Bug#631529: Missing fix for CVE-2010-1447
Dominic Hargreaves
dom at earth.li
Tue Jun 28 20:55:26 UTC 2011
On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Jun 28, 2011 at 02:26:27PM +0300, Niko Tyni wrote:
> > > But this software must've already been broken with the initial Safe.pm fix for
> > > Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
> >
> > No, it's really this fix for CVE-2010-1447 that breaks it.
> >
> > I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
> > builds fine without CVE-2010-1447.patch, but applying the patch
> > manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
> > /usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
> > and burn.
> >
> > I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
> > this; quoting myself in #582978:
> >
> > Upstream is now at 2.27, which has further related changes and was also
> > bundled with Perl 5.12.1. However, it causes regressions in (at least)
> > libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
> > two regressions don't happen with 2.25.
> >
> > See also my mail to team at security.debian.org in January 2011 with
> > CVE-2010-1168 in the subject and
> > Message-ID: <20110114185338.GA25109 at madeleine.local.invalid>
> >
> >
> > Fortunately libtext-micromason-perl isn't a problem in this context:
> > - it's not in Lenny at all
> > - the Squeeze package got fixed in time, and I've verified that it still
> > builds with CVE-2010-1447.patch
>
> Ahh, I forgot that mail. Personally I would think the perl update is
> more important than Petal, which is dead upstream and has hardly
> any users in popcon. We can add a note to the DSA, so that people
> who really need it can set the old Perl package on hold. If there's
> no fix for Petal in the next months it can be removed in a point
> update.
>
> Dominic, Niko, do you agree? I would leave the decision to the Perl
> maintainers.
I'm happy with this. I'm CCing the Debian perl group in case there
are any additional views there (please see the log at
<http://bugs.debian.org/631529> for the full context).
Thanks,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)