Your message dated Mon, 22 Aug 2016 10:22:48 +0000
with message-id <[email protected]>
and subject line Bug#833783: fixed in cdbs 0.4.143
has caused the Debian Bug report #833783,
regarding cdbs: please invoke perl build processes with -I. [CVE-2016-1238]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
833783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833783
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cdbs
Version: 0.4.142
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: [email protected]
Usertags: perl-cwd-inc-removal
As per the referenced thread, we are going to remove '.' from @INC,
the perl module search path, by default, shortly. Please can you apply
something like the attached patches (which were uploaded as a security
update 0.4.130+deb8u1) at your earliest convenience? This will fix
a substantial number of FTBFS bugs resulting from such a change.
The attachments are from my local git repository which I used to
prepare the jessie-security update, to import into the official repo
should you wish. This should make merging/cherry-picking easier.
Thanks,
Dominic.
From 494b17cb191b0ba216194b38182f69105811e33b Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Sat, 9 Jul 2016 11:24:41 +0200
Subject: [PATCH 1/2] Invoke Makefile.PL and Build.PL with perl -I. as part of
the fixes for CVE-2016-1238
---
1/class/perl-build.mk.in | 2 +-
1/class/perl-makemaker-vars.mk.in | 2 +-
1/class/perlmodule-vars.mk.in | 2 +-
debian/changelog | 8 ++++++++
4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/1/class/perl-build.mk.in b/1/class/perl-build.mk.in
index 41615fc..1b459df 100644
--- a/1/class/perl-build.mk.in
+++ b/1/class/perl-build.mk.in
@@ -56,7 +56,7 @@ export AUTOMATED_TESTING = $(DEB_PERL_AUTOMATED_TESTING)
common-configure-arch common-configure-indep:: $(DEB_PERL_SRCDIR)/Build
$(DEB_PERL_SRCDIR)/Build:
$(cdbs_perl_srcdir_check)
- cd $(cdbs_perl_curbuilddir) && perl Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS)
+ cd $(cdbs_perl_curbuilddir) && perl -I. Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS)
common-build-arch common-build-indep:: debian/stamp-perl-build
debian/stamp-perl-build:
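Review bot: the `-I.` added on the Build.PL line puts `.` at the front of @INC, whereas the default `.` being removed sat at the end of the search path, so for the duration of the configure call any .pm under the build directory now shadows the installed copy; that is the intended scope here (Build.PL loads bundled `inc/` helpers), but it is worth a sentence in the changelog. This hunk also calls bare `perl` while the two MakeMaker hunks use `/usr/bin/perl`; pick one so the interpreter is resolved the same way in all three classes.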
diff --git a/1/class/perl-makemaker-vars.mk.in b/1/class/perl-makemaker-vars.mk.in
index 17b2a25..6bc05fb 100644
--- a/1/class/perl-makemaker-vars.mk.in
+++ b/1/class/perl-makemaker-vars.mk.in
@@ -44,7 +44,7 @@ DEB_MAKE_EXTRA_ARGS = \
$(cdbs_perl_lddlflags))" \
$(DEB_MAKE_PARALLEL)
-DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL \
+DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL \
$(DEB_MAKEMAKER_NORMAL_ARGS) \
$(DEB_MAKEMAKER_USER_FLAGS) \
INSTALLDIRS=vendor
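Review bot: `DEB_MAKEMAKER_INVOKE ?=` is only a default, so a package whose debian/rules sets DEB_MAKEMAKER_INVOKE itself (for example to pass extra flags) silently keeps its pre-fix `perl Makefile.PL` and stays affected; either note in the changelog that such overrides need their own `-I.`, or split the interpreter and `-I.` into a variable of their own that a user-supplied invocation is expected to reuse.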
diff --git a/1/class/perlmodule-vars.mk.in b/1/class/perlmodule-vars.mk.in
index 9c69e9a..02e01ef 100644
--- a/1/class/perlmodule-vars.mk.in
+++ b/1/class/perlmodule-vars.mk.in
@@ -49,7 +49,7 @@ DEB_MAKE_EXTRA_ARGS = \
# Unset for standard debhelper rules (use debian/tmp if multiple packages).
DEB_MAKEMAKER_PACKAGE ?= $(firstword $(if $(_cdbs_rules_debhelper),$(shell dh_listpackages),$(shell $(_cdbs_scripts_path)/list-packages)))
-DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor
+DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor
# Set some MakeMaker defaults
# FIXME: Restructure to allow early override
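Review bot: this is a second definition of DEB_MAKEMAKER_INVOKE carrying the same change (the other is in 1/class/perl-makemaker-vars.mk.in); the two differ only in the arguments they append, so one shared definition would have needed a single edit and keeps the `-I.` from drifting out of one copy later.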
diff --git a/debian/changelog b/debian/changelog
index 994bee2..bc16d84 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes
+ for CVE-2016-1238
+
+ -- Dominic Hargreaves <[email protected]> Sat, 09 Jul 2016 11:24:14 +0200
+
cdbs (0.4.130) unstable; urgency=medium
* Fix quoting of compiler flags in perlmodule-vars.mk.
--
2.1.4
From 25c61ff13ca959dd53380ad3ea8a01f7e6c49407 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Mon, 25 Jul 2016 09:34:18 +0100
Subject: [PATCH 2/2] releasing package cdbs version 0.4.130+deb8u1
---
debian/changelog | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index bc16d84..5bc4c42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium
+cdbs (0.4.130+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
* Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes
for CVE-2016-1238
- -- Dominic Hargreaves <[email protected]> Sat, 09 Jul 2016 11:24:14 +0200
+ -- Dominic Hargreaves <[email protected]> Mon, 25 Jul 2016 09:34:18 +0100
cdbs (0.4.130) unstable; urgency=medium
--
2.1.4
--- End Message ---
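The failure the report describes, and the effect of the `-I.` the patches add, as an added shell example that is not part of the bug report or of cdbs: a throwaway source tree with a constructed helper `inc/Local/Helper.pm` and a constructed `Makefile.PL` that loads it through @INC (the inc::Module::Install pattern), run once with `.` stripped from @INC and once with `perl -I.`. The BEGIN block that strips `.` is assumed here so the demo behaves the same on perls that still ship `.` at the end of @INC; the third function shows where `-I.` puts `.` relative to the system paths.

```shell
#!/bin/sh
# Added example (not from the bug report or the cdbs patches): why a
# Makefile.PL that pulls helper modules from the source tree breaks once
# '.' leaves @INC, and how 'perl -I.' restores the lookup. All paths,
# module names and file contents below are constructed for this demo.
set -eu

# Build a throwaway source tree: a bundled helper under inc/ and a
# Makefile.PL that loads it with 'use', so the module is resolved through
# @INC rather than by an explicit path (the pattern CVE-2016-1238 breaks).
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/inc/Local"
    cat > "$dir/inc/Local/Helper.pm" <<'EOF'
package inc::Local::Helper;   # constructed stand-in for a bundled helper
sub configure { print "configured\n"; 1 }
1;
EOF
    cat > "$dir/Makefile.PL" <<'EOF'
use strict;
use warnings;
use inc::Local::Helper;       # found only if '.' (or -I.) is in @INC
inc::Local::Helper::configure();
EOF
    printf '%s\n' "$dir"
}

# Pre-fix behaviour ('perl Makefile.PL') with '.' removed from @INC before
# Makefile.PL is compiled. 'do "./..."' loads the file by path, so only the
# 'use inc::...' inside it goes through @INC. Prints ok or fail.
configure_without_dot() {
    dir=$1
    if (cd "$dir" && perl -e 'BEGIN { @INC = grep { $_ ne "." } @INC }
                              do "./Makefile.PL"; die $@ if $@' >/dev/null 2>&1)
    then echo ok; else echo fail; fi
}

# The fixed invocation from the patches: perl -I. Makefile.PL
configure_with_dot() {
    dir=$1
    if (cd "$dir" && perl -I. Makefile.PL >/dev/null 2>&1)
    then echo ok; else echo fail; fi
}

# Where -I. lands: prints the index of '.' in @INC (0 means it is searched
# before every system path, unlike the removed default, which was last).
dot_position() {
    perl -I. -e 'for my $i (0 .. $#INC) { if ($INC[$i] eq ".") { print "$i\n"; exit } }
                 print "absent\n"'
}

main() {
    tree=$(make_demo_tree)
    echo "perl Makefile.PL, '.' not in \@INC: $(configure_without_dot "$tree")"
    echo "perl -I. Makefile.PL:               $(configure_with_dot "$tree")"
    echo "index of '.' in \@INC under -I.:    $(dot_position)"
    rm -rf "$tree"
}
main
```

Because `-I.` prepends, the check in `dot_position` is the one to keep in mind when reviewing an override of DEB_MAKEMAKER_INVOKE: the fix restores the lookup, but with a stronger precedence than the default `.` ever had, limited to the configure call.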
--- Begin Message ---
Source: cdbs
Source-Version: 0.4.143
We believe that the bug you reported is fixed in the latest version of
cdbs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated cdbs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 22 Aug 2016 11:37:48 +0200
Source: cdbs
Binary: cdbs
Architecture: source all
Version: 0.4.143
Distribution: unstable
Urgency: medium
Maintainer: CDBS Hackers <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Description:
cdbs - common build system for Debian packages
Closes: 831263 833783 835077
Changes:
cdbs (0.4.143) unstable; urgency=medium
.
* Have utils.mk resolve build-dependency on licensecheck (not
devscripts).
* Fix have license-miner emit UTF-8.
* Improve copyright-check:
+ Scan whole files (not only top and bottom, and not only until
first cluster of copyrights).
+ Revert to not force-decode as utf8.
+ Fix re-add comma between year range and owners (dropped in recent
licensecheck) for some corner cases.
+ Use licensecheck --deb-fmt (and adapt cleanup).
+ Fix skip gracefully if licensecheck unavailable or too old.
Closes: Bug#831263. Thanks to Lucas Nussbaum.
+ Make path to licensecheck configurable.
* Fix have perl snippets include current dir during configure call.
Closes: Bug#833783 (CVE-2016-1238). Thanks to Dominic Hargreaves.
* Suppress build-dependency on licensecheck to ease backporting and
arch bootstrapping.
* Stop build-depend on devscripts.
* Modernize debhelper usage: Avoid deprecated --same-arch option.
Closes: Bug#835077. Thanks to Rafael Laboissière.
Checksums-Sha1:
3971d9c76371ad1506c6d9c27698c0aba51d95fd 1825 cdbs_0.4.143.dsc
be4f4fca23fc4e97dd55977079e8882cd9e4263c 202852 cdbs_0.4.143.tar.xz
fe64bde24baa50831f4db86d60e91084662f510f 80856 cdbs_0.4.143_all.deb
Checksums-Sha256:
73e037d109d404209572d982f790c2cf215a00a330b3e6061f9da68866b0f4a0 1825 cdbs_0.4.143.dsc
17be504bdfecfc4ef769b7b82b8f3bdc297a29b2f0a85bcb161007026c82eb29 202852 cdbs_0.4.143.tar.xz
99c4991b81fe3208a16684a9d1bbeaaa76e3a7e476926044bedbe2b867efeaaa 80856 cdbs_0.4.143_all.deb
Files:
cc3abdd15689eb740e1a2f00ecccd330 1825 devel optional cdbs_0.4.143.dsc
47347a9e5af28ec1c9f699d4bd43ab0d 202852 devel optional cdbs_0.4.143.tar.xz
6dbbbc2f00c005d65b86d9def8cc8f33 80856 devel optional cdbs_0.4.143_all.deb
--- End Message ---