From 343693da3333d5137e2233469f1cb28b3b33dfb4 Mon Sep 17 00:00:00 2001
From: Celeste <20312-Celeste@users.gitlab.alpinelinux.org>
Date: Sun, 13 Apr 2025 18:52:35 +0000
Subject: [PATCH] main/perl: patch CVE-2024-56406

---
 main/perl/APKBUILD             |  6 +++++-
 main/perl/CVE-2024-56406.patch | 26 ++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 main/perl/CVE-2024-56406.patch

diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 61aa295eac3..946d6b48a0e 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=perl
 pkgver=5.38.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url="https://www.perl.org/"
 arch="all"
@@ -16,6 +16,7 @@ source="https://www.cpan.org/src/5.0/perl-$pkgver.tar.xz
 	musl-skip-dst-test.patch
 	skip-test-due-to-busybox-ps.patch
 	musl-stack-size.patch
+	CVE-2024-56406.patch
 	"
 # creates empty usr/local/{lib,share} for local sitedirs
 options="!fhs"
@@ -26,6 +27,8 @@ provides="
 	"
 
 # secfixes:
+#   5.38.3-r1:
+#     - CVE-2024-56406
 #   5.38.1-r0:
 #     - CVE-2023-47038
 #   5.34.0-r1:
@@ -192,4 +195,5 @@ sha512sums="
 3eaec691bc38e208ba4f34130ae45e50b6c339fa50093d0b0f6d7f24cb5b7c2a3734ca714a279c4b51173f82e46a8e7a3e70bfc7d7471a18c55a2102140e4186  musl-skip-dst-test.patch
 ba9cb1ff4a6e8e4c31bf4ef132c071ac919ffe45842cf5e98c8ca72d78ef4803883b57a0e7b8037da0079561a6ce9e6bd8d127892ac1bcb047638cb3ba3157f6  skip-test-due-to-busybox-ps.patch
 c004d6612ec754e5947255a2e2d15b5581f187c32495aeeec9f4fa286919bd9f40c72b63db61e3f4004b09288af2063a6a14b67e5c289e9a8b23ebd7c216e16f  musl-stack-size.patch
+45bc05ea9efa9e527ecff4a4796b97fa34cbdf86e736d968c7cca90b372f2b7f4f351b577e4d61d71d6250088735bbf193e757467dc29c568fbc4c15baef9aba  CVE-2024-56406.patch
 "
diff --git a/main/perl/CVE-2024-56406.patch b/main/perl/CVE-2024-56406.patch
new file mode 100644
index 00000000000..a1b9add3744
--- /dev/null
+++ b/main/perl/CVE-2024-56406.patch
@@ -0,0 +1,26 @@
+From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space.  If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 69ff030e88eb..298b2926338a 100644
+--- a/op.c
++++ b/op.c
+@@ -6881,6 +6881,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
+                  * same time.  But otherwise one crosses before the other */
+                 if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+                     can_force_utf8 = TRUE;
++                    max_expansion = MAX(2, max_expansion);
+                 }
+             }
+