Your message dated Mon, 8 Aug 2016 16:52:52 +0100
with message-id <[email protected]>
and subject line duplicate
has caused the Debian Bug report #833781,
regarding debhelper: please invoke perl build processes with -I. [CVE-2016-1238]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
833781: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833781
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debhelper
Version: 9.20160709
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: [email protected]
Usertags: perl-cwd-inc-removal
As per the referenced thread, we are going to remove '.' from @INC,
the perl module search path, by default, shortly. Please can you apply
something like the attached patches (which were uploaded as a security
update 9.20150101+deb8u2) at your earliest convenience? This will fix
a substantial number of FTBFS bugs resulting from such a change.
The attachments are from my local git repository which I used to
prepare the jessie-security update, to import into the official repo
should you wish. This should make merging/cherry-picking easier.
Thanks,
Dominic.
From d4ac7680af8f2d9c265bf96b9cb96942c7fe54a7 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Thu, 7 Jul 2016 16:54:15 +0200
Subject: [PATCH 1/4] Invoke Makefile.PL and Build.PL with perl -I. as part of
the fixes for CVE-2016-1238
---
Debian/Debhelper/Buildsystem/perl_build.pm | 2 +-
Debian/Debhelper/Buildsystem/perl_makemaker.pm | 2 +-
debian/changelog | 8 ++++++++
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Debian/Debhelper/Buildsystem/perl_build.pm b/Debian/Debhelper/Buildsystem/perl_build.pm
index 4cfbcb4..6b2ef8b 100644
--- a/Debian/Debhelper/Buildsystem/perl_build.pm
+++ b/Debian/Debhelper/Buildsystem/perl_build.pm
@@ -48,7 +48,7 @@ sub configure {
if ($ENV{LDFLAGS} && ! compat(8)) {
push @flags, "--config", "ld=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}";
}
- $this->do_perl("Build.PL", "--installdirs", "vendor", @flags, @_);
+ $this->do_perl("-I.", "Build.PL", "--installdirs", "vendor", @flags, @_);
}
sub build {
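Review bot: `-I.` moves '.' as well as restoring it: the implicit entry being removed was the last element of @INC, whereas `-I` prepends, so for the duration of Build.PL any file in the source root whose name matches an installed module (a top-level `Config.pm`, say) now shadows the system copy instead of losing to it. That is acceptable for a trusted source tree but deserves a sentence in the commit message, as does the scope of the hunk: it only covers the configure step, and the later `./Build`, `./Build test` and `./Build install` invocations still run with the interpreter's default @INC, so a package whose test suite relies on '.' is not helped by this change alone.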
diff --git a/Debian/Debhelper/Buildsystem/perl_makemaker.pm b/Debian/Debhelper/Buildsystem/perl_makemaker.pm
index 60cda3d..c4f6b42 100644
--- a/Debian/Debhelper/Buildsystem/perl_makemaker.pm
+++ b/Debian/Debhelper/Buildsystem/perl_makemaker.pm
@@ -54,7 +54,7 @@ sub configure {
push @flags, "LD=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}";
}
- $this->doit_in_sourcedir("perl", "Makefile.PL", "INSTALLDIRS=vendor",
+ $this->doit_in_sourcedir("perl", "-I.", "Makefile.PL", "INSTALLDIRS=vendor",
# if perl_build is not tested first, need to pass packlist
# option to handle fallthrough case
(compat(7) ? "create_packlist=0" : ()),
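Review bot: The `-I.` is correctly placed between the interpreter and the script, so it is consumed by perl rather than parsed by Makefile.PL as a KEY=value argument; keep that ordering if the argument list is ever reshuffled. Same caveat as for perl_build: the Makefile that MakeMaker generates runs the later phases through $(PERLRUN)/$(FULLPERLRUN) with the default @INC, so `make test` does not inherit this '.' and still depends on the environment-level PERL_USE_UNSAFE_INC export in patch 2/4.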
diff --git a/debian/changelog b/debian/changelog
index a6408c7..d1455c4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
+ CVE-2016-1238
+
+ -- Dominic Hargreaves <[email protected]> Thu, 07 Jul 2016 16:53:02 +0200
+
debhelper (9.20150101) unstable; urgency=medium
[ Niels Thykier ]
--
2.1.4
From 142436ea9b345e35c70c55cb3163b6dfe4c32385 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Wed, 20 Jul 2016 00:25:25 +0100
Subject: [PATCH 2/4] Export PERL_USE_UNSAFE_INC to fix a further set of
packages which fail to build with . removed from @INC
---
Debian/Debhelper/Dh_Lib.pm | 5 +++++
debian/changelog | 2 ++
2 files changed, 7 insertions(+)
diff --git a/Debian/Debhelper/Dh_Lib.pm b/Debian/Debhelper/Dh_Lib.pm
index 0519d20..64ea4ac 100644
--- a/Debian/Debhelper/Dh_Lib.pm
+++ b/Debian/Debhelper/Dh_Lib.pm
@@ -982,6 +982,11 @@ sub set_buildflags {
return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8);
$ENV{DH_INTERNAL_BUILDFLAGS}=1;
+ # Export PERL_USE_UNSAFE_INC as a transitional step to allow us
+ # to remove . from @INC by default without breaking packages which
+ # rely on this [CVE-2016-1238]
+ $ENV{PERL_USE_UNSAFE_INC}=1;
+
eval "use Dpkg::BuildFlags";
if ($@) {
warning "unable to load build flags: $@";
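Review bot: The export sits below `return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8);`, so packages at compat level 8 or lower never receive PERL_USE_UNSAFE_INC even though the commit message presents the export as the fix for a further set of failing packages; if those packages are meant to be covered, move the assignment above the early return, since it does not depend on the build flags being loaded. Two smaller points: the unconditional `$ENV{PERL_USE_UNSAFE_INC}=1;` clobbers a maintainer who deliberately exports PERL_USE_UNSAFE_INC=0 to prove a package builds without '.', so `$ENV{PERL_USE_UNSAFE_INC} = 1 unless defined $ENV{PERL_USE_UNSAFE_INC};` would be friendlier; and because this re-enables the unsafe @INC for every perl started under dh, test suites included, the "transitional step" comment should say what retires it (a compat level bump or a tracking bug) rather than leaving it open-ended.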
diff --git a/debian/changelog b/debian/changelog
index d1455c4..c5d2a6d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
* Non-maintainer upload.
* Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
CVE-2016-1238
+ * Export PERL_USE_UNSAFE_INC to fix a further set of packages which
+ fail to build with . removed from @INC
-- Dominic Hargreaves <[email protected]> Thu, 07 Jul 2016 16:53:02 +0200
--
2.1.4
From 4ba75eee566c3a6af6c75c2119d938e3fb7796b9 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Sun, 24 Jul 2016 19:12:52 +0100
Subject: [PATCH 3/4] releasing package debhelper version 9.20150101+deb8u1
---
debian/changelog | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index c5d2a6d..dcaa609 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
+debhelper (9.20150101+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
* Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
@@ -6,7 +6,7 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
* Export PERL_USE_UNSAFE_INC to fix a further set of packages which
fail to build with . removed from @INC
- -- Dominic Hargreaves <[email protected]> Thu, 07 Jul 2016 16:53:02 +0200
+ -- Dominic Hargreaves <[email protected]> Sun, 24 Jul 2016 19:12:37 +0100
debhelper (9.20150101) unstable; urgency=medium
--
2.1.4
From 4e26f80bed689eea059c64e48b42bfc358119eea Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Sun, 24 Jul 2016 20:16:48 +0100
Subject: [PATCH 4/4] Re-upload to security-master
---
debian/changelog | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index dcaa609..85cb55f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debhelper (9.20150101+deb8u2) jessie-security; urgency=high
+
+ * Non-maintainer upload.
+ * Re-upload to security-master
+
+ -- Dominic Hargreaves <[email protected]> Sun, 24 Jul 2016 20:13:55 +0100
+
debhelper (9.20150101+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
--
2.1.4
--- End Message ---
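The cover letter above says that '.' is about to be removed from @INC and that the two debhelper changes compensate with `perl -I.` for the configure scripts and with PERL_USE_UNSAFE_INC=1 for everything else. As an added illustration, not part of the bug report, of Dominic's patches or of debhelper, the Perl script below builds a throwaway directory containing a made-up module (Optional::Thing, a constructed name, not a real CPAN module) and probes for it under each @INC layout: the legacy layout with '.' last, the hardened layout with no '.', and the `-I.` layout with '.' first. The eval/require probe is the pattern CVE-2016-1238 abuses: a script probing for an optional module that is not installed falls through to the current directory.

```perl
#!/usr/bin/perl
# Added example; not part of the bug report, of the attached patches, or of
# debhelper. Shows the CVE-2016-1238 mechanism ('.' in @INC lets a file in the
# current directory satisfy a 'require' for a module that is not installed)
# and what each of the two debhelper changes does to @INC.
use strict;
use warnings;
use Cwd        qw(getcwd);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Constructed fixture: a scratch directory holding Optional/Thing.pm, standing
# in for an attacker-writable working directory (think /tmp) that a script is
# run from. Optional::Thing is a made-up name, not a real module.
my $scratch = tempdir(CLEANUP => 1);
make_path("$scratch/Optional");
open my $fh, '>', "$scratch/Optional/Thing.pm" or die "open: $!";
print $fh "package Optional::Thing;\n1;\n";
close $fh or die "close: $!";

# Emulates code that probes for an optional dependency with eval/require.
# Takes the @INC to search; returns the path the module was loaded from,
# or undef when it was not found.
sub probe_optional {
    my @search = @_;
    local @INC = @search;
    delete $INC{'Optional/Thing.pm'};          # forget any earlier attempt
    return eval { require Optional::Thing; $INC{'Optional/Thing.pm'} };
}

my $orig_cwd = getcwd();
chdir $scratch or die "chdir: $!";
my @no_dot = grep { $_ ne '.' } @INC;          # the hardened default

my @cases = (
    # Before the fix: perl appended '.' to @INC. PERL_USE_UNSAFE_INC=1
    # (patch 2/4) makes a hardened perl restore exactly this layout for
    # every perl started under dh.
    [ 'legacy / PERL_USE_UNSAFE_INC=1: . last' => probe_optional(@no_dot, '.') ],
    # Hardened perl with '.' removed, the change the bug report prepares for.
    [ 'hardened: no .'                         => probe_optional(@no_dot) ],
    # Patch 1/4: 'perl -I. Makefile.PL' puts '.' at the FRONT, for that one
    # interpreter invocation only.
    [ 'perl -I.: . first'                      => probe_optional('.', @no_dot) ],
);
chdir $orig_cwd or die "chdir: $!";

for my $case (@cases) {
    my ($label, $loaded_from) = @$case;
    printf "%-40s %s\n", $label,
        defined $loaded_from ? "loaded from $loaded_from" : "Optional::Thing not found";
}

# Finally, what this interpreter itself does: '.' present means either a perl
# that still has the legacy default or PERL_USE_UNSAFE_INC=1 in the environment.
printf "this perl (%vd): '.' %s in \@INC, PERL_USE_UNSAFE_INC=%s\n", $^V,
    (grep { $_ eq '.' } @INC) ? 'is' : 'is not',
    defined $ENV{PERL_USE_UNSAFE_INC} ? $ENV{PERL_USE_UNSAFE_INC} : 'unset';
```

Run it once as is and once with `PERL_USE_UNSAFE_INC=1` in the environment to see the last line change on a hardened perl. The first two cases both find the planted module, which is the whole problem: the `-I.` fix narrows the exposure to one trusted build script run from the source tree, while the environment variable gives the legacy behaviour back wholesale, which is why the cover letter calls it transitional.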
--- Begin Message ---
Apologies, I had completely missed that this was already filed and is
pending.
--- End Message ---