Package: perl
Version: 5.14.2-21+deb7u4
Severity: grave
Justification: renders package unusable
Dear Maintainer,
* What led up to the situation?
We updated our systems with the latest security patches (and then spent a day debugging)
* What exactly did you do (or not do) that was effective (or ineffective)?
Started up CGI apps
* What was the outcome of this action?
use base died complaining that base package was empty
* What outcome did you expect instead?
Things to work.
Debugging outcome:
The problem was introduced by the fix noted in the title. The problem is that although use base has a require in the eval, the failure of that require is always fatal, so this is not an optional dependency. Without the security fix everything runs normally. But with it, strange, order-dependent side-effects occur.
For example, assuming that '.' needs to be in @INC, without the patch the following both work:
    use base 'MyBaseClass';
and
    use MyBaseClass;
    use base 'MyBaseClass';
The difference, of course, is that the latter runs MyBaseClass->import().
With the security fix, the latter still works but the former dies because MyBaseClass is empty following the failed effort to require it.
I would be very surprised if this doesn't break a fair number of CGI-based Perl web apps bundled with Debian, and it isn't in the scope of the original vulnerability report. So the fix should be reversed as applied to this module.
use base is supposed to follow the same rules as use. This is now badly broken on Debian and it needs to be fixed.
-- System Information:
Debian Release: 7.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages perl depends on:
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u11
ii libdb5.1 5.1.29-5
ii libgdbm3 1.8.3-11
ii perl-base 5.14.2-21+deb7u4
ii perl-modules 5.14.2-21+deb7u4
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages perl recommends:
ii netbase 5.0
Versions of packages perl suggests:
pn libterm-readline-gnu-perl | libterm-readline-perl-perl <none>
ii make 3.81-8.2
pn perl-doc <none>
-- no debconf information
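
Added example, not part of the original report and not base.pm's code: a simplified stand-in for the "require inside eval, then check the package" pattern the report describes, showing why the result depends on whether the module was loaded beforehand. The helper try_base(), the temporary MyBaseClass.pm file, and the premise that the fix hides '.' from @INC during the require are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not base.pm's code. try_base() is a hypothetical,
# simplified stand-in for "require inside eval, then check the package".
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample: a base class that lives only in the current directory.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
END { chdir '/' }    # leave the temp dir so it can be cleaned up at exit
open my $fh, '>', 'MyBaseClass.pm' or die "open: $!";
print {$fh} "package MyBaseClass;\nsub new { return bless {}, shift }\n1;\n";
close $fh or die "close: $!";

# The report assumes '.' is in @INC; newer perls no longer add it by default.
push @INC, '.' unless grep($_ eq '.', @INC);

sub try_base {
    my ($class, $hide_dot) = @_;
    (my $file = "$class.pm") =~ s{::}{/}g;
    {
        # Assumption: the fix hides '.' from @INC while the require runs.
        local @INC = $hide_dot ? grep($_ ne '.', @INC) : @INC;
        eval { require $file; 1 };    # a failed require is swallowed here ...
    }
    # ... and only surfaces afterwards as a package with nothing in it.
    return $class->can('new') ? 'loaded' : 'empty';
}

# Case 1: "use base 'MyBaseClass';" on its own, with '.' hidden.
# The module cannot be located, so the package stays empty.
print "use base alone:          ", try_base('MyBaseClass', 1), "\n";

# Case 2: "use MyBaseClass; use base 'MyBaseClass';".
# The explicit load records the file in %INC, so the later require inside
# the eval returns immediately even though '.' is hidden again.
require MyBaseClass;
print "use Module, then base:   ", try_base('MyBaseClass', 1), "\n";
```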