untrusted comment: signature from openbsd 6.3 base secret key
RWRxzbLwAd76ZTRnLbSY/OdR4a9pOuoRBQY5Q9wSFSWQbZFIFzalnfjmTgh97nhTjTKGAQrpducHK599pXdeN/LeHH9Sg8ALUAc=

OpenBSD 6.3 errata 011, June 20, 2018:

Perl's Archive::Tar module could be made to write files outside of
its working directory.

Apply by doing:
    signify -Vep /etc/signify/openbsd-63-base.pub -x 011_perl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then install the patched module:
    cd /usr/src/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive
    install -o root -g bin -m 444 Tar.pm /usr/libdata/perl5/Archive/Tar.pm

Index: gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm
===================================================================
RCS file: /cvs/src/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm,v
retrieving revision 1.3
diff -u -p -r1.3 Tar.pm
--- gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm	5 Feb 2017 00:31:54 -0000	1.3
+++ gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm	14 Jun 2018 01:36:30 -0000
@@ -845,6 +845,20 @@ sub _extract_file {
         return;
     }
 
+    ### If a file system already contains a block device with the same name as
+    ### the being extracted regular file, we would write the file's content
+    ### to the block device. So remove the existing file (block device) now.
+    ### If an archive contains multiple same-named entries, the last one
+    ### should replace the previous ones. So remove the old file now.
+    ### If the old entry is a symlink to a file outside of the CWD, the new
+    ### entry would create a file there. This is CVE-2018-12015
+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+    if (-l $full || -e _) {
+	if (!unlink $full) {
+	    $self->_error( qq[Could not remove old file '$full': $!] );
+	    return;
+	}
+    }
     if( length $entry->type && $entry->is_file ) {
         my $fh = IO::File->new;
         $fh->open( '>' . $full ) or (