perlPackages.DataUUID: Add patch for CVE-2013-4184

[stigtsp]

Description of changes

Adds a patch from bleargh45/Data-UUID#40 for CVE-2013-4184 to perlPackages.DataUUID. It removes the vulnerable state file functionality completely.

In the case of NixOS the state directory ended up being /build/, so saving state didn't work in our case anyway - but could maybe introduce some impurity afaik.

$ strace perl -MData::UUID -E 'say Data::UUID->new->create_b64()'
[..]
openat(AT_FDCWD, "/build/.UUID_NODEID", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
[..]
openat(AT_FDCWD, "/build/.UUID_STATE", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)

Gentoo and Debian has marked it as unimportant since it should be mitigated by fs.protected_symlinks=1:

• https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-4184
• https://security-tracker.debian.org/tracker/CVE-2013-4184

Result of nixpkgs-review run on x86_64-linux 1

45 packages built:

• gscan2pdf
• gscan2pdf.man
• hydra_unstable
• perl534Packages.CHI
• perl534Packages.CHI.devdoc
• perl534Packages.CatalystAuthenticationCredentialHTTP
• perl534Packages.CatalystAuthenticationCredentialHTTP.devdoc
• perl534Packages.DataGUID
• perl534Packages.DataGUID.devdoc
• perl534Packages.DataUUID
• perl534Packages.DataUUID.devdoc
• perl534Packages.GrowlGNTP
• perl534Packages.GrowlGNTP.devdoc
• perl534Packages.MojoSAML
• perl534Packages.MojoSAML.devdoc
• perl534Packages.MojoUserAgentCached
• perl534Packages.MojoUserAgentCached.devdoc
• perl534Packages.Test2Harness
• perl534Packages.Test2Harness.devdoc
• perl534Packages.Test2PluginUUID
• perl534Packages.Test2PluginUUID.devdoc
• perl534Packages.Workflow
• perl534Packages.Workflow.devdoc
• perl536Packages.CHI
• perl536Packages.CHI.devdoc
• perl536Packages.CatalystAuthenticationCredentialHTTP
• perl536Packages.CatalystAuthenticationCredentialHTTP.devdoc
• perl536Packages.DataGUID
• perl536Packages.DataGUID.devdoc
• perl536Packages.DataUUID
• perl536Packages.DataUUID.devdoc
• perl536Packages.GrowlGNTP
• perl536Packages.GrowlGNTP.devdoc
• perl536Packages.MojoSAML
• perl536Packages.MojoSAML.devdoc
• perl536Packages.MojoUserAgentCached
• perl536Packages.MojoUserAgentCached.devdoc
• perl536Packages.Test2Harness
• perl536Packages.Test2Harness.devdoc
• perl536Packages.Test2PluginUUID
• perl536Packages.Test2PluginUUID.devdoc
• perl536Packages.Workflow
• perl536Packages.Workflow.devdoc
• rt
• slic3r

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[stigtsp]

@GrahamcOfBorg test hydra

[stigtsp]

With one approval, and no breakage afaik, I'm self-merging this patch