos='define'
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/perl/perl_5.34.3.bb b/meta/recipes-devtools/perl/perl_5.34.3.bb
> index c8475fc450..25c4e4991d 100644
> --- a/meta/recipes-devtools/perl/perl_5.34.3.bb
> +++ b/meta/recipes-devtools/perl/perl_5.34.3.bb
> @@ -22,6 +22,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
> file://CVE-2023-31486-0001.patch \
> file://CVE-2023-31486-0002.patch \
> file://0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch \
> + file://CVE-2025-40909.patch \
> "
> SRC_URI:append:class-native = " \
> file://perl-configpm-switch.patch \
> @@ -56,6 +57,7 @@ CVE_CHECK_IGNORE:append = " CVE-2023-47038"
>
> do_configure:prepend() {
> cp -rfp ${STAGING_DATADIR_NATIVE}/perl-cross/* ${S}
> + sed -i '1i d_fdopendir=define' ${S}/config_h.SH
> }
>
> do_configure:class-target() {
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-03-14 16:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-27 8:38 [kirkstone][PATCH] perl: fix CVE-2025-40909 Hitendra Prajapati
2026-03-06 12:16 ` Hitendra Prajapati
2026-03-08 17:28 ` [OE-core] " Yoann Congal
2026-03-14 16:02 ` Yoann Congal [this message]
2026-03-16 4:51 ` Hitendra Prajapati
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DH2MQQRN46UP.32FYBDWM15C6I@smile.fr \
--to=yoann.congal@smile.fr \
--cc=hprajapati@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox