Your message dated Tue, 23 May 2017 15:18:53 +0000
with message-id <[email protected]>
and subject line Bug#862667: fixed in perltidy 20140328-2
has caused the Debian Bug report #862667,
regarding perltidy: CVE-2016-10374
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
862667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862667
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libperl-critic-perl
Version: 1.126-1
Severity: normal
File: /usr/bin/perlcritic
Control: affects -1 check-all-the-things
User: [email protected]
Usertags: file-overwrite

There is some code which causes perlcritic to create or overwrite a
perltidy.ERR file in the current directory. perlcritic and perltidy are
static analysis tools so they should not write to files in the current
directory. I expect the fix for this is to pass a temporary filename to
perltidy or get it to use stdout instead of a file.

pabs@chianamo ~ $ mkdir tmp-pc
pabs@chianamo ~ $ cd tmp-pc
pabs@chianamo ~/tmp-pc $ mkdir tmp
pabs@chianamo ~/tmp-pc $ cat > tmp/foo.pl <<"EOF"
> $foo = 'bar'
> $bar = 'baz';
> EOF
pabs@chianamo ~/tmp-pc $ find
.
./tmp
./tmp/foo.pl
pabs@chianamo ~/tmp-pc $ cat tmp/foo.pl 
$foo = 'bar'
$bar = 'baz';
pabs@chianamo ~/tmp-pc $ perlcritic -1 .
perltidy had errors!! at line 1, column 1.  See page 33 of PBP.  (Severity: 1)
Module does not end with "1;" at line 1, column 1.  Must end with a 
recognizable true value.  (Severity: 4)
Code not contained in explicit package at line 1, column 1.  Violates 
encapsulation.  (Severity: 4)
No package-scoped "$VERSION" variable found at line 1, column 1.  See page 404 
of PBP.  (Severity: 2)
Code before strictures are enabled at line 1, column 1.  See page 429 of PBP.  
(Severity: 5)
Code before warnings are enabled at line 1, column 1.  See page 431 of PBP.  
(Severity: 4)
pabs@chianamo ~/tmp-pc $ find 
.
./perltidy.ERR
./tmp
./tmp/foo.pl
pabs@chianamo ~/tmp-pc $ cat perltidy.ERR 

2: $bar = 'baz';
   ^            
found Scalar where operator expected

Missing ';' above?
pabs@chianamo ~/tmp-pc $ echo foo > perltidy.ERR 
pabs@chianamo ~/tmp-pc $ cat perltidy.ERR 
foo
pabs@chianamo ~/tmp-pc $ perlcritic -1 .
perltidy had errors!! at line 1, column 1.  See page 33 of PBP.  (Severity: 1)
Module does not end with "1;" at line 1, column 1.  Must end with a 
recognizable true value.  (Severity: 4)
Code not contained in explicit package at line 1, column 1.  Violates 
encapsulation.  (Severity: 4)
No package-scoped "$VERSION" variable found at line 1, column 1.  See page 404 
of PBP.  (Severity: 2)
Code before strictures are enabled at line 1, column 1.  See page 429 of PBP.  
(Severity: 5)
Code before warnings are enabled at line 1, column 1.  See page 431 of PBP.  
(Severity: 4)
pabs@chianamo ~/tmp-pc $ cat perltidy.ERR 

2: $bar = 'baz';
   ^            
found Scalar where operator expected

Missing ';' above?

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libperl-critic-perl depends on:
ii  libb-keywords-perl        1.15-1
ii  libconfig-tiny-perl       2.23-1
ii  libemail-address-perl     1.908-1
ii  libexception-class-perl   1.40-1
ii  libfile-homedir-perl      1.00-1
ii  libfile-which-perl        1.21-1
ii  libio-string-perl         1.08-3
ii  liblist-moreutils-perl    0.416-1
ii  libmodule-pluggable-perl  5.2-1
ii  libpod-spell-perl         1.20-1
ii  libppi-perl               1.220-1
ii  libppix-regexp-perl       0.050-1
ii  libppix-utilities-perl    1.001000-2
ii  libreadonly-perl          2.050-1
ii  libstring-format-perl     1.17-1
ii  libtask-weaken-perl       1.04-1
ii  perl                      5.22.2-3
ii  perltidy                  20140328-1

libperl-critic-perl recommends no packages.

libperl-critic-perl suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

--- End Message ---
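
The report above checks for stray writes by hand, with find and cat before and after each perlcritic run. The script below is an added example, not part of the original thread or of perltidy/perlcritic, that automates that before/after comparison for any command; cwd_writes, snapshot and the stand-in fake_tidy are names assumed here.

```shell
#!/bin/sh
# Added example: report files a command creates, changes or deletes in the
# directory it runs in. fake_tidy is a constructed stand-in, not perltidy.

# snapshot DIR: one "checksum size path" line per regular file under DIR.
# Symlinks are not followed; only regular files are compared.
snapshot() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort)
}

# cwd_writes DIR CMD [ARGS...]: run CMD inside DIR and print the paths whose
# snapshot line differs afterwards (new, overwritten or removed files).
cwd_writes() {
    dir=$1; shift
    before=$(mktemp) || return 2
    after=$(mktemp) || return 2
    snapshot "$dir" > "$before"
    # The tool's own exit status and output are irrelevant to this check.
    (cd "$dir" && "$@") >/dev/null 2>&1 || true
    snapshot "$dir" > "$after"
    { LC_ALL=C comm -23 "$before" "$after"
      LC_ALL=C comm -13 "$before" "$after"; } | cut -d' ' -f3- | sort -u
    rm -f "$before" "$after"
}

# Constructed stand-in for the behaviour in the report: writes perltidy.ERR
# into the current directory, replacing whatever was there.
fake_tidy() { echo "Missing ';' above?" > perltidy.ERR; }

# Same sequence as the report: fresh tree, first run, plant a file, second run.
demo=$(mktemp -d) && mkdir "$demo/tmp"
printf '%s\n' "\$foo = 'bar'" "\$bar = 'baz';" > "$demo/tmp/foo.pl"
echo "first run touched:  $(cwd_writes "$demo" fake_tidy)"
echo foo > "$demo/perltidy.ERR"
echo "second run touched: $(cwd_writes "$demo" fake_tidy)"
rm -rf "$demo"
```

Substituting `perlcritic -1 .` for fake_tidy repeats the report's check against an installed version; a tool that only reads its input produces no output from cwd_writes.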
--- Begin Message ---
Source: perltidy
Source-Version: 20140328-2

We believe that the bug you reported is fixed in the latest version of
perltidy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Don Armstrong <[email protected]> (supplier of updated perltidy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 21 May 2017 12:41:30 -0700
Source: perltidy
Binary: perltidy
Architecture: source all
Version: 20140328-2
Distribution: unstable
Urgency: high
Maintainer: Don Armstrong <[email protected]>
Changed-By: Don Armstrong <[email protected]>
Description:
 perltidy   - Perl script indenter and reformatter
Closes: 862667
Changes:
 perltidy (20140328-2) unstable; urgency=high
 .
   * Backport fix for CVE-2016-10374 which fixes insecure file deletion of
     perltidy.ERR and perltidy.LOG files (closes: #862667)

--- End Message ---
