Source: libintl-perl
Version: 1.26-1
Severity: important
User: [email protected]
Usertags: perl-cwd-inc-removal
Tags: patch

Thanks for uploading 1.26-1 to remove the dynamic module loading
vulnerability from libintl-perl! Unfortunately, the next stage of addressing
this set of vulnerabilities, by removing '.' from @INC by default,
necessitates another patch.

This package FTBFS when '.' is removed from @INC, as seen at [1].
Here is a patch:

diff -urN libintl-perl-1.26.orig/Makefile.PL libintl-perl-1.26/Makefile.PL
--- libintl-perl-1.26.orig/Makefile.PL  2016-05-16 20:31:26.000000000 +0100
+++ libintl-perl-1.26/Makefile.PL       2016-08-23 12:25:52.271805442 +0100
@@ -199,7 +199,7 @@
        my $fragment = $self->SUPER::tools_other (@_);
 
        $fragment =~ s/^MOD_INSTALL\s*=\s*(.*?)-MExtUtils::Install
-               /MOD_INSTALL =$1-MMyInstall/msx;
+               /MOD_INSTALL =$1-I. -MMyInstall/msx;
 
        return $fragment;
 }
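
Review bot: On the `+` line, `-I.` puts the current directory back at the front of @INC for the whole MOD_INSTALL perl invocation, not only for `-MMyInstall`, because directories given with -I are prepended to the search path. Every module that command loads is therefore looked up in the working directory first, which is a wider scope than the old default of '.' at the end of @INC. That is acceptable only if the install step always runs from the unpacked source tree. Consider adding a comment above the substitution stating that assumption, or passing an absolute path to the directory holding MyInstall (computed when Makefile.PL runs) instead of a relative `.`.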


This change is being made for security reasons; for more background,
see #588017 and [2].

This bug will become RC when the perl package change removing '.' from
@INC by default is uploaded to unstable, expected in a week or two.

Thanks,
Dominic.

[1] <http://perl.debian.net/rebuild-logs/experimental/libintl-perl_1.26-1/libintl-perl_1.26-1_amd64-2016-08-23T11%3A14%3A26Z.build>
[2] <https://lists.debian.org/debian-release/2016/07/msg00456.html>
