Bug#833781: debhelper: please invoke perl build processes with -I. [CVE-2016-1238]
Package: debhelper
Version: 9.20160709
Severity: serious
Justification: https://lists.debian.org/debian-release/2016/07/msg00476.html
User: debian-perl@lists.debian.org
Usertags: perl-cwd-inc-removal
As per the referenced thread, we are going to remove '.' from @INC,
the perl module search path, by default, shortly. Please can you apply
something like the attached patches (which were uploaded as a security
update 9.20150101+deb8u2) at your earliest convenience? This will fix
a substantial number of FTBFS bugs resulting from such a change.
The attachments are from my local git repository which I used to
prepare the jessie-security update, to import into the official repo
should you wish. This should make merging/cherry-picking easier.
Thanks,
Dominic.
From d4ac7680af8f2d9c265bf96b9cb96942c7fe54a7 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <dom@earth.li>
Date: Thu, 7 Jul 2016 16:54:15 +0200
Subject: [PATCH 1/4] Invoke Makefile.PL and Build.PL with perl -I. as part of
the fixes for CVE-2016-1238
---
Debian/Debhelper/Buildsystem/perl_build.pm | 2 +-
Debian/Debhelper/Buildsystem/perl_makemaker.pm | 2 +-
debian/changelog | 8 ++++++++
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Debian/Debhelper/Buildsystem/perl_build.pm b/Debian/Debhelper/Buildsystem/perl_build.pm
index 4cfbcb4..6b2ef8b 100644
--- a/Debian/Debhelper/Buildsystem/perl_build.pm
+++ b/Debian/Debhelper/Buildsystem/perl_build.pm
@@ -48,7 +48,7 @@ sub configure {
if ($ENV{LDFLAGS} && ! compat(8)) {
push @flags, "--config", "ld=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}";
}
- $this->do_perl("Build.PL", "--installdirs", "vendor", @flags, @_);
+ $this->do_perl("-I.", "Build.PL", "--installdirs", "vendor", @flags, @_);
}
sub build {
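Review bot: `-I.` puts the source directory at the front of @INC, whereas the default `.` being removed sat at the end, so a module in the package's top-level directory that shares a name with an installed one now shadows it instead of the reverse; that is acceptable for a transitional fix but deserves a comment next to the call. Also, only `configure` changes here: the `sub build` that follows, and the later test/install actions, still run the generated Build script without `-I.`, so it is worth confirming those do not need the current directory on @INC as well (or that the PERL_USE_UNSAFE_INC export in patch 2/4 covers them).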
diff --git a/Debian/Debhelper/Buildsystem/perl_makemaker.pm b/Debian/Debhelper/Buildsystem/perl_makemaker.pm
index 60cda3d..c4f6b42 100644
--- a/Debian/Debhelper/Buildsystem/perl_makemaker.pm
+++ b/Debian/Debhelper/Buildsystem/perl_makemaker.pm
@@ -54,7 +54,7 @@ sub configure {
push @flags, "LD=$Config{ld} $ENV{CFLAGS} $ENV{LDFLAGS}";
}
- $this->doit_in_sourcedir("perl", "Makefile.PL", "INSTALLDIRS=vendor",
+ $this->doit_in_sourcedir("perl", "-I.", "Makefile.PL", "INSTALLDIRS=vendor",
# if perl_build is not tested first, need to pass packlist
# option to handle fallthrough case
(compat(7) ? "create_packlist=0" : ()),
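Review bot: this call passes `-I.` to a bare `"perl"` through doit_in_sourcedir, while the Build.PL hunk goes through `$this->do_perl`; if do_perl chooses the interpreter or adds flags, the two Perl build systems will behave differently, so consider routing this call through do_perl too. Either way, a one-line comment naming CVE-2016-1238 (as the Dh_Lib.pm hunk has) would stop a future cleanup from dropping the `-I.` as apparently redundant.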
diff --git a/debian/changelog b/debian/changelog
index a6408c7..d1455c4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
+ CVE-2016-1238
+
+ -- Dominic Hargreaves <dom@earth.li> Thu, 07 Jul 2016 16:53:02 +0200
+
debhelper (9.20150101) unstable; urgency=medium
[ Niels Thykier ]
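Review bot: this changelog entry carries the jessie version 9.20150101+deb8u1 and an UNRELEASED distribution, so it will not apply cleanly to the 9.20160709 tree this bug is filed against; the unstable upload needs its own entry, and that entry should close #833781. The bullet also reads as a complete fix on its own; wording it as the `-I.` half of the CVE-2016-1238 workaround makes clear that the PERL_USE_UNSAFE_INC export is the other half.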
--
2.1.4
From 142436ea9b345e35c70c55cb3163b6dfe4c32385 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <dom@earth.li>
Date: Wed, 20 Jul 2016 00:25:25 +0100
Subject: [PATCH 2/4] Export PERL_USE_UNSAFE_INC to fix a further set of
packages which fail to build with . removed from @INC
---
Debian/Debhelper/Dh_Lib.pm | 5 +++++
debian/changelog | 2 ++
2 files changed, 7 insertions(+)
diff --git a/Debian/Debhelper/Dh_Lib.pm b/Debian/Debhelper/Dh_Lib.pm
index 0519d20..64ea4ac 100644
--- a/Debian/Debhelper/Dh_Lib.pm
+++ b/Debian/Debhelper/Dh_Lib.pm
@@ -982,6 +982,11 @@ sub set_buildflags {
return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8);
$ENV{DH_INTERNAL_BUILDFLAGS}=1;
+ # Export PERL_USE_UNSAFE_INC as a transitional step to allow us
+ # to remove . from @INC by default without breaking packages which
+ # rely on this [CVE-2016-1238]
+ $ENV{PERL_USE_UNSAFE_INC}=1;
+
eval "use Dpkg::BuildFlags";
if ($@) {
warning "unable to load build flags: $@";
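Review bot: `$ENV{PERL_USE_UNSAFE_INC}=1;` is placed after `return if $ENV{DH_INTERNAL_BUILDFLAGS} || compat(8);`, and since compat(8) is true for compat levels 8 and below, packages at those levels never get the variable exported, yet those older packages are the ones most likely to rely on `.` in @INC; move the assignment above the early return (or out of set_buildflags altogether). The plain assignment also overwrites any value already in the environment, so a maintainer cannot set PERL_USE_UNSAFE_INC=0 to check whether their package still needs the workaround; `$ENV{PERL_USE_UNSAFE_INC} //= 1;` would keep that opt-out.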
diff --git a/debian/changelog b/debian/changelog
index d1455c4..c5d2a6d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
* Non-maintainer upload.
* Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
CVE-2016-1238
+ * Export PERL_USE_UNSAFE_INC to fix a further set of packages which
+ fail to build with . removed from @INC
-- Dominic Hargreaves <dom@earth.li> Thu, 07 Jul 2016 16:53:02 +0200
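Review bot: the new bullet should say that the export is a transitional measure, as the code comment in Dh_Lib.pm does, so maintainers reading the changelog do not treat PERL_USE_UNSAFE_INC as a permanent substitute for fixing their packages.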
--
2.1.4
From 4ba75eee566c3a6af6c75c2119d938e3fb7796b9 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <dom@earth.li>
Date: Sun, 24 Jul 2016 19:12:52 +0100
Subject: [PATCH 3/4] releasing package debhelper version 9.20150101+deb8u1
---
debian/changelog | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index c5d2a6d..dcaa609 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
+debhelper (9.20150101+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
* Invoke Makefile.PL and Build.PL with perl -I. as part of the fixes for
@@ -6,7 +6,7 @@ debhelper (9.20150101+deb8u1) UNRELEASED; urgency=medium
* Export PERL_USE_UNSAFE_INC to fix a further set of packages which
fail to build with . removed from @INC
- -- Dominic Hargreaves <dom@earth.li> Thu, 07 Jul 2016 16:53:02 +0200
+ -- Dominic Hargreaves <dom@earth.li> Sun, 24 Jul 2016 19:12:37 +0100
debhelper (9.20150101) unstable; urgency=medium
--
2.1.4
From 4e26f80bed689eea059c64e48b42bfc358119eea Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <dom@earth.li>
Date: Sun, 24 Jul 2016 20:16:48 +0100
Subject: [PATCH 4/4] Re-upload to security-master
---
debian/changelog | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index dcaa609..85cb55f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debhelper (9.20150101+deb8u2) jessie-security; urgency=high
+
+ * Non-maintainer upload.
+ * Re-upload to security-master
+
+ -- Dominic Hargreaves <dom@earth.li> Sun, 24 Jul 2016 20:13:55 +0100
+
debhelper (9.20150101+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
--
2.1.4