Bug#833783: marked as done (cdbs: please invoke perl build processes with -I. [CVE-2016-1238])

2016-08-22 Thread Debian Bug Tracking System
Your message dated Mon, 22 Aug 2016 10:22:48 +
with message-id 
and subject line Bug#833783: fixed in cdbs 0.4.143
has caused the Debian Bug report #833783,
regarding cdbs: please invoke perl build processes with -I. [CVE-2016-1238]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
833783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cdbs
Version: 0.4.142
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: debian-p...@lists.debian.org
Usertags: perl-cwd-inc-removal

As per the referenced thread, we are going to remove '.' from @INC,
the perl module search path, by default, shortly. Please can you apply
something like the attached patches (which were uploaded as a security
update 0.4.130+deb8u1) at your earliest convenience? This will fix
a substantial number of FTBFS bugs resulting from such a change.

The attachments are from my local git repository which I used to 
prepare the jessie-security update, to import into the official repo
should you wish. This should make merging/cherry-picking easier.

Thanks,
Dominic.
From 494b17cb191b0ba216194b38182f69105811e33b Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves 
Date: Sat, 9 Jul 2016 11:24:41 +0200
Subject: [PATCH 1/2] Invoke Makefile.PL and Build.PL with perl -I. as part of
 the fixes for CVE-2016-1238

---
 1/class/perl-build.mk.in  | 2 +-
 1/class/perl-makemaker-vars.mk.in | 2 +-
 1/class/perlmodule-vars.mk.in | 2 +-
 debian/changelog  | 8 
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/1/class/perl-build.mk.in b/1/class/perl-build.mk.in
index 41615fc..1b459df 100644
--- a/1/class/perl-build.mk.in
+++ b/1/class/perl-build.mk.in
@@ -56,7 +56,7 @@ export AUTOMATED_TESTING = $(DEB_PERL_AUTOMATED_TESTING)
 common-configure-arch common-configure-indep:: $(DEB_PERL_SRCDIR)/Build
 $(DEB_PERL_SRCDIR)/Build:
 	$(cdbs_perl_srcdir_check)
-	cd $(cdbs_perl_curbuilddir) && perl Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS)
+	cd $(cdbs_perl_curbuilddir) && perl -I. Build.PL $(DEB_PERL_BUILD_CONFIGURE_TARGET) $(DEB_PERL_CONFIGURE_ARGS) $(DEB_PERL_CONFIGURE_FLAGS)
 
 common-build-arch common-build-indep:: debian/stamp-perl-build
 debian/stamp-perl-build:
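Review bot: the `-I.` is added only to the `perl Build.PL` configure step; the `debian/stamp-perl-build` target that begins in this hunk's trailing context runs the generated `Build` script and is left unchanged, so confirm that the build and test steps do not also load modules from the source tree (for example an `inc/` helper pulled in by `Build.PL`) and need the same treatment. Note too that this file calls bare `perl` while the two MakeMaker class files in this series use `/usr/bin/perl`; using one form everywhere makes the invocation easier to audit.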
diff --git a/1/class/perl-makemaker-vars.mk.in b/1/class/perl-makemaker-vars.mk.in
index 17b2a25..6bc05fb 100644
--- a/1/class/perl-makemaker-vars.mk.in
+++ b/1/class/perl-makemaker-vars.mk.in
@@ -44,7 +44,7 @@ DEB_MAKE_EXTRA_ARGS = \
 		$(cdbs_perl_lddlflags))" \
 	$(DEB_MAKE_PARALLEL)
 
-DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL \
+DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL \
 	$(DEB_MAKEMAKER_NORMAL_ARGS) \
 	$(DEB_MAKEMAKER_USER_FLAGS) \
 	INSTALLDIRS=vendor
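Review bot: `DEB_MAKEMAKER_INVOKE` is assigned with `?=`, so any package whose `debian/rules` already sets this variable keeps its own command line and silently misses the `-I.`; the changelog or the class file header should say so, so maintainers of such packages know to update their override. Also worth stating: `-I.` prepends `.` to @INC rather than restoring it at the end, so a file in the build tree now shadows an installed module of the same name. That is acceptable here because the unpacked source is the trusted input of the build, but it is a wider effect than the default `.` it replaces.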
diff --git a/1/class/perlmodule-vars.mk.in b/1/class/perlmodule-vars.mk.in
index 9c69e9a..02e01ef 100644
--- a/1/class/perlmodule-vars.mk.in
+++ b/1/class/perlmodule-vars.mk.in
@@ -49,7 +49,7 @@ DEB_MAKE_EXTRA_ARGS = \
 # Unset for standard debhelper rules (use debian/tmp if multiple packages).
 DEB_MAKEMAKER_PACKAGE ?= $(firstword $(if $(_cdbs_rules_debhelper),$(shell dh_listpackages),$(shell $(_cdbs_scripts_path)/list-packages)))
 
-DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor
+DEB_MAKEMAKER_INVOKE ?= /usr/bin/perl -I. Makefile.PL $(DEB_MAKEMAKER_USER_FLAGS) INSTALLDIRS=vendor
 
 # Set some MakeMaker defaults
 # FIXME: Restructure to allow early override
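Review bot: this is the second copy of the `DEB_MAKEMAKER_INVOKE` default (the other is in `perl-makemaker-vars.mk.in`), and the `?=` caveat applies here as well: a `debian/rules` that overrides the variable does not pick up `-I.`. Consider defining the default once in a shared include so future changes to the invocation cannot diverge between the `perlmodule` and `perl-makemaker` classes.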
diff --git a/debian/changelog b/debian/changelog
index 994bee2..bc16d84 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cdbs (0.4.130+deb8u1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes
+for CVE-2016-1238
+
+ -- Dominic Hargreaves   Sat, 09 Jul 2016 11:24:14 +0200
+
 cdbs (0.4.130) unstable; urgency=medium
 
   * Fix quoting of compiler flags in perlmodule-vars.mk.
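Review bot: the distribution field is `UNRELEASED`, so this entry is not yet uploadable as a jessie-security update; deferring that to the release patch is fine, but the entry text could name the three class files touched so an auditor can tell at a glance that both the MakeMaker (`Makefile.PL`) and Module::Build (`Build.PL`) paths are covered, and that overrides of `DEB_MAKEMAKER_INVOKE` in individual packages are not.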
-- 
2.1.4

From 25c61ff13ca959dd53380ad3ea8a01f7e6c49407 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves 
Date: Mon, 25 Jul 2016 09:34:18 +0100
Subject: [PATCH 2/2] releasing package cdbs version 0.4.130+deb8u1

---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index bc16d84..5bc4c42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-cdbs 

Bug#833783: marked as done (cdbs: please invoke perl build processes with -I. [CVE-2016-1238])

2016-08-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Aug 2016 16:53:26 +0100
with message-id <20160808155326.gh27...@urchin.earth.li>
and subject line duplicate
has caused the Debian Bug report #833783,
regarding cdbs: please invoke perl build processes with -I. [CVE-2016-1238]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
833783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems