Bug#833783: marked as done (cdbs: please invoke perl build processes with -I. [CVE-2016-1238])
Your message dated Mon, 22 Aug 2016 10:22:48 + with message-id and subject line Bug#833783: fixed in cdbs 0.4.143 has caused the Debian Bug report #833783, regarding cdbs: please invoke perl build processes with -I. [CVE-2016-1238] to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
833783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: cdbs
Version: 0.4.142
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: debian-p...@lists.debian.org
Usertags: perl-cwd-inc-removal

As per the referenced thread, we are going to remove '.' from @INC, the perl module search path, by default, shortly. Please can you apply something like the attached patches (which were uploaded as a security update 0.4.130+deb8u1) at your earliest convenience? This will fix a substantial number of FTBFS bugs resulting from such a change.

The attachments are from my local git repository which I used to prepare the jessie-security update, to import into the official repo should you wish. This should make merging/cherry-picking easier.

Thanks,
Dominic.

>From 494b17cb191b0ba216194b38182f69105811e33b Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves
Date: Sat, 9 Jul 2016 11:24:41 +0200
Subject: [PATCH 1/2] Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238

---
 1/class/perl-build.mk.in          | 2 +-
 1/class/perl-makemaker-vars.mk.in | 2 +-
 1/class/perlmodule-vars.mk.in     | 2 +-
 debian/changelog                  | 8
 4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/1/class/perl-build.mk.in b/1/class/perl-build.mk.in index 41615fc..1b459df 100644 --- a/1/class/perl-build.mk.in +++ b/1/class/perl-build.mk.in @@ -56,7 +56,7 @@ export AUTOMATED_TESTING = $(DEB_PERL_AUTOMATED_TESTING) common-configure-arch common-configure-indep:: $(DEB_PERL_SRCDIR)/Build $(DEB_PERL_SRCDIR)/Build: $(cdbs_perl_srcdir_check) - cd $(cdbs_perl_curbuilddir) && perl Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS) + cd $(cdbs_perl_curbuilddir) && perl -I. Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS) common-build-arch common-build-indep:: debian/stamp-perl-build debian/stamp-perl-build: diff --git a/1/class/perl-makemaker-vars.mk.in b/1/class/perl-makemaker-vars.mk.in index 17b2a25..6bc05fb 100644 --- a/1/class/perl-makemaker-vars.mk.in +++ b/1/class/perl-makemaker-vars.mk.in @@ -44,7 +44,7 @@ DEB_MAKE_EXTRA_ARGS = \ $(cdbs_perl_lddlflags))" \ $(DEB_MAKE_PARALLEL) -DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL \ +DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL \ $(DEB_MAKEMAKER_NORMAL_ARGS) \ $(DEB_MAKEMAKER_USER_FLAGS) \ INSTALLDIRS=vendor diff --git a/1/class/perlmodule-vars.mk.in b/1/class/perlmodule-vars.mk.in index 9c69e9a..02e01ef 100644 --- a/1/class/perlmodule-vars.mk.in +++ b/1/class/perlmodule-vars.mk.in @@ -49,7 +49,7 @@ DEB_MAKE_EXTRA_ARGS = \ # Unset for standard debhelper rules (use debian/tmp if multiple packages). DEB_MAKEMAKER_PACKAGE ?= $(firstword $(if $(_cdbs_rules_debhelper),$(shell dh_listpackages),$(shell $(_cdbs_scripts_path)/list-packages))) -DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor +DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor # Set some MakeMaker defaults # FIXME: Restructure to allow early override diff --git a/debian/changelog b/debian/changelog index 994bee2..bc16d84 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes +for CVE-2016-1238 + + -- Dominic Hargreaves Sat, 09 Jul 2016 11:24:14 +0200 + cdbs (0.4.130) unstable; urgency=medium * Fix quoting of compiler flags in perlmodule-vars.mk. -- 2.1.4 >From 25c61ff13ca959dd53380ad3ea8a01f7e6c49407 Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves Date: Mon, 25 Jul 2016 09:34:18 +0100 Subject: [PATCH 2/2] releasing package cdbs version 0.4.130+deb8u1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index bc16d84..5bc4c42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,10 @@ -cdbs
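Review bot: in the 1/class/perl-build.mk.in hunk the Build.PL rule still runs a bare `perl` (PATH lookup) while the two Makefile.PL hunks use `/usr/bin/perl`; the `-I.` addition is right, but since all three lines are being touched anyway this is the moment to make them consistent, e.g. `cd $(cdbs_perl_curbuilddir) && /usr/bin/perl -I. Build.PL ...`. Only the configure step changes here: the `debian/stamp-perl-build` target in the trailing context, which runs the generated Build script, is untouched, so please confirm that step does not also rely on '.' being in @INC before closing this out.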
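Review bot: in the 1/class/perl-makemaker-vars.mk.in hunk, `-I.` places '.' at the front of @INC, whereas the default being removed had it at the end, so during configure a same-named file under the source tree now shadows an installed module instead of acting as a fallback. That is acceptable for trusted package sources in a build chroot, but nothing in the file says why the flag is there; add a one-line comment above `DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL \` naming CVE-2016-1238 so the flag is not removed later as apparently redundant. The same applies to the identical line in 1/class/perlmodule-vars.mk.in.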
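Review bot: the debian/changelog hunk adds a stanza for `cdbs (0.4.130+deb8u1) UNRELEASED`, the jessie-security NMU, while this bug is filed against 0.4.142 in unstable, so this hunk (and the whole of [PATCH 2/2], which only releases that stanza) will not apply to the main branch; cherry-pick the three .mk.in hunks alone and write a fresh unstable changelog entry. The closing message above shows the fix landed as cdbs 0.4.143.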
Bug#833783: marked as done (cdbs: please invoke perl build processes with -I. [CVE-2016-1238])

Your message dated Mon, 8 Aug 2016 16:53:26 +0100 with message-id <20160808155326.gh27...@urchin.earth.li> and subject line duplicate has caused the Debian Bug report #833783, regarding cdbs: please invoke perl build processes with -I. [CVE-2016-1238] to be marked as done.