On Debian unstable I just got a failure when running the regression
andres@alap4:~/build/postgres/dev-assert/vpath/src/bin/pg_rewind$ make check
rm -rf '/home/andres/build/postgres/dev-assert/vpath'/tmp_install
/bin/mkdir -p '/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log
make -C '../../..' 
DESTDIR='/home/andres/build/postgres/dev-assert/vpath'/tmp_install install 
>'/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log/install.log 2>&1
rm -rf 
cd /home/andres/src/postgresql/src/bin/pg_rewind && 
 prove -I /home/andres/src/postgresql/src/test/perl/ --verbose t/*.pl
t/001_basic.pl ............ 
Can't locate RewindTest.pm in @INC (you may need to install the RewindTest 
module) (@INC contains: /home/andres/src/postgresql/src/test/perl /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 
/usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at t/001_basic.pl 
line 6.
BEGIN failed--compilation aborted at t/001_basic.pl line 6.
# Looks like your test exited with 2 before it could output anything.
Dubious, test returned 2 (wstat 512, 0x200)

Debian's perl changelog says:
perl (5.22.2-3) unstable; urgency=high

  * [SECURITY] CVE-2016-1238: opportunistic loading of optional
    modules can make many programs unintentionally load code
    from the current working directory (which might be changed to
    another directory without the user realising).
    + allow user configurable removal of "." from @INC in
      /etc/perl/sitecustomize.pl for a transitional period. (See: #588017)
    + backport patches from [perl #127834] to fix known vulnerabilities
      even if the user does not configure "." to be removed from @INC
    + backport patches from [perl #127810] to fix various classes of
      build failures in perl and CPAN modules if "." is removed from

and sitecustomize notes:

# This script is only provided as a transition mechanism for
# removing the current working directory from the library search path
# while leaving a temporary way to override this locally.
# If you really need "." to be on @INC globally, you can comment
# this away for now. However, please note that this facility
# is expected to be removed after the Debian stretch release,
# at which point any code in this file will not have any effect.
# Please see CVE-2016-1238 for background information on the risks
# of having "." on @INC.

pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};

ISTM that the easiest fix is to just tack  -I '$(srcdir)' into the prove
flags like:
PG_PROVE_FLAGS = -I $(top_srcdir)/src/test/perl/ -I '$(srcdir)'
PROVE_FLAGS = --verbose

I don't think there are any security concerns for us here.


Andres Freund

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)