Package: perl
Version: 5.14.2-21+deb7u4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?

We updated our systems with the latest security patches (and then spent a day debugging)

   * What exactly did you do (or not do) that was effective (or ineffective)?

Started up CGI apps

   * What was the outcome of this action?

use base died complaining that base package was empty

   * What outcome did you expect instead?

Things to work.

Debugging outcome:

The problem was introduced by the fix noted in the title. The problem is that although use base has a require in the eval, the failure of that require is always fatal, so this is not an optional dependency.

Without the security fix everything runs normally. But with it, strange, order-dependent side-effects occur. For example, assuming that '.' needs to be in @INC, without the patch the following both work:

    use base 'MyBaseClass';

and

    use MyBaseClass;
    use base 'MyBaseClass';

The difference of course is that the latter runs MyBaseClass->import()

With the security fix, the latter still works but the former dies because MyBaseClass is empty following the failed effort to require it.

I would be very surprised if this doesn't break a fair number of CGI-based Perl web apps bundled with Debian, and it isn't in the scope of the original vulnerability report. So the fix should be reversed as applied to this module.

use base is supposed to follow the same rules as use. This is now badly broken on Debian and it needs to be fixed.

*** End of the template - remove these lines ***

-- System Information:
Debian Release: 7.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl depends on:
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-38+deb7u11
ii  libdb5.1      5.1.29-5
ii  libgdbm3      1.8.3-11
ii  perl-base     5.14.2-21+deb7u4
ii  perl-modules  5.14.2-21+deb7u4
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages perl recommends:
ii  netbase  5.0

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>
ii  make                                                    3.81-8.2
pn  perl-doc                                                <none>

-- no debconf information
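
A check for which of the two load forms described in the report still work on a given Perl installation, next to a third form that names the script's own directory explicitly instead of depending on '.' being in @INC. This is an added example, not part of the original report: the body of MyBaseClass.pm, the App package and the script file names are constructed, and the FindBin/use lib variant is an assumed alternative that the reporter does not propose.

```perl
#!/usr/bin/perl
# Added example, not from the report. MyBaseClass.pm's body, the App package
# and the three script names are constructed for the demonstration.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

my $dir  = tempdir(CLEANUP => 1);
my $perl = $^X;    # run the children with the same interpreter being tested

sub write_file {
    my ($name, $body) = @_;
    my $path = File::Spec->catfile($dir, $name);
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $body;
    close $fh or die "cannot close $path: $!";
    return $path;
}

# Base class that sits beside the scripts, as in a typical CGI directory.
write_file('MyBaseClass.pm',
    "package MyBaseClass;\nsub greet { return 'MyBaseClass loaded' }\n1;\n");

my @variants = (
    # The two forms from the report; both rely on '.' being searched.
    [ 'base_only.pl', q{use base 'MyBaseClass';} ],
    [ 'use_first.pl', q{use MyBaseClass; use base 'MyBaseClass';} ],
    # Assumed alternative: add the script's directory by absolute path.
    [ 'explicit.pl',  q{use FindBin qw($Bin); use lib $Bin; use base 'MyBaseClass';} ],
);

my $old_cwd = getcwd();
chdir $dir or die "cannot chdir to $dir: $!";   # '.' is now the module dir

for my $v (@variants) {
    my ($file, $load) = @$v;
    write_file($file, "package App;\n$load\nprint App->greet, qq{\\n};\n");
    my $out    = qx{"$perl" $file 2>&1};         # each variant in a fresh process
    my $status = $? == 0 ? 'OK  ' : 'FAIL';
    my ($first) = split /\n/, $out;              # first line of output or error
    printf "%s %-13s %s\n", $status, $file, defined $first ? $first : '';
}

chdir $old_cwd or die "cannot chdir back to $old_cwd: $!";
```

The results for base_only.pl and use_first.pl depend on the installed base.pm and on whether '.' is in @INC; explicit.pl does not depend on either.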