Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Salvatore Bonaccorso
carnil at debian.org
Thu Mar 14 11:55:28 UTC 2013
Hi all
On Thu, Mar 14, 2013 at 08:54:06AM -0000, Steve Hay wrote:
> Niko Tyni wrote on 2013-03-13:
> > On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> >> Dominic Hargreaves wrote on 2013-03-12:
> >
> >>> When trying to fix this issue in Debian stable, I found that the patch
> >>> at
> >>>
> >>> http://svn.apache.org/viewvc?view=revision&revision=1455340
> >>>
> >>> does not stop the test failing when applied to 2.0.4 (as currently
> >>> found in Debian stable) and built against the current perl package
> >>> in Debian stable (5.10 + the rehashing fix).
> >
> >> I haven't looked at the Debian package, or tried anything with
> >> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
> >> Perl git repo (in fact, I took the snapshot at
> >>
> >> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
> >> and tried that with Apache 2.2.22 and mod_perl
> >> from trunk and the tests all pass for me... (This is on Windows 7 x64
> >> with VC++ 2010.)
> >
> > Thanks for checking.
> >
> > FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> > and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
> > be a Debian change that breaks it. Maybe -Dusethreads or something like
> > that.
> >
> > I'll keep looking and send an update when I know more.
>
>
> The perl I built and tested with was made with ithreads enabled.
>
> There is an alternative patch to fix this test, submitted to mod_perl's
> rt.cpan.org queue after I'd applied the patch from the perl5-security
> queue on rt.perl.org:
>
> https://rt.cpan.org/Ticket/Display.html?id=83916
>
> I haven't tried it myself yet, but is that any better for you?
I tried to rebuild the Squeeze package with the mentioned first patch,
the package builds now. Disclaimer: only did the build but haven't
looked what's actually changing importantly.
Thank you Steve.
Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libapache2-mod-perl2_2.0.4-7+squeeze1_amd64.build.gz
Type: application/octet-stream
Size: 33640 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20130314/c3f637a5/attachment-0001.obj>