Bug#631529: Missing fix for CVE-2010-1447

Moritz Muehlenhoff jmm at inutil.org
Tue Jun 28 16:28:52 UTC 2011


On Tue, Jun 28, 2011 at 02:26:27PM +0300, Niko Tyni wrote:
> > But this software must've already been broken with the initial Safe.pm fix for
> > Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
> 
> No, it's really this fix for CVE-2010-1447 that breaks it.
> 
> I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
> builds fine without CVE-2010-1447.patch, but applying the patch
> manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
> /usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
> and burn.
> 
> I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
> this; quoting myself in #582978:
> 
>   Upstream is now at 2.27, which has further related changes and was also
>   bundled with Perl 5.12.1. However, it causes regressions in (at least)
>   libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
>   two regressions don't happen with 2.25. 
> 
> See also my mail to team at security.debian.org in January 2011 with
> CVE-2010-1168 in the subject and
>  Message-ID: <20110114185338.GA25109 at madeleine.local.invalid>
> 
> 
> Fortunately libtext-micromason-perl isn't a problem in this context:
>   - it's not in Lenny at all 
>   - the Squeeze package got fixed in time, and I've verified that it still
>     builds with CVE-2010-1447.patch

Ahh, I forgot that mail. Personally I would think the perl update is
more important than Petal, which is dead upstream and has hardly
any users in popcon. We can add a note to the DSA, so that people
who really need it can set the old Perl package on hold. If there's
no fix for Petal in the next months it can be removed in a point
update.

Dominic, Niko, do you agree? I would leave the decision to the Perl
maintainers.

Cheers,
        Moritz