Package: cdbs
Version: 0.4.142
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: [email protected]
Usertags: perl-cwd-inc-removal

As per the referenced thread, we are going to remove '.' from @INC, the perl module search path, by default, shortly.

Please can you apply something like the attached patches (which were uploaded as a security update 0.4.130+deb8u1) at your earliest convenience? This will fix a substantial number of FTBFS bugs resulting from such a change.

The attachments are from my local git repository which I used to prepare the jessie-security update, to import into the official repo should you wish. This should make merging/cherry-picking easier.

Thanks,
Dominic.

>From 494b17cb191b0ba216194b38182f69105811e33b Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <[email protected]> Date: Sat, 9 Jul 2016 11:24:41 +0200 Subject: [PATCH 1/2] Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238 --- 1/class/perl-build.mk.in | 2 +- 1/class/perl-makemaker-vars.mk.in | 2 +- 1/class/perlmodule-vars.mk.in | 2 +- debian/changelog | 8 ++++++++ 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/1/class/perl-build.mk.in b/1/class/perl-build.mk.in index 41615fc..1b459df 100644 --- a/1/class/perl-build.mk.in +++ b/1/class/perl-build.mk.in @@ -56,7 +56,7 @@ export AUTOMATED_TESTING = $(DEB_PERL_AUTOMATED_TESTING) common-configure-arch common-configure-indep:: $(DEB_PERL_SRCDIR)/Build $(DEB_PERL_SRCDIR)/Build: $(cdbs_perl_srcdir_check) - cd $(cdbs_perl_curbuilddir) && perl Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS) + cd $(cdbs_perl_curbuilddir) && perl -I. Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS) common-build-arch common-build-indep:: debian/stamp-perl-build debian/stamp-perl-build: diff --git a/1/class/perl-makemaker-vars.mk.in b/1/class/perl-makemaker-vars.mk.in index 17b2a25..6bc05fb 100644 --- a/1/class/perl-makemaker-vars.mk.in +++ b/1/class/perl-makemaker-vars.mk.in @@ -44,7 +44,7 @@ DEB_MAKE_EXTRA_ARGS = \ $(cdbs_perl_lddlflags))" \ $(DEB_MAKE_PARALLEL) -DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL \ +DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL \ $(DEB_MAKEMAKER_NORMAL_ARGS) \ $(DEB_MAKEMAKER_USER_FLAGS) \ INSTALLDIRS=vendor diff --git a/1/class/perlmodule-vars.mk.in b/1/class/perlmodule-vars.mk.in index 9c69e9a..02e01ef 100644 --- a/1/class/perlmodule-vars.mk.in +++ b/1/class/perlmodule-vars.mk.in 
@@ -49,7 +49,7 @@ DEB_MAKE_EXTRA_ARGS = \ # Unset for standard debhelper rules (use debian/tmp if multiple packages). DEB_MAKEMAKER_PACKAGE ?= $(firstword $(if $(_cdbs_rules_debhelper),$(shell dh_listpackages),$(shell $(_cdbs_scripts_path)/list-packages))) -DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor +DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor # Set some MakeMaker defaults # FIXME: Restructure to allow early override diff --git a/debian/changelog b/debian/changelog index 994bee2..bc16d84 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes + for CVE-2016-1238 + + -- Dominic Hargreaves <[email protected]> Sat, 09 Jul 2016 11:24:14 +0200 + cdbs (0.4.130) unstable; urgency=medium * Fix quoting of compiler flags in perlmodule-vars.mk. -- 2.1.4
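Review bot: in 1/class/perl-build.mk.in the Build.PL rule now runs "perl -I. Build.PL", and -I prepends its directory to @INC, so the build directory is searched before the system module paths instead of last, which is where the old default '.' entry sat. A comment above the rule should say that this ordering is intended and that it relies on the preceding "cd $(cdbs_perl_curbuilddir)" having made the unpacked source tree the current directory. The same rule still resolves "perl" through PATH while both DEB_MAKEMAKER_INVOKE defaults use /usr/bin/perl; consider using the absolute path here as well.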
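Review bot: in 1/class/perl-makemaker-vars.mk.in and 1/class/perlmodule-vars.mk.in the new value is assigned with "DEB_MAKEMAKER_INVOKE ?=", so it is only a default: a package whose debian/rules sets its own DEB_MAKEMAKER_INVOKE keeps that value and does not get -I. from this change. The debian/changelog entry should say so, so that maintainers who override the variable know to add -I. themselves.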
>From 25c61ff13ca959dd53380ad3ea8a01f7e6c49407 Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <[email protected]> Date: Mon, 25 Jul 2016 09:34:18 +0100 Subject: [PATCH 2/2] releasing package cdbs version 0.4.130+deb8u1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index bc16d84..5bc4c42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,10 @@ -cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium +cdbs (0.4.130+deb8u1) jessie-security; urgency=high * Non-maintainer upload. * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238 - -- Dominic Hargreaves <[email protected]> Sat, 09 Jul 2016 11:24:14 +0200 + -- Dominic Hargreaves <[email protected]> Mon, 25 Jul 2016 09:34:18 +0100 cdbs (0.4.130) unstable; urgency=medium -- 2.1.4
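Review bot: the first line of the debian/changelog hunk raises urgency from medium to high in the same edit that changes UNRELEASED to jessie-security, but the commit subject only says "releasing package cdbs version 0.4.130+deb8u1". Mention the urgency change in the commit message, or make it part of patch 1/2 where the entry is introduced, so the reason for the bump is on record.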

