Bug#695224: Locale::Maketext versioning in perl package

2013-04-12 Thread Niko Tyni
On Thu, Apr 11, 2013 at 06:30:00PM +0200, Niels Thykier wrote:
> On 2013-04-10 20:44, Niko Tyni wrote:
>
>> So, can we consider the patch pre-approved?
>
> Yes, please go ahead.

5.14.2-21 uploaded, mostly built, and apparently already unblocked.
Thanks!
-- 
Niko Tyni   nt...@debian.org


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#695224: Locale::Maketext versioning in perl package

2013-04-11 Thread Niels Thykier
On 2013-04-10 20:44, Niko Tyni wrote:
> On Sun, Apr 07, 2013 at 02:12:46PM +0200, Niels Thykier wrote:
> [...]
>> I am tempted to take this fix for Wheezy and be done with it.  Can (one
>> of) you please check up on CPAN.pm/CPANPLUS.pm ?
>
> Sorry for the delay and thanks for looking at this.
>
> I just tested installing Locale-Maketext-Utils-0.36 from CPAN, as it
> requires Locale::Maketext 1.22 or greater. I saw no problems with either
> cpan or cpanp: with perl/5.14.2-20 from sid/wheezy a newer Locale-Maketext
> gets pulled in from CPAN, but with Dominic's patch the system version
> satisfies the requirement as expected. That's good enough for me.
>
> So, can we consider the patch pre-approved?
>
> [...]
>

Yes, please go ahead.

~Niels





Bug#695224: Locale::Maketext versioning in perl package

2013-04-10 Thread Niko Tyni
On Sun, Apr 07, 2013 at 02:12:46PM +0200, Niels Thykier wrote:
>> On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>>>
>>> There is a problem with the perl package, as discussed in
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
>>> onwards, whereby the application of the security fix in that ticket
>>> now causes double-escaping problems where people work around the problem
>>> by escaping themselves, when they detect an earlier Locale::Maketext
>>> by version number.
>>>
>>> I am slightly wary about importing the new (1.23) version of
>>> Locale::Maketext as I mentioned in that bug already, but my fears may
>>> be unfounded. Could you comment about whether you would accept such
>>> a change in wheezy at this time? (I can't really decide whether it's
>>> RC or not).
>
> I would suspect that any application code using Module::CoreList would
> still have to account for the cpan version being present?

Yes, I too think that should be expected.

> I am tempted to take this fix for Wheezy and be done with it.  Can (one
> of) you please check up on CPAN.pm/CPANPLUS.pm ?

Sorry for the delay and thanks for looking at this.

I just tested installing Locale-Maketext-Utils-0.36 from CPAN, as it
requires Locale::Maketext 1.22 or greater. I saw no problems with either
cpan or cpanp: with perl/5.14.2-20 from sid/wheezy a newer Locale-Maketext
gets pulled in from CPAN, but with Dominic's patch the system version
satisfies the requirement as expected. That's good enough for me.

So, can we consider the patch pre-approved?

>> I see Fedora/RedHat also upgraded their Locale::Maketext modules without
>> incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
>> Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
>> to fix this for wheezy, applications still have to check for features
>> rather than versions to stay on the safe side.
>
> Okay, sounds like it will be fine with leaving Squeeze as is then.

Ack on my part.

Thanks again,
-- 
Niko Tyni   nt...@debian.org





Bug#695224: Locale::Maketext versioning in perl package

2013-04-07 Thread Niels Thykier
On 2013-04-02 21:15, Niko Tyni wrote:
> On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>>
>> There is a problem with the perl package, as discussed in
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
>> onwards, whereby the application of the security fix in that ticket
>> now causes double-escaping problems where people work around the problem
>> by escaping themselves, when they detect an earlier Locale::Maketext
>> by version number.
>>
>> I am slightly wary about importing the new (1.23) version of
>> Locale::Maketext as I mentioned in that bug already, but my fears may
>> be unfounded. Could you comment about whether you would accept such
>> a change in wheezy at this time? (I can't really decide whether it's
>> RC or not).
>
> FWIW, it looks clear to me that the only functional changes in the patch
> are the $VERSION increments in the .pm files. The rest is documentation
> and test cases, and the only important $VERSION is most probably
> the main one in Locale/Maketext.pm.
>

Indeed.

> While that change itself is trivial, it has action-at-distance effects -
> otherwise this wouldn't be an issue at all. I think the risk potential
> is mostly in breaking something that's trusting Module::CoreList
> (dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
> be affected somehow too?), and that it's not a very big risk but still
> a real one.
>

Lintian uses a precomputed static list.  It would at worst lead to
false-negatives for package-superseded-by-perl (i.e. no tag when one
should have been there).
I suspect dh-make-perl will have a similar case with using the cpan
variant instead of the core variant in dependencies (though I only
gave it a quick scan).

I would suspect that any application code using Module::CoreList would
still have to account for the cpan version being present?

> [...]
>
> In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
> would probably have been the right thing to do if we had anticipated
> these issues. But we didn't, and it seems very late in the release
> process to do it now. Also, I can't really see us applying anything but
> the targeted fix for squeeze.
>

I am tempted to take this fix for Wheezy and be done with it.  Can (one
of) you please check up on CPAN.pm/CPANPLUS.pm ?

> I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> to fix this for wheezy, applications still have to check for features
> rather than versions to stay on the safe side.
>

Okay, sounds like it will be fine with leaving Squeeze as is then.

~Niels





Bug#695224: Locale::Maketext versioning in perl package

2013-04-03 Thread gregor herrmann
On Sun, 31 Mar 2013 17:46:12 +0100, Dominic Hargreaves wrote:

> I've attached a diff which implements the change in question. I haven't
> carried out extensive testing yet, but the package builds fine. The same
> change is in the dom/locale-maketext-version branch of the git repository
> at http://anonscm.debian.org/gitweb/?p=perl/perl.git.

/*
Disclaimers: My only affiliation with the release team is that I'm a
happy customer, and I also don't know locale-maketext specifically.
*/

I looked at this patch twice now, and I don't see a single change to
actual code; just $VERSION/hashes, a bit of POD, and some test
changes. Provided that the tests still work the changes seem very low
risk.

(Like Dominic I'm unsure if this should count as RC or wheezy-worth
otherwise, just wanted to give the patch another pair of eyes.)


Cheers,
gregor


-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Misha Alperin: Ironical Evening




Bug#695224: Locale::Maketext versioning in perl package

2013-04-02 Thread Niko Tyni
On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>
> There is a problem with the perl package, as discussed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
> onwards, whereby the application of the security fix in that ticket
> now causes double-escaping problems where people work around the problem
> by escaping themselves, when they detect an earlier Locale::Maketext
> by version number.
>
> I am slightly wary about importing the new (1.23) version of
> Locale::Maketext as I mentioned in that bug already, but my fears may
> be unfounded. Could you comment about whether you would accept such
> a change in wheezy at this time? (I can't really decide whether it's
> RC or not).

FWIW, it looks clear to me that the only functional changes in the patch
are the $VERSION increments in the .pm files. The rest is documentation
and test cases, and the only important $VERSION is most probably
the main one in Locale/Maketext.pm.

While that change itself is trivial, it has action-at-distance effects -
otherwise this wouldn't be an issue at all. I think the risk potential
is mostly in breaking something that's trusting Module::CoreList
(dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
be affected somehow too?), and that it's not a very big risk but still
a real one.

Thinking about the necessity of this: Paul is IMO right that security
fixes and other backported stuff usually don't change functionality
API-wise, and I'm generally sympathetic to the idea of incrementing
$VERSION when they do. Unfortunately that's hard to do in the general case
(as the versioning scheme doesn't really support downstream branching.)

In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
would probably have been the right thing to do if we had anticipated
these issues. But we didn't, and it seems very late in the release
process to do it now. Also, I can't really see us applying anything but
the targeted fix for squeeze.

I see Fedora/RedHat also upgraded their Locale::Maketext modules without
incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
to fix this for wheezy, applications still have to check for features
rather than versions to stay on the safe side.
-- 
Niko Tyni   nt...@debian.org
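As an added illustration of the Module::CoreList action-at-distance effect described above (example code written for this page, not from the thread or the Debian perl package): a consumer compares the Locale::Maketext version actually loaded from @INC with the entry %Module::CoreList::version holds for the running perl, the way a packaging tool might decide whether a CPAN copy shadows the core module. The classify_core_module helper is hypothetical; after a downstream-only $VERSION bump like the one in this patch it reports 'newer-than-core' although no CPAN copy is installed.

```perl
#!/usr/bin/perl
# Added example, not part of the bug thread or the Debian perl package:
# compare the Locale::Maketext version actually loaded from @INC with the
# version Module::CoreList records for the running perl, the kind of
# check a packaging tool makes to decide whether a CPAN copy shadows the
# core module. A downstream-only $VERSION bump makes the two disagree.
use strict;
use warnings;
use version;
use Module::CoreList;

# Hypothetical helper: classify an installed core module relative to the
# version Module::CoreList lists for $perl_version (defaults to $]).
sub classify_core_module {
    my ($module, $installed, $perl_version) = @_;
    $perl_version = $] unless defined $perl_version;
    return 'unknown-perl'
        unless exists $Module::CoreList::version{$perl_version};
    my $core = $Module::CoreList::version{$perl_version}{$module};
    return 'not-in-core' unless defined $core;
    # version->parse copes with "1.19", "1.23_01" and dotted forms alike,
    # which a plain numeric comparison would get wrong or warn about.
    my $cmp = version->parse($installed) <=> version->parse($core);
    return $cmp == 0 ? 'core'
         : $cmp >  0 ? 'newer-than-core'
         :             'older-than-core';
}

my $module = 'Locale::Maketext';
(my $file = "$module.pm") =~ s{::}{/}g;
require $file;                  # load whichever copy @INC finds first
my $installed = $module->VERSION;
my $core      = $Module::CoreList::version{$]}{$module};

printf "%s: loaded %s, Module::CoreList lists %s for perl %s => %s\n",
    $module, $installed, defined $core ? $core : 'n/a', $],
    classify_core_module($module, $installed);
```

On a perl whose Locale::Maketext $VERSION was raised only downstream, the loaded version exceeds the CoreList entry for that perl release, so a tool trusting CoreList alone cannot tell a patched core module from a CPAN install; a feature check, as the thread recommends, avoids depending on either number.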





Bug#695224: Locale::Maketext versioning in perl package

2013-03-31 Thread Dominic Hargreaves
Dear release team,

There is a problem with the perl package, as discussed in 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
onwards, whereby the application of the security fix in that ticket
now causes double-escaping problems where people work around the problem
by escaping themselves, when they detect an earlier Locale::Maketext
by version number.

I am slightly wary about importing the new (1.23) version of
Locale::Maketext as I mentioned in that bug already, but my fears may
be unfounded. Could you comment about whether you would accept such
a change in wheezy at this time? (I can't really decide whether it's
RC or not).

I've attached a diff which implements the change in question. I haven't
carried out extensive testing yet, but the package builds fine. The same
change is in the dom/locale-maketext-version branch of the git repository
at http://anonscm.debian.org/gitweb/?p=perl/perl.git.

Note that if you approve this, I would still want to get feedback from
Niko, co-maintainer of the perl package, before an upload.

This also affects stable, and so I've also CCed the security team
(the problem was introduced in a DSA).

Thanks as always for your excellent work (especially during the freeze)
and apologies for bringing such a thorny issue to you this close to
release.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 2a4791b..c8c980a 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-89405c8ebc5bf8ae4ed6479de2bc0f311c1f6fe1
-89405c8ebc5bf8ae4ed6479de2bc0f311c1f6fe1
+93f6c83c7454de33df00a0e3fde3a890d6c87e91
+93f6c83c7454de33df00a0e3fde3a890d6c87e91
 5f99bf7a09dd2ae3c22081331f4973210a543731
 5f99bf7a09dd2ae3c22081331f4973210a543731
 perl_5.14.2.orig.tar.bz2
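Review bot: this hunk only advances the git-dpm patched-tree commit (89405c8… to 93f6c83…) and leaves the upstream-tree and tarball lines untouched, which is the expected shape for appending one commit to the patch series; the new id must be reachable on the dom/locale-maketext-version branch the mail points at, otherwise git-dpm cannot reconstruct the series from this file.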
diff --git a/debian/changelog b/debian/changelog
index dd05cd9..e306117 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+perl (5.14.2-21) UNRELEASED; urgency=low
+
+  * Update the Locale::Maketext fix by importing 1.23, to avoid
+double-escaping problems (see: #695224)
+
+ -- Dominic Hargreaves d...@earth.li  Sun, 31 Mar 2013 13:58:59 +0100
+
 perl (5.14.2-20) unstable; urgency=low
 
   * Fix an Encode memory leak that occurred in the UTF-8 encoding.
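Review bot: the changelog entry describes the change as "importing 1.23", while the thread's own description of the patch is a $VERSION bump plus POD and test changes rather than a full import of Locale::Maketext 1.23; wording it as "Bump the Locale::Maketext $VERSION to 1.23 to match upstream, so applications detecting the fixed version by number stop double-escaping (see: #695224)" would describe what actually changes. The UNRELEASED distribution is right for a pre-approval request but has to become unstable before the 5.14.2-21 upload.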
diff --git a/debian/patches/fixes/64bitint-signedness-wraparound.diff b/debian/patches/fixes/64bitint-signedness-wraparound.diff
index cae0b3d..edeaf9e 100644
--- a/debian/patches/fixes/64bitint-signedness-wraparound.diff
+++ b/debian/patches/fixes/64bitint-signedness-wraparound.diff
@@ -1,4 +1,4 @@
-From e36d65ba661bd0f9c9ae741c8f18d2e08682e97a Mon Sep 17 00:00:00 2001
+From 3e75c3189622c59ded9070bf678ef42f8185961a Mon Sep 17 00:00:00 2001
 From: Andy Dougherty dough...@lafayette.edu
 Date: Wed, 16 Jan 2013 12:30:43 -0500
 Subject: Avoid wraparound when casting unsigned size_t to signed ssize_t.
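Review bot: the only change in this hunk is the commit id on the From line (e36d65b… to 3e75c31…), i.e. git-dpm re-exporting the series after a new commit was inserted ahead of it; the same header churn repeats in the patch files that follow. It is harmless, but it buries the one substantive change, so the patch bodies rather than just the headers should be diffed to confirm nothing else moved.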
diff --git a/debian/patches/fixes/digest-sha-doublefree.diff b/debian/patches/fixes/digest-sha-doublefree.diff
index c49a84a..b9a1e12 100644
--- a/debian/patches/fixes/digest-sha-doublefree.diff
+++ b/debian/patches/fixes/digest-sha-doublefree.diff
@@ -1,4 +1,4 @@
-From d2d9e1560afaeb402dda69eba1d6e808d80c0c96 Mon Sep 17 00:00:00 2001
+From 0c6c3e57ab9ee86fbce162071dce1c2748a494b5 Mon Sep 17 00:00:00 2001
 From: Niko Tyni nt...@debian.org
 Date: Fri, 25 Jan 2013 15:00:00 +0200
 Subject: Fix a double-free bug in Digest::SHA
diff --git a/debian/patches/fixes/encode-memleak.diff b/debian/patches/fixes/encode-memleak.diff
index b30e6d0..baed27f 100644
--- a/debian/patches/fixes/encode-memleak.diff
+++ b/debian/patches/fixes/encode-memleak.diff
@@ -1,4 +1,4 @@
-From 89405c8ebc5bf8ae4ed6479de2bc0f311c1f6fe1 Mon Sep 17 00:00:00 2001
+From 93f6c83c7454de33df00a0e3fde3a890d6c87e91 Mon Sep 17 00:00:00 2001
 From: chansen chan...@cpan.org
 Date: Sun, 3 Mar 2013 22:43:53 +0100
 Subject: Encode: Fixed a memory leak that occurred in the UTF-8 encoding.
diff --git a/debian/patches/fixes/hsplit-rehash.diff b/debian/patches/fixes/hsplit-rehash.diff
index c2fd7e2..ba235f7 100644
--- a/debian/patches/fixes/hsplit-rehash.diff
+++ b/debian/patches/fixes/hsplit-rehash.diff
@@ -1,4 +1,4 @@
-From 5d86bf622ad5ac2cc69da54d76000a4618518410 Mon Sep 17 00:00:00 2001
+From ac695b3c3106de8292c4200c84ab4c57b6998b73 Mon Sep 17 00:00:00 2001
 From: Yves Orton demer...@gmail.com
 Date: Tue, 12 Feb 2013 10:53:05 +0100
 Subject: Prevent premature hsplit() calls, and only trigger REHASH after
diff --git a/debian/patches/fixes/maketext-code-execution.diff b/debian/patches/fixes/maketext-code-execution.diff
index 117ef2d..b781de9 100644
--- a/debian/patches/fixes/maketext-code-execution.diff
+++ b/debian/patches/fixes/maketext-code-execution.diff
@@ -1,4 +1,4 @@
-From 9da6928f4cbc7cfa3c2c474b00042a51083e12af Mon Sep 17 00:00:00 2001
+From 97aa10fd1926ed8299448eb69f70c01546918d15 Mon Sep 17 00:00:00 2001
 From: Brian Carlson
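Review bot: this is the patch file that actually carries the Locale::Maketext fix for #695224, but the posted diff stops after the From: line, so the $VERSION increments in the .pm files and the POD and test changes the thread describes are not visible here; a reviewer working from the list needs the dom/locale-maketext-version branch rather than this attachment.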