Bug#1023422: FTBFS: test failure

gregor herrmann gregoa at debian.org
Fri Nov 11 14:38:30 GMT 2022


On Thu, 03 Nov 2022 20:39:02 +0100, gregor herrmann wrote:

> As also seen on ci.debian.net, minilla recently started to fail its
> test suite, which also makes it FTBFS:

> Test Summary Report
> -------------------
> t/filegatherer.t                           (Wstat: 65280 (exited 255) Tests: 2 Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
> t/filegatherer/submodules-recursive.t      (Wstat: 65280 (exited 255) Tests: 2 Failed: 1)
>   Failed test:  2
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
> t/project/in_submodule.t                   (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
>   Failed test:  1
>   Non-zero exit status: 255
>   Parse errors: No plan found in TAP output
> 
> 
> This may or may not be related to recent changes in git:
> 
> git (1:2.38.1-1) unstable; urgency=medium
> 
>   * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
>     RelNotes/2.38.1.txt).
>     * Addresses the security issue CVE-2022-39253: cloning an
>       attacker-controlled local repository could store arbitrary files
>       in the ".git" directory of the destination repository.
> 
>       Thanks to Cory Snider of Mirantis for reporting this
>       vulnerability and Taylor Blau for the mitigation.
> 
>     * Addresses CVE-2022-39260: a long command string passed to a `git
>       shell` configured to support custom commands could overflow and
>       run arbitrary code.
> 
>       Thanks to Kevin Backhouse of GitHub for reporting this
>       vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
>       for mitigating it.

Preliminary patch at
https://salsa.debian.org/perl-team/modules/packages/minilla/-/blob/master/debian/patches/git-2.38.1.patch
(inspired by https://github.com/book/Git-Repository/pull/22 and
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
), feedback welcome.

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   