From f4025eb2068b29333fab98661bb4252031b0852d Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 4 Jun 2025 11:23:17 +0800
Subject: [PATCH] Fix CVE-2025-40908
(cherry picked from commit 0b053475f9f9113a56c7f02d7de9da264bf3723b)
---
 CVE-2025-40908.patch | 29 +++++++++++++++++++++++++++++
 perl-YAML-LibYAML.spec | 6 +++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-40908.patch
diff --git a/CVE-2025-40908.patch b/CVE-2025-40908.patch
new file mode 100644
index 0000000..913da4b
--- /dev/null
+++ b/CVE-2025-40908.patch
@@ -0,0 +1,29 @@
+From 5fe9daed726c06900c3cd41a739460057bec6dc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tina=20M=C3=BCller?=
+Date: Wed, 29 Jan 2025 21:17:28 +0100
+Subject: [PATCH] Use 3-arg form of open in LoadFile
+
+Origin: https://github.com/ingydotnet/yaml-libyaml-pm/pull/121
+
+Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+
+Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
+
+One should check untrusted filenames in any case, though.
+---
+ lib/YAML/XS.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
+index 66ff5ba..e8df694 100644
+--- a/lib/YAML/XS.pm
++++ b/lib/YAML/XS.pm
+@@ -54,7 +54,7 @@ sub LoadFile {
+ $IN = $filename;
+ }
+ else {
+- open $IN, $filename
++ open $IN, '<', $filename
+ or die "Can't open '$filename' for input:\n$!";
+ }
+ return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 98848fb..f036644 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
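Review bot: The fix changes only lib/YAML/XS.pm and carries no regression test; a t/ case asserting that `LoadFile('>' . $path)` dies with the "Can't open" message and leaves `$path` untouched (and likewise for a `|`-prefixed name) is what would keep CVE-2025-40908 from silently regressing on a later upstream sync. The `'<'` mode closes the `>`, `>>` and `|` mode-injection paths for LoadFile, but, as the patch header itself says, nothing here validates the filename — traversal or reading of arbitrary files remains the caller's problem — so a short `# 3-arg open (CVE-2025-40908): the filename must never be parsed as a mode` next to the `open` would stop a future cleanup from reverting it. If DumpFile, which is not in this hunk, still uses the same two-argument form, it needs the same treatment. LoadFile's opening `if` and the declaration of `$IN` lie outside the hunk.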
@@ -1,11 +1,12 @@
 Name: perl-YAML-LibYAML
 Epoch: 1
 Version: 0.88
-Release: 1
+Release: 2
 Summary: Perl YAML Serialization using XS and libyaml
 License: GPL+ or Artistic
 URL: https://metacpan.org/release/YAML-LibYAML
 Source0: https://cpan.metacpan.org/modules/by-module/YAML/YAML-LibYAML-%{version}.tar.gz
+Patch0: CVE-2025-40908.patch
 BuildRequires: coreutils findutils perl-devel perl-generators perl-interpreter perl(Config)
 BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 perl(B::Deparse) perl(base) perl(constant)
@@ -57,6 +58,9 @@ find %{buildroot} -type f -name '*.bs' -empty -exec rm {} \;
 %{_mandir}/man3/YAML::*
 %changelog
+* Wed Jun 04 2025 wangkai <13474090681@163.com> - 1:0.88-2
+- Fix CVE-2025-40908
+
 * Sat Sep 09 2023 yaoxin - 1:0.88-1
 - Update to 0.88
-- 
Gitee
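Review bot: `Patch0: CVE-2025-40908.patch` is declared in the first hunk, but no change to `%prep` is part of this diff, so whether the patch is actually applied depends on the existing `%prep` section, which is outside both hunks. With `%autosetup` every PatchN is applied automatically; with a plain `%setup` the build would ship the unfixed 0.88 sources while the changelog claims the CVE is fixed. If `%prep` uses `%setup`, add `%patch0 -p1` directly after it. It is also worth confirming that the patch applies cleanly to 0.88, since the embedded upstream commit was written against a newer tree.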