Hi,

On Debian unstable I just got a failure when running the regression
tests:

andres@alap4:~/build/postgres/dev-assert/vpath/src/bin/pg_rewind$ make check
rm -rf '/home/andres/build/postgres/dev-assert/vpath'/tmp_install
/bin/mkdir -p '/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log
make -C '../../..'
DESTDIR='/home/andres/build/postgres/dev-assert/vpath'/tmp_install install
>'/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log/install.log 2>&1
rm -rf
/home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind/tmp_check/log
cd /home/andres/src/postgresql/src/bin/pg_rewind &&
TESTDIR='/home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind'
PATH="/home/andres/build/postgres/dev-assert/vpath/tmp_install/home/andres/build/postgres/dev-assert//install/bin:$PATH"
LD_LIBRARY_PATH="/home/andres/build/postgres/dev-assert/vpath/tmp_install/home/andres/build/postgres/dev-assert//install/lib"
PGPORT='65432'
PG_REGRESS='/home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind/../../../src/test/regress/pg_regress'
prove -I /home/andres/src/postgresql/src/test/perl/ --verbose t/*.pl
t/001_basic.pl ............
1..8
Can't locate RewindTest.pm in @INC (you may need to install the RewindTest
module) (@INC contains: /home/andres/src/postgresql/src/test/perl /etc/perl
/usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2
/usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5
/usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at t/001_basic.pl
line 6.
BEGIN failed--compilation aborted at t/001_basic.pl line 6.
# Looks like your test exited with 2 before it could output anything.
Dubious, test returned 2 (wstat 512, 0x200)

Debian's perl changelog says:

perl (5.22.2-3) unstable; urgency=high

  * [SECURITY] CVE-2016-1238: opportunistic loading of optional
    modules can make many programs unintentionally load code
    from the current working directory (which might be changed to
    another directory without the user realising).
    + allow user configurable removal of "." from @INC in
      /etc/perl/sitecustomize.pl for a transitional period. (See: #588017)
    + backport patches from [perl #127834] to fix known vulnerabilities
      even if the user does not configure "." to be removed from @INC
    + backport patches from [perl #127810] to fix various classes of
      build failures in perl and CPAN modules if "." is removed from
      @INC

and sitecustomize notes:

# This script is only provided as a transition mechanism for
# removing the current working directory from the library search path
# while leaving a temporary way to override this locally.
#
# If you really need "." to be on @INC globally, you can comment
# this away for now. However, please note that this facility
# is expected to be removed after the Debian stretch release,
# at which point any code in this file will not have any effect.
#
# Please see CVE-2016-1238 for background information on the risks
# of having "." on @INC.
pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};

ISTM that the easiest fix is to just tack -I '$(srcdir)' into the prove
flags like:

PROVE = @PROVE@
PG_PROVE_FLAGS = -I $(top_srcdir)/src/test/perl/ -I '$(srcdir)'
PROVE_FLAGS = --verbose

I don't think there are any security concerns for us here.

Greetings,

Andres Freund
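
To see why the test fails and what an extra -I changes, the following added example (not part of the original message or of PostgreSQL's test suite) reports which @INC entries depend on the current working directory and which directory would supply each module named on the command line. The script name inc_audit.pl is hypothetical.

```perl
#!/usr/bin/perl
# inc_audit.pl (hypothetical name): added example, not from the original message.
# Audits the module search path that the running perl would use.
use strict;
use warnings;
use File::Spec;

# Return the search-path entries that depend on the current working
# directory, i.e. any non-absolute path ("." is the CVE-2016-1238 case).
# Code references in @INC (import hooks) are skipped.
sub cwd_relative_inc {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Return the first directory in the search path that contains the module's
# .pm file, mirroring the order in which "use"/"require" would look,
# or undef if no directory has it.
sub locate_module {
    my ($module, @inc) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;    # Foo::Bar -> Foo/Bar.pm
    for my $dir (grep { !ref($_) } @inc) {
        return $dir if -f File::Spec->catfile($dir, $file);
    }
    return;
}

my @relative = cwd_relative_inc(@INC);
print @relative
    ? "cwd-dependent \@INC entries: @relative\n"
    : "no cwd-dependent entries in \@INC\n";

# Modules to look up are given as arguments, e.g. RewindTest.
for my $module (@ARGV) {
    my $dir = locate_module($module, @INC);
    printf "%-20s %s\n", $module,
        defined $dir ? "found in $dir" : "not found in \@INC";
}
```

Running `perl inc_audit.pl RewindTest` from src/bin/pg_rewind, with and without `-I` pointing at that directory, shows the difference the proposed flag makes.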