Bug#695224: Locale::Maketext security fix: real world breakage?

Dominic Hargreaves dom at earth.li
Mon Feb 4 20:28:16 UTC 2013


On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
> On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> > * Dominic Hargreaves <dom at earth.li> [2012-12-05T13:51:19]
> > > I wondered (and the question has arisen within the Debian project) whether
> > > anyone might be relying on the previous behaviour? Have you been able to do
> > > any assessment of this?
> > 
> > It's difficult to say, unfortunately, because (I suppose) most projects that
> > would use Locale::Maketext would not be CPAN projects, and so finding them is
> > not trivial.
> > 
> > I did do some grepping of the CPAN and found zero cases.
> > 
> > It should be quite easy to add this behavior back as optional, if we find
> > we've broken anything.
> 
> Hi,
> 
> A fix for that has been in Debian unstable/testing for the past month
> and we've had no reports of problems. That doesn't mean everything, of
> course, but it is probably time to decide whether to push this out to
> Debian stable. As such I'd be very interested in hearing from anyone
> who has real world examples of this breaking things.

I had no replies about this, so I think it's time to bite the bullet
and decide whether we should target this fix at

- stable-security
- stable
- neither of the above.

I think I'm leaning towards stable on the basis that that's a slightly
safer place to land a possibly-problematic fix, as well as the fact I
don't know of any real world exploits for this, but I am open to (and
welcome) all comments.

I seem to remember reading that a point release of squeeze is
due quite soon, but I couldn't find an announcement of such.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
