Package: debhelper
Version: 9.20160709
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: debian-p...@lists.debian.org
Usertags: perl-cwd-inc-removal
As per the referenced thread, we are going to remove '.' from @INC, the perl module search path, by default, shortly. Please can you apply something like the attached patches (which were uploaded as a security update 9.20150101+deb8u2) at your earliest convenience? This will fix a substantial number of FTBFS bugs resulting from such a change.

The attachments are from my local git repository which I used to prepare the jessie-security update, to import into the official repo should you wish. This should make merging/cherry-picking easier.

Thanks,
Dominic.
>From d4ac7680af8f2d9c265bf96b9cb96942c7fe54a7 Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <d...@earth.li> Date: Thu, 7 Jul 2016 16:54:15 +0200 Subject: [PATCH 1/4] Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238 --- Debian/Debhelper/Buildsystem/perl_build.pm | 2 +- Debian/Debhelper/Buildsystem/perl_makemaker.pm | 2 +- debian/changelog | 8 ++++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Debian/Debhelper/Buildsystem/perl_build.pm b/Debian/Debhelper/Buildsystem/perl_build.pm index 4cfbcb4..6b2ef8b 100644 --- a/Debian/Debhelper/Buildsystem/perl_build.pm +++ b/Debian/Debhelper/Buildsystem/perl_build.pm @@ -48,7 +48,7 @@ sub configure { if ($ENV{LDFLAGS} && ! compat(8)) { push @flags, "--config", "ld=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}"; } - $this->do_perl("Build.PL", "--installdirs", "vendor", @flags, @_); + $this->do_perl("-I.", "Build.PL", "--installdirs", "vendor", @flags, @_); } sub build { diff --git a/Debian/Debhelper/Buildsystem/perl_makemaker.pm b/Debian/Debhelper/Buildsystem/perl_makemaker.pm index 60cda3d..c4f6b42 100644 --- a/Debian/Debhelper/Buildsystem/perl_makemaker.pm +++ b/Debian/Debhelper/Buildsystem/perl_makemaker.pm @@ -54,7 +54,7 @@ sub configure { push @flags, "LD=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}"; } - $this->doit_in_sourcedir("perl", "Makefile.PL", "INSTALLDIRS=vendor", + $this->doit_in_sourcedir("perl", "-I.", "Makefile.PL", "INSTALLDIRS=vendor", # if perl_build is not tested first, need to pass packlist # option to handle fallthrough case (compat(7) ? "create_packlist=0" : ()), diff --git a/debian/changelog b/debian/changelog index a6408c7..d1455c4 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for + CVE-2016-1238 + + -- Dominic Hargreaves <d...@earth.li> Thu, 07 Jul 2016 16:53:02 +0200 + debhelper (9.20150101) unstable; urgency=medium [ Niels Thykier ] -- 2.1.4
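Review bot: the `-I.` added in both the perl_build.pm and perl_makemaker.pm hunks prepends '.' to @INC rather than restoring it at the end where the old default had it, so during the configure step a file in the source tree now takes precedence over an installed module of the same name; that is what Module::Install-style `inc/` helpers want, but it is a change from the pre-CVE-2016-1238 ordering and the changelog entry should say so. The hunks also touch only the `Build.PL` and `Makefile.PL` invocations, so any later build, test or install step that re-invokes perl from the generated Makefile or Build script still runs without '.'; packages that rely on @INC there remain unfixed by this patch alone. Finally, the debian/changelog hunk opens a 9.20150101+deb8u1 entry, which is the jessie-security version: when cherry-picking into 9.20160709 the changelog hunk should be dropped and a fresh entry written rather than merged.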
>From 142436ea9b345e35c70c55cb3163b6dfe4c32385 Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <d...@earth.li> Date: Wed, 20 Jul 2016 00:25:25 +0100 Subject: [PATCH 2/4] Export PERL_USE_UNSAFE_INC to fix a further set of packages which fail to build with . removed from @INC --- Debian/Debhelper/Dh_Lib.pm | 5 +++++ debian/changelog | 2 ++ 2 files changed, 7 insertions(+) diff --git a/Debian/Debhelper/Dh_Lib.pm b/Debian/Debhelper/Dh_Lib.pm index 0519d20..64ea4ac 100644 --- a/Debian/Debhelper/Dh_Lib.pm +++ b/Debian/Debhelper/Dh_Lib.pm @@ -982,6 +982,11 @@ sub set_buildflags { return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8); $ENV{DH_INTERNAL_BUILDFLAGS}=1; + # Export PERL_USE_UNSAFE_INC as a transitional step to allow us + # to remove . from @INC by default without breaking packages which + # rely on this [CVE-2016-1238] + $ENV{PERL_USE_UNSAFE_INC}=1; + eval "use Dpkg::BuildFlags"; if ($@) { warning "unable to load build flags: $@"; diff --git a/debian/changelog b/debian/changelog index d1455c4..c5d2a6d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium * Non-maintainer upload. * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for CVE-2016-1238 + * Export PERL_USE_UNSAFE_INC to fix a further set of packages which + fail to build with . removed from @INC -- Dominic Hargreaves <d...@earth.li> Thu, 07 Jul 2016 16:53:02 +0200 -- 2.1.4
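Review bot: the new `$ENV{PERL_USE_UNSAFE_INC}=1;` sits below `return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8);`, so packages at compat level 8 or lower (where `compat(8)` is true) never get the variable exported and are left unfixed, and the DH_INTERNAL_BUILDFLAGS guard ties the export to the first set_buildflags call, which only works because the environment is inherited. Moving the assignment above the early return, or into its own helper, would make the transitional export independent of the buildflags logic. Note also that this re-enables '.' in @INC for every program perl runs during the build, test suite included, for all packages and not only those that need it; the comment already calls it transitional, and the changelog entry should record that it is meant to be removed once affected packages are fixed.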
>From 4ba75eee566c3a6af6c75c2119d938e3fb7796b9 Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <d...@earth.li> Date: Sun, 24 Jul 2016 19:12:52 +0100 Subject: [PATCH 3/4] releasing package debhelper version 9.20150101+deb8u1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index c5d2a6d..dcaa609 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium +debhelper (9.20150101+deb8u1) jessie-security; urgency=high * Non-maintainer upload. * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for @@ -6,7 +6,7 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium * Export PERL_USE_UNSAFE_INC to fix a further set of packages which fail to build with . removed from @INC - -- Dominic Hargreaves <d...@earth.li> Thu, 07 Jul 2016 16:53:02 +0200 + -- Dominic Hargreaves <d...@earth.li> Sun, 24 Jul 2016 19:12:37 +0100 debhelper (9.20150101) unstable; urgency=medium -- 2.1.4
>From 4e26f80bed689eea059c64e48b42bfc358119eea Mon Sep 17 00:00:00 2001 From: Dominic Hargreaves <d...@earth.li> Date: Sun, 24 Jul 2016 20:16:48 +0100 Subject: [PATCH 4/4] Re-upload to security-master --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index dcaa609..85cb55f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +debhelper (9.20150101+deb8u2) jessie-security; urgency=high + + * Non-maintainer upload. + * Re-upload to security-master + + -- Dominic Hargreaves <d...@earth.li> Sun, 24 Jul 2016 20:13:55 +0100 + debhelper (9.20150101+deb8u1) jessie-security; urgency=high * Non-maintainer upload. -- 2.1.4
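Review bot: the 9.20150101+deb8u2 changelog entry only says "Re-upload to security-master" and gives no reason, so a reader cannot tell whether deb8u1 was ever published or why a new version was needed; a short note (for example that deb8u1 did not reach the security archive) would make the history self-explanatory.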