Debian Bug report logs - #695224
perl-modules: Locale::Maketext code injection


Package: perl-modules; Maintainer for perl-modules is Niko Tyni <ntyni@debian.org>; Source for perl-modules is src:perl.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Wed, 5 Dec 2012 17:51:04 UTC

Severity: grave

Tags: patch, security

Found in versions perl/5.10.1-17squeeze4, perl/5.14.2-15

Fixed in versions perl/5.14.2-16, perl/5.16.2-2, perl/5.10.1-17squeeze5

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Wed, 05 Dec 2012 17:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 05 Dec 2012 17:51:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: perl-modules: Locale::Maketext code injection
Date: Wed, 5 Dec 2012 17:49:47 +0000
Package: perl-modules
Severity: important
Version: 5.14.2-15

----- Forwarded message from Ricardo Signes <perl.p5p@rjbs.manxome.org> -----

Date: Wed, 5 Dec 2012 10:51:47 -0500
From: Ricardo Signes <perl.p5p@rjbs.manxome.org>
To: perl5-porters@perl.org
Subject: security notice: Locale::Maketext
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,SPF_PASS,T_DKIM_INVALID autolearn=ham version=3.3.1
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.2


Locale::Maketext is a core l10n library that expands templates found in
strings.

Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.

-- 
rjbs



----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
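Both flaws above are compile-time problems: Locale::Maketext turns every bracket group in a template into Perl code, so whoever controls the template string controls the generated code. What follows is an added example, not code from the advisory or from the perl package, showing the caller-side discipline that stays safe on patched and unpatched versions alike: the template is a program constant, user data travels as a `[_N]` parameter, and text that must be spliced into a template string is first neutralised with the module's documented `~` escape. The MyApp::L10N classes, `escape_maketext` and the sample input are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Locale::Maketext;

# Hypothetical two-class project: a base class and one language class.
# _AUTO => 1 means any key missing from %Lexicon is compiled as a template,
# which is exactly why the first argument of maketext() must never be
# attacker controlled.
package MyApp::L10N;     our @ISA = ('Locale::Maketext');
package MyApp::L10N::en; our @ISA = ('MyApp::L10N');
our %Lexicon = (
    _AUTO    => 1,
    greeting => 'Hello, [_1]. You have [quant,_2,message,messages].',
);

package main;

# Neutralise the three bracket-notation metacharacters with the module's
# documented "~" escape ("~[", "~]" and "~~" are literal), for the rare case
# where untrusted text has to become part of the template string itself
# rather than being passed as a [_N] parameter.
sub escape_maketext {
    my ($text) = @_;
    $text =~ s/([\[\]~])/~$1/g;
    return $text;
}

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed sample input: a display name that also carries a bracket
# group and a tilde, the shape an attacker would supply.
my $untrusted = q{mallory [sprintf,%s,x] ~};

# Safe: the template is a fixed lexicon key; the user data is a parameter,
# interpolated verbatim and never compiled.
print $lh->maketext('greeting', $untrusted, 3), "\n";

# Also safe: the user text is escaped before it becomes part of a template.
print $lh->maketext('Search results for: ' . escape_maketext($untrusted)), "\n";

# The pattern to grep for and remove: an attacker controlled template is
# compiled into Perl code on every version, fixed or not.
# $lh->maketext($untrusted);
```

Prefer the parameter form wherever possible. With `_AUTO` every distinct string that reaches `maketext()` as a key is compiled and cached in the lexicon hash, so runtime-assembled templates should be drawn from a bounded set even when they are escaped.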



Added tag(s) security. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2012 17:57:03 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'important' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:48:05 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:57:05 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 09 Dec 2012 00:21:04 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 10 Dec 2012 15:06:10 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Mon, 10 Dec 2012 15:06:10 GMT) Full text and rfc822 format available.

Message #18 received at 695224-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 695224-close@bugs.debian.org
Subject: Bug#695224: fixed in perl 5.14.2-16
Date: Mon, 10 Dec 2012 15:05:53 +0000
Source: perl
Source-Version: 5.14.2-16

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Dec 2012 12:47:14 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.2-16
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.14 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 693420 695223 695224
Changes: 
 perl (5.14.2-16) unstable; urgency=medium
 .
   * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
     CRLF escaping (Closes: #693420)
   * [SECURITY] Fix misparsing of maketext strings which could allow
     arbitrary code execution from untrusted maketext templates
     (Closes: #695224)
   * [SECURITY] add warning to Storable documentation that Storable
     documents should not be accepted from untrusted sources
     (Closes: #695223)
Checksums-Sha1: 
 c8b7f6a30c413ea4b2e5c896cf1d17b13bafcbe2 1721 perl_5.14.2-16.dsc
 9e8d151dcf329576a4b1a7657e9268dec06d0243 155151 perl_5.14.2-16.debian.tar.gz
 e718582112c701aa54bc551bd46eb852c4644d40 74914 libcgi-fast-perl_5.14.2-16_all.deb
 c8a40a664daeaac9caa70bba041de708d4d4aefc 8166594 perl-doc_5.14.2-16_all.deb
 e9570fa287f148c8f23c186293ad32c240c6b220 3439114 perl-modules_5.14.2-16_all.deb
 60c6d439372d063f69608a27a2a1bed02c01d6d7 1493988 perl-base_5.14.2-16_i386.deb
 00b6946d0b2e1c268255be9da86bbbf18c083c45 9225014 perl-debug_5.14.2-16_i386.deb
 1965addcfa618214b57a71e7ab134c9cd6fcff24 731478 libperl5.14_5.14.2-16_i386.deb
 5bcb88cbcf38056ca23ea6bf045b6e09e15da29a 3054592 libperl-dev_5.14.2-16_i386.deb
 22f7f5b2ed3af5d54aabb2ef2b12b09f6f9a641a 3700978 perl_5.14.2-16_i386.deb
Checksums-Sha256: 
 024b02816fce4888c75c2e4a41c25ea751c01cf40b138c51294fd14a4642cfde 1721 perl_5.14.2-16.dsc
 ddd143e1ea79a706731bd362a421518f53cf1f8c8e7c431f95691787b8ba4117 155151 perl_5.14.2-16.debian.tar.gz
 55eef21650fcdec9fd64a32519da6625cbef8011ef3020b907a2d01b25478085 74914 libcgi-fast-perl_5.14.2-16_all.deb
 f4bc71ed91c741dc16353f4c2ddaaa27bffcc8db64c216eaefe93c56f3dc926d 8166594 perl-doc_5.14.2-16_all.deb
 fdb7a02824aecc27a0616295990cd2fd5661d23997334aafa1d607b03ca07c84 3439114 perl-modules_5.14.2-16_all.deb
 59deffd6f8f982874b684014a37df8abc5311e7a5c1f4aec5642aa4ee05e2f7c 1493988 perl-base_5.14.2-16_i386.deb
 83590a117136029682c5a542d3d48459183f652cace5905cb029ad8f5d56e1a2 9225014 perl-debug_5.14.2-16_i386.deb
 4af5cb0c464a7afc92a83b90d4fe00988b1bfcc3b22bbb9ba6fc54aafbd2fda2 731478 libperl5.14_5.14.2-16_i386.deb
 e0a8860044e28dc0b3c1f1fca6b2b62dc287b67ee5cc8746492f92212d359b80 3054592 libperl-dev_5.14.2-16_i386.deb
 c87257ae8f7221eeb523094bf578ae5fc4673b6af4a88e54ad9e238c5494f9ba 3700978 perl_5.14.2-16_i386.deb
Files: 
 858164359163428bf082fad51e300b7a 1721 perl standard perl_5.14.2-16.dsc
 c5ae3219697cd323db59faa0d5aa53cd 155151 perl standard perl_5.14.2-16.debian.tar.gz
 303efa86279da45a8badeb4fd3e8ae0b 74914 perl optional libcgi-fast-perl_5.14.2-16_all.deb
 ad770d4148849db198b4c857bbcc8340 8166594 doc optional perl-doc_5.14.2-16_all.deb
 b4cfa2c0f754258e07c089bc4bcf18d1 3439114 perl standard perl-modules_5.14.2-16_all.deb
 bba51c64dd09a6e47d9b3f80416eb692 1493988 perl required perl-base_5.14.2-16_i386.deb
 a73a0072a482104c3e59711db2a09f2e 9225014 debug extra perl-debug_5.14.2-16_i386.deb
 043212af3300bc414fddadfcdacbbdcd 731478 libs optional libperl5.14_5.14.2-16_i386.deb
 9681b4d187a5901b74dfc7f1fbf04304 3054592 libdevel optional libperl-dev_5.14.2-16_i386.deb
 7ea94b65ead39491b13e6a3c00a8d492 3700978 perl standard perl_5.14.2-16_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQxeayYzuFKFF44qURAr/PAJ4yAHz2cl1U+O0fZdG2aiPw0qEGHwCaAgB/
jQIpgbLwRp7n3lwotLWi8pw=
=8cNp
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Thu, 13 Dec 2012 15:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 13 Dec 2012 15:30:05 GMT) Full text and rfc822 format available.

Message #23 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 695224@bugs.debian.org, control@bugs.debian.org
Subject: affects stable
Date: Thu, 13 Dec 2012 15:26:48 +0000
found 695224 5.10.1-17squeeze4
thanks

Please note that since the upstream fix for this issue could potentially
break code relying on the old behaviour, we are holding off updating this
in stable until the fix has been in unstable/testing for a little while
longer.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Marked as found in versions perl/5.10.1-17squeeze4. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 13 Dec 2012 15:30:07 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 13 Jan 2013 19:21:09 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 13 Jan 2013 19:21:09 GMT) Full text and rfc822 format available.

Message #30 received at 695224-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 695224-close@bugs.debian.org
Subject: Bug#695224: fixed in perl 5.16.2-2
Date: Sun, 13 Jan 2013 19:18:08 +0000
Source: perl
Source-Version: 5.16.2-2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 13 Jan 2013 17:54:46 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.16 libperl-dev perl
Architecture: source all i386
Version: 5.16.2-2
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.16 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 688842 689713 693420 695223 695224
Changes: 
 perl (5.16.2-2) experimental; urgency=low
 .
   [ Dominic Hargreaves ]
   * Merge 5.14.2-15 and 5.14.2-16 from unstable
     + [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
       CRLF escaping (Closes: #693420)
     + [SECURITY] Fix misparsing of maketext strings which could allow
       arbitrary code execution from untrusted maketext templates
       (Closes: #695224)
     + [SECURITY] add warning to Storable documentation that Storable
       documents should not be accepted from untrusted sources
       (Closes: #695223)
     + Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent
       is writable. (Closes: #688842)
     + Don't overwrite $Config{lddlflags} or ccdlflags on GNU/kFreeBSD.
       (Closes: #689713)
 .
   [ Niko Tyni ]
   * Minor packaging improvements:
     + present Debian bugs consistently in patchlevel.h.
     + use gzip -n for reproducible results
     + support comments in file lists
     + fix a syntax error in debian/copyright
     + support the '**' notation in file lists for matching subdirectories
Checksums-Sha1: 
 e4b3e06d1e64437fb251538373ce56d7bff93194 1717 perl_5.16.2-2.dsc
 45f4a41b579794e8b80a1e94c04c3090ee78acfd 126313 perl_5.16.2-2.debian.tar.gz
 f35a52639ed1641b92a5ba705aa4600d76d49645 75194 libcgi-fast-perl_5.16.2-2_all.deb
 7ba4b0b01b1a73ac34a6b377426cd2d47513350d 7898372 perl-doc_5.16.2-2_all.deb
 2c77b400b64b97cf66ccde1d45e7766e871221d6 3835664 perl-modules_5.16.2-2_all.deb
 d7103219422b1fd00fe5e9bb1a116fa0fe400944 1528168 perl-base_5.16.2-2_i386.deb
 58c306ced8704bca475d42b883b50b3dcb785ec0 9258256 perl-debug_5.16.2-2_i386.deb
 563b5d8be96f2d20299bef88a3a4bc4eabd9e59c 763060 libperl5.16_5.16.2-2_i386.deb
 113248711a8e9620b5f25100c28d77ef0b480059 3161862 libperl-dev_5.16.2-2_i386.deb
 8b970007af831d53a2aa77b1356ff4cc9b60cb9e 3706428 perl_5.16.2-2_i386.deb
Checksums-Sha256: 
 55afde9c3091207071421a53744b81c066a2287db98deddd25514b4a73cca02a 1717 perl_5.16.2-2.dsc
 b7052be9875eb7180e4935ec478f9b34b3043211f9842ed594bd4a7996a13b6f 126313 perl_5.16.2-2.debian.tar.gz
 b8ee8db139ec16c4fcc67cdbe2d3931225224c2acebade4ba89f5ce23a32feca 75194 libcgi-fast-perl_5.16.2-2_all.deb
 71b36fe06badd80707b3623904b179aed752d08a914eac05c8c73ee88e18de86 7898372 perl-doc_5.16.2-2_all.deb
 495497985add85a5f51f924c6eb5d0bbc4b4352218c0814a70d89f6b1b3cbc55 3835664 perl-modules_5.16.2-2_all.deb
 ebc48a7dd8dd5a8dd4fe42b4f8f597c6a8ea939d9e7b15fad6c3a837dcbae8f3 1528168 perl-base_5.16.2-2_i386.deb
 a17741bcbb0cb6a586e22b74487b8d886aac5a0b9ef2aef6df9d9e63ceae8820 9258256 perl-debug_5.16.2-2_i386.deb
 9966dc497dcdb3dc2c7e8aacf7f5b65548a909eafdcdde1fdeafd58809b74daf 763060 libperl5.16_5.16.2-2_i386.deb
 c263ab4261dd1f1514e328fc16abae37b7951f3bfef311b56ec417dfc91c4275 3161862 libperl-dev_5.16.2-2_i386.deb
 8e25964f99ec08512c682f0f3f06401cb617b9d0a994f79bb20e5f693c6f0337 3706428 perl_5.16.2-2_i386.deb
Files: 
 33b5ad74e6fab2c4a8048c821ba87de6 1717 perl standard perl_5.16.2-2.dsc
 1bf8cb9d8cebb7302c330f750e7de87f 126313 perl standard perl_5.16.2-2.debian.tar.gz
 f83d7d77d4011929ae765f34fba0060c 75194 perl optional libcgi-fast-perl_5.16.2-2_all.deb
 99bd3f331445798becb7d07981b50117 7898372 doc optional perl-doc_5.16.2-2_all.deb
 52ef6739bd98877650e8c16267e845d1 3835664 perl standard perl-modules_5.16.2-2_all.deb
 33b977277351659b21de478f7cf80800 1528168 perl required perl-base_5.16.2-2_i386.deb
 26b38fd30eeaf7020a5117d7114576ff 9258256 debug extra perl-debug_5.16.2-2_i386.deb
 e889ff8cdf2a85328b36c510ea2b24af 763060 libs optional libperl5.16_5.16.2-2_i386.deb
 c9939918766edb19c3d45fc17bdbf0d3 3161862 libdevel optional libperl-dev_5.16.2-2_i386.deb
 78742ae86a9ad452e98db4f6780fb215 3706428 perl standard perl_5.16.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQ8wPAYzuFKFF44qURAu9iAKCo9QnWpOhrwPapXNfgxyK4O64FCACfcsSa
wbHqMCIRl4SVYv6sDpSIo8k=
=pe2l
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Fri, 18 Jan 2013 15:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 18 Jan 2013 15:09:07 GMT) Full text and rfc822 format available.

Message #35 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: perl5-porters@perl.org, 695224@bugs.debian.org
Subject: Locale::Maketext security fix: real world breakage?
Date: Fri, 18 Jan 2013 15:06:38 +0000
On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> * Dominic Hargreaves <dom@earth.li> [2012-12-05T13:51:19]
> > I wondered (and the question has arisen within the Debian project) whether
> > anyone might be relying on the previous behaviour? Have you been able to do
> > any assessment of this?
> 
> It's difficult to say, unfortunately, because (I suppose) most projects that
> would use Locale::Maketext would not be CPAN projects, and so finding them is
> not trivial.
> 
> I did do some grepping of the CPAN and found zero cases.
> 
> It should be quite easy to add this behavior back as optional, if we find
> we've broken anything.

Hi,

A fix for that has been in Debian unstable/testing for the past month
and we've had no reports of problems. That doesn't mean everything, of
course, but it is probably time to decide whether to push this out to
Debian stable. As such I'd be very interested in hearing from anyone
who has real world examples of this breaking things.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Mon, 04 Feb 2013 20:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 04 Feb 2013 20:30:03 GMT) Full text and rfc822 format available.

Message #40 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 695224@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#695224: Locale::Maketext security fix: real world breakage?
Date: Mon, 4 Feb 2013 20:28:16 +0000
On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
> On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> > * Dominic Hargreaves <dom@earth.li> [2012-12-05T13:51:19]
> > > I wondered (and the question has arisen within the Debian project) whether
> > > anyone might be relying on the previous behaviour? Have you been able to do
> > > any assessment of this?
> > 
> > It's difficult to say, unfortunately, because (I suppose) most projects that
> > would use Locale::Maketext would not be CPAN projects, and so finding them is
> > not trivial.
> > 
> > I did do some grepping of the CPAN and found zero cases.
> > 
> > It should be quite easy to add this behavior back as optional, if we find
> > we've broken anything.
> 
> Hi,
> 
> A fix for that has been in Debian unstable/testing for the past month
> and we've had no reports of problems. That doesn't mean everything, of
> course, but it is probably time to decide whether to push this out to
> Debian stable. As such I'd be very interested in hearing from anyone
> who has real world examples of this breaking things.

I had no replies about this, so I think it's time to bite the bullet
and decide whether we should target this fix at

- stable-security
- stable
- neither of the above.

I think I'm leaning towards stable on the basis that that's a slightly
safer place to land a possibly-problematic fix, as well as the fact I
don't know of any real world exploits for this, but I am open to (and
welcome) all comments.

I seem to remember reading that a point release of squeeze is
due quite soon, but I couldn't find an announcement of such.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Wed, 06 Feb 2013 16:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 06 Feb 2013 16:24:03 GMT) Full text and rfc822 format available.

Message #45 received at 695224@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Dominic Hargreaves <dom@earth.li>
Cc: 695224@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#695224: Locale::Maketext security fix: real world breakage?
Date: Wed, 06 Feb 2013 16:59:17 +0100
Hi Dominic,

On 04/02/2013 21:28, Dominic Hargreaves wrote:
> I had no replies about this, so I think it's time to bite the bullet
> and decide whether we should target this fix at
> 
> - stable-security
> - stable
> - neither of the above.
> 
> I think I'm leaning towards stable on the basis that that's a slightly
> safer place to land a possibly-problematic fix, as well as the fact I
> don't know of any real world exploits for this, but I am open to (and
> welcome) all comments.
> 
> I seem to remember reading that a point release of squeeze is
> due quite soon, but I couldn't find an announcement of such.

from http://openwall.com/lists/oss-security/2012/12/11/4:

"I think the vulnerability is effective only when attacker has first
argument of maketext() under control.

However that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.

Sure gettext("%s", user_input) is not safe, but this is flaw in the
caller, not in the gettext. The same applies to
Locale::Maketext::maketext().

Petr Pisar 2012-12-06 11:18:46 EST"


This is CVE-2012-6329 and I think this doesn't warrant a DSA, please fix
it in stable.


Cheers,
Giuseppe.


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 17 Feb 2013 00:21:08 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 17 Feb 2013 00:21:08 GMT) Full text and rfc822 format available.

Message #50 received at 695224-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 695224-close@bugs.debian.org
Subject: Bug#695224: fixed in perl 5.10.1-17squeeze5
Date: Sun, 17 Feb 2013 00:17:05 +0000
Source: perl
Source-Version: 5.10.1-17squeeze5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Feb 2013 19:00:31 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze5
Distribution: stable
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 695224
Changes: 
 perl (5.10.1-17squeeze5) stable; urgency=low
 .
   * [SECURITY] CVE-2012-6329: Fix misparsing of maketext strings which
     could allow arbitrary code execution from untrusted maketext templates
     (Closes: #695224)
Checksums-Sha1: 
 8c72b0929240f1ea92136bca9895d0a25a138d43 1422 perl_5.10.1-17squeeze5.dsc
 cdcd4aacaa51b069e4bedb46efaa4a2c6bce351a 122627 perl_5.10.1-17squeeze5.debian.tar.gz
 f0d80bf963fac45caaacb563b7b22d3fd4340d72 53164 libcgi-fast-perl_5.10.1-17squeeze5_all.deb
 c67f20e20758909002446195bbde2468cefd1397 7190518 perl-doc_5.10.1-17squeeze5_all.deb
 3d27175e9a6d640bbaf239c67e496fec58086861 3490822 perl-modules_5.10.1-17squeeze5_all.deb
 eed5c50fc8997388fca45f12d11db8a9cd9e5aab 980678 perl-base_5.10.1-17squeeze5_i386.deb
 8a15bd198a5fe08d0c0d5844644066167fcd0338 6631194 perl-debug_5.10.1-17squeeze5_i386.deb
 1d7f82c5b7662392d354e90455172f282b73ae9b 33244 perl-suid_5.10.1-17squeeze5_i386.deb
 f2dd317b089dedc82310ca0da3d9a676789fb8ed 633128 libperl5.10_5.10.1-17squeeze5_i386.deb
 60129a0055a1f6ac42a499e30b47a3040b0cdf17 2344808 libperl-dev_5.10.1-17squeeze5_i386.deb
 54f4217589158be37ed5111feea1cc8b126fff0f 3780318 perl_5.10.1-17squeeze5_i386.deb
Checksums-Sha256: 
 53b1e4d942da6b6acfefdc1f37c152198aaae2c10d1c4ec6575b3a0457f3119f 1422 perl_5.10.1-17squeeze5.dsc
 0502185a1c2d583d83f9f73f7c76505e57794bbe495954d5c688c72e875e47e1 122627 perl_5.10.1-17squeeze5.debian.tar.gz
 85f182dc5fe0cff5962ef237cca07590fcbc3494bf8fc8ba6ee6df91439230b0 53164 libcgi-fast-perl_5.10.1-17squeeze5_all.deb
 28bd29a9a9d0c4dab6c59641c49c0e08bb1c8950ee39ca2992c31c3f59f05833 7190518 perl-doc_5.10.1-17squeeze5_all.deb
 ee9b0f6033dc03f7d9a6da5b79a49cedd261baf91f707019cfd910d20844ab17 3490822 perl-modules_5.10.1-17squeeze5_all.deb
 16842140b8d071eeb5b059d8e3c0d325740c7b3c978d4171d6d2b87ba36765ee 980678 perl-base_5.10.1-17squeeze5_i386.deb
 b9a68b4f05fe1206b13fd93d2f52dde8117f92ab7d505af82f759a062c3a18b5 6631194 perl-debug_5.10.1-17squeeze5_i386.deb
 2eeec97f04553220a613a4f598b5188affa80ce57a2e7dd80e245c20caf243a2 33244 perl-suid_5.10.1-17squeeze5_i386.deb
 2d2d07619c6aa5de70789f8501e4b16dbc5b0a79cadca32d6f6f97bd76194ab4 633128 libperl5.10_5.10.1-17squeeze5_i386.deb
 7609b3b7690951d056ee2a8f93a3ff2e5424d76c25a4607c108051ea23eb2c33 2344808 libperl-dev_5.10.1-17squeeze5_i386.deb
 391064d20f7987f2582127367d29b0d4d35744a7c1909e1a18644fe96c831399 3780318 perl_5.10.1-17squeeze5_i386.deb
Files: 
 4217d385ea86365d280f3eaedf511e17 1422 perl standard perl_5.10.1-17squeeze5.dsc
 d9891f099112f9f31df7b0d93ac41af2 122627 perl standard perl_5.10.1-17squeeze5.debian.tar.gz
 e7be9d04dee0aca2371f0f5ba8cdbb47 53164 perl optional libcgi-fast-perl_5.10.1-17squeeze5_all.deb
 1e685207d1d70fb1ba7583f7effd3e0e 7190518 doc optional perl-doc_5.10.1-17squeeze5_all.deb
 a961d6e881f661d9f5bcd14d69278a05 3490822 perl standard perl-modules_5.10.1-17squeeze5_all.deb
 43968c05b345613d0c03b8892d4a0606 980678 perl required perl-base_5.10.1-17squeeze5_i386.deb
 03881a6b92e8b68fdce1531aca9de100 6631194 debug extra perl-debug_5.10.1-17squeeze5_i386.deb
 334d0c55fbead2637db93ad1602b85bb 33244 perl optional perl-suid_5.10.1-17squeeze5_i386.deb
 5dad09ac11890abeac372374bdabe4bf 633128 libs optional libperl5.10_5.10.1-17squeeze5_i386.deb
 63c4e67d5e5542936f4250e3f9c93b32 2344808 libdevel optional libperl-dev_5.10.1-17squeeze5_i386.deb
 de97ac49d413379c81c14b65ff863458 3780318 perl standard perl_5.10.1-17squeeze5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFRIACwYzuFKFF44qURArtuAJ4wEKvdg64cbDnPNRoK8SDR4ZA64wCg8fKr
YVUf4Q/v8LQ8dEeKzAqiZL8=
=ourg
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Mon, 11 Mar 2013 03:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Harvey <csirac2@gmail.com>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 11 Mar 2013 03:39:06 GMT) Full text and rfc822 format available.

Message #55 received at 695224@bugs.debian.org (full text, mbox):

From: Paul Harvey <csirac2@gmail.com>
To: 695224@bugs.debian.org
Cc: foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: perl-modules: Locale::Maketext code injection
Date: Mon, 11 Mar 2013 14:37:31 +1100
Hi there,

On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
...
> Debian stable. As such I'd be very interested in hearing from anyone
> who has real world examples of this breaking things.

It's worth pointing out that you've now got Locale::Maketext 1.23, minus 
the doc changes and version bump. That's the only real code change 
between 1.19 and 1.23 - so calling this 1.19 makes life harder for 
projects like Foswiki to sanity-check the users' environment.

Take a look at the Locale::Maketext 1.19..master diff for yourself: 
https://github.com/toddr/Locale-Maketext/compare/84a644...master

Compared to the diff which I think was applied in perl-modules:

http://perl5.git.perl.org/perl.git/blobdiff/569ba91fcdabdc53eb4284f860a25273bd7fe4e1..1735f6f53ca19f99c6e9e39496c486af323ba6a8:/dist/Locale-Maketext/lib/Locale/Maketext.pm

Foswiki uses Locale::Maketext when internationalization is enabled, so 
we've had our own CVE response - 
http://foswiki.org/Support/SecurityAlert-CVE-2012-6329.

As part of the fix, we perform additional escaping before calling 
Locale::Maketext if the version is < 1.23.

The Debian-patched 1.19 of course already has the escaping code, so we 
end up with double-escaping issues.

As we're now getting user complaints on Debian systems, we will have to 
come up with a technical solution to this problem but I think it'd also 
make sense for Debian to simply ship Locale::Maketext 1.23 proper.

Here's the changelog, FWIW

http://cpansearch.perl.org/src/TODDR/Locale-Maketext-1.23/ChangeLog

Cheers

--
Paul Harvey
Foswiki developer



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Sun, 24 Mar 2013 12:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 24 Mar 2013 12:24:04 GMT) Full text and rfc822 format available.

Message #60 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Paul Harvey <csirac2@gmail.com>, 695224@bugs.debian.org
Cc: foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: Bug#695224: perl-modules: Locale::Maketext code injection
Date: Sun, 24 Mar 2013 12:19:59 +0000
Hi Paul,

Sorry for the delay in responding to this...

On Mon, Mar 11, 2013 at 02:37:31PM +1100, Paul Harvey wrote:
> Hi there,
> 
> On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
> ...
> > Debian stable. As such I'd be very interested in hearing from anyone
> > who has real world examples of this breaking things.
> 
> It's worth pointing out that you've now got Locale::Maketext 1.23,
> minus the doc changes and version bump. That's the only real code
> change between 1.19 and 1.23 - so calling this 1.19 makes life
> harder for projects like Foswiki to sanity-check the users'
> environment.

This is a regrettable state of affairs, indeed. 

> Take a look at the Locale::Maketext 1.19..master diff for yourself:
> https://github.com/toddr/Locale-Maketext/compare/84a644...master
> 
> Compared to the diff which I think was applied in perl-modules:
> 
> http://perl5.git.perl.org/perl.git/blobdiff/569ba91fcdabdc53eb4284f860a25273bd7fe4e1..1735f6f53ca19f99c6e9e39496c486af323ba6a8:/dist/Locale-Maketext/lib/Locale/Maketext.pm
> 
> Foswiki uses Locale::Maketext when internationalization is enabled,
> so we've had our own CVE response -
> http://foswiki.org/Support/SecurityAlert-CVE-2012-6329.
> 
> As part of the fix, we perform additional escaping before calling
> Locale::Maketext if the version is < 1.23.
> 
> The Debian-patched 1.19 of course already has the escaping code, so
> we end up with double-escaping issues.
> 
> As we're now getting user complaints on Debian systems, we will have
> to come up with a technical solution to this problem but I think
> it'd also make sense for Debian to simply ship Locale::Maketext 1.23
> proper.

There's a bit of an awkward issue here in that Locale::Maketext is
bundled with perl, and although I agree it is potentially confusing
to have these sorts of changes applied without version number changes,
changing the version number on the Debian branch is quite likely to be
the source of even more confusion; I don't think there's any precedent for
doing that with a dual-lived module. Practically speaking, I think we will
need to stick with what you'd probably term a workaround, which I assume
is to do some sort of probe for behaviour before using it for real?

Interested in hearing opinions from others, however!

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Mon, 25 Mar 2013 03:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Harvey <csirac2@gmail.com>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 25 Mar 2013 03:03:04 GMT) Full text and rfc822 format available.

Message #65 received at 695224@bugs.debian.org (full text, mbox):

From: Paul Harvey <csirac2@gmail.com>
To: Dominic Hargreaves <dom@earth.li>
Cc: 695224@bugs.debian.org, foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: Bug#695224: perl-modules: Locale::Maketext code injection
Date: Mon, 25 Mar 2013 14:00:03 +1100
For the Foswiki project, we can deal with things as-is.

But you have created a new bug: Locale::Maketext 1.23 is being shipped 
as 1.19, and I still don't see how this can ever be a good idea. These 
two versions have different version numbers for a reason: there has been 
a deliberate change which the caller must consider carefully before use. 
If the caller can't trust the API version being reported, what is the 
point of version numbers in the first place?

Our hack to detect Debian's special franken-version is exactly that, a 
hack - and additional complexity we'd very much rather not incur at 
runtime. Or complicate by pre-computing from yet another admin/configure 
UI prompt which could get out-of-sync should liblocale-maketext be 
updated (resulting in double-escaping mess until the user re-runs 
configure UI).

Perhaps I don't know enough about Debian infrastructure but how can this 
situation be easier to deal with than simply updating the rest of the 
.pm including the $VERSION string and POD lines? Especially given that 
your own grepping hasn't exactly overwhelmed with many dependencies on 
Locale::Maketext.

We always try very hard to work with vendor perls, which as you probably 
know, isn't the done thing - try telling perlmonks or #perl on freenode 
you've got this kind of problem, and you'll be asked what kind of idiot 
doesn't compile their own local perl.

Then try telling our userbase they must compile and maintain their own 
local perl.

I didn't start this message intending to drag out my soapbox - I just 
think it's tragic there has to be such a large impedance mismatch 
between distros and perlers.

Thanks for listening

- Paul

On 24/03/13 23:19, Dominic Hargreaves wrote:
> Hi Paul,
>
> Sorry for the delay in responding to this...
>
> On Mon, Mar 11, 2013 at 02:37:31PM +1100, Paul Harvey wrote:
>> Hi there,
>>
>> On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
>> ...
>>> Debian stable. As such I'd be very interested in hearing from anyone
>>> who has real world examples of this breaking things.
>> It's worth pointing out that you've now got Locale::Maketext 1.23,
>> minus the doc changes and version bump. That's the only real code
>> change between 1.19 and 1.23 - so calling this 1.19 makes life
>> harder for projects like Foswiki to sanity-check the users'
>> environment.
> This is a regrettable state of affairs, indeed.
>
>> Take a look at the Locale::Maketext 1.19..master diff for yourself:
>> https://github.com/toddr/Locale-Maketext/compare/84a644...master
>>
>> Compared to the diff which I think was applied in perl-modules:
>>
>> http://perl5.git.perl.org/perl.git/blobdiff/569ba91fcdabdc53eb4284f860a25273bd7fe4e1..1735f6f53ca19f99c6e9e39496c486af323ba6a8:/dist/Locale-Maketext/lib/Locale/Maketext.pm
>>
>> Foswiki uses Locale::Maketext when internationalization is enabled,
>> so we've had our own CVE response -
>> http://foswiki.org/Support/SecurityAlert-CVE-2012-6329.
>>
>> As part of the fix, we perform additional escaping before calling
>> Locale::Maketext if the version is < 1.23.
>>
>> The Debian-patched 1.19 of course already has the escaping code, so
>> we end up with double-escaping issues.
>>
>> As we're now getting user complaints on Debian systems, we will have
>> to come up with a technical solution to this problem but I think
>> it'd also make sense for Debian to simply ship Locale::Maketext 1.23
>> proper.
> There's a bit of an awkward issue here in that Locale::Maketext is
> bundled with perl, and although I agree it is potentially confusing
> to have these sorts of changes applied without version number changes,
> changing the version number on the Debian branch is quite likely to be
> the source of even more confusion; I don't think there's any precedent for
> doing that with a dual-lived module. Practically speaking, I think we will
> need to stick with what you'd probably term a workaround, which I assume
> is to do some sort of probe for behaviour before using it for real?
>
> Interested in hearing opinions from others, however!
>
> Dominic.
>




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Fri, 29 Mar 2013 14:27:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 29 Mar 2013 14:27:09 GMT) Full text and rfc822 format available.

Message #70 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Paul Harvey <csirac2@gmail.com>, 695224@bugs.debian.org
Cc: foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: Bug#695224: perl-modules: Locale::Maketext code injection
Date: Fri, 29 Mar 2013 14:23:07 +0000
On Mon, Mar 25, 2013 at 02:00:03PM +1100, Paul Harvey wrote:
> For the Foswiki project, we can deal with things as-is.
> 
> But you have created a new bug: Locale::Maketext 1.23 is being
> shipped as 1.19 and I still don't see how this can ever be a good
> idea. These two versions have different version numbers for a
> reason: there has been a deliberate change which the caller must
> consider carefully before use. If the caller can't trust the API
> version being reported, what is the point of version numbers in the
> first place?

I personally think you're slightly overstating this part; in the vast
majority of cases where bugfixes are cherry-picked into the Debian perl
package and the package version number doesn't get changed, no problems
arise. The situation for Locale::Maketext is indeed regrettable and I'm
sorry we didn't foresee the action-at-a-distance the change has caused,
but I don't think we have any practical options at this point, not least
owing to the deep freeze that Debian is now in. I would certainly want
to get the release team's opinion on any further changes (such as pulling
in the updated Locale::Maketext verbatim).

> Our hack to detect Debian's special franken-version is exactly that,
> a hack - and additional complexity we'd very much rather not incur
> at runtime. Or complicate by pre-computing from yet another
> admin/configure UI prompt which could get out-of-sync should
> liblocale-maketext be updated (resulting in double-escaping mess
> until the user re-runs configure UI).
> 
> Perhaps I don't know enough about Debian infrastructure but how can
> this situation be easier to deal with than simply updating the rest
> of the .pm including the $VERSION string and POD lines? Especially
> given that your own grepping hasn't exactly overwhelmed with many
> dependencies on Locale::Maketext.

In general bug-fixes in Debian are pulled in as minimal fixes without
changing the version number. The dual-lived modules in perl make this
all the more complex, especially when the modules don't get the security
fixes in core (maint-5.14 still has Locale::Maketext 1.19). If we did
decide to update the version number of the module in Debian's perl package,
notwithstanding the technical breakage likely to result when it comes
to the packaging infrastructure and Module::Corelist, I wouldn't be
surprised if it resulted in people wondering why we were deviating from
the upstream versioning. (This impedance mismatch is related to the
fact that perl upstream are more keen to point people at the CPANed
version of modules for bugfixes, whilst in Debian packaging the CPAN
version of a module incurs more overhead, so is less preferred.)

I don't claim to know the right way to deal with this problem, now or in
future, but hopefully I've managed to communicate that I don't see an
'obvious' solution.

Again, I welcome comments from other readers.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Sat, 30 Mar 2013 11:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Harvey <csirac2@gmail.com>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 30 Mar 2013 11:51:04 GMT) Full text and rfc822 format available.

Message #75 received at 695224@bugs.debian.org (full text, mbox):

From: Paul Harvey <csirac2@gmail.com>
To: Dominic Hargreaves <dom@earth.li>
Cc: 695224@bugs.debian.org, foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: Bug#695224: perl-modules: Locale::Maketext code injection
Date: Sat, 30 Mar 2013 22:49:04 +1100
Thanks Dominic for your pragmatic feedback,

On 30/03/13 01:23, Dominic Hargreaves wrote:
> On Mon, Mar 25, 2013 at 02:00:03PM +1100, Paul Harvey wrote:
>> consider carefully before use. If the caller can't trust the API
>> version being reported, what is the point of version numbers in the
>> first place?
> I personally think you're slightly overstating this part; in the vast
> majority of cases where bugfixes are cherry-picked into the Debian perl
> package and the package version number doesn't get changed, no problems
> arise. The situation for Locale::Maketext is indeed regrettable and I'm

The practice you're describing has its place, I'm not saying debian-perl 
is wasting its time - generally speaking.

But in this instance a breaking change in Locale::Maketext has been 
back-ported. I assume most other fixes which have been backported in the 
past did not fundamentally affect the behaviour of those modules (and 
thus require callers to adapt their code to the new version).

> arise. The situation for Locale::Maketext is indeed regrettable and I'm
> sorry we didn't foresee the action-at-a-distance the change has caused,
> but I don't think we have any practical options at this point, not least

I guess I'm struggling to get my head around that statement: the only, 
*single* line of code (i.e. apart from whitespace/comments/pod) in 
Maketext.pm which differs with upstream 1.23 is now the $VERSION line.

> to get the release team's opinion on any further changes (such as pulling
> in the updated Locale::Maketext verbatim).

I wouldn't be making this noise if I didn't think we already have it 
essentially verbatim already - sans comment/pod lines and the $VERSION.

> In general bug-fixes in Debian are pulled in as minimal fixes without
> changing the version number. The dual-lived modules in perl make this
> all the more complex, especially when the modules don't get the
> security fixes in core (maint-5.14 still has Locale::Maketext 1.19).
> If we did decide to update the version number of the module in
> Debian's perl package, notwithstanding the technical breakage likely
> to result when it comes to the packaging infrastructure and
> Module::Corelist, I wouldn't be surprised if it resulted in people
> wondering why we were deviating from the upstream versioning. (This
> impedance mismatch is related to the fact that perl upstream are
> more keen to point people at the CPANed version of modules for
> bugfixes, whilst in Debian packaging the CPAN version of a module
> incurs more overhead, so is less preferred.)
>
> I don't claim to know the right way to deal with this problem, now or
> in future, but hopefully I've managed to communicate that I don't see
> an 'obvious' solution.
>
> Again, I welcome comments from other readers.
>
> Dominic.

Ok. I can only trust your judgment on this. From my (naive) perspective, 
it seems we're creating avoidable bugs for the sake of... I'm not sure. 
Probably, I really should try to join debian-perl somehow so that I can 
get my head around the infrastructure and processes which have led to this.

- Paul



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Sun, 31 Mar 2013 16:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 31 Mar 2013 16:51:04 GMT) Full text and rfc822 format available.

Message #80 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: debian-release@lists.debian.org
Cc: 695224@bugs.debian.org, team@security.debian.org
Subject: Locale::Maketext versioning in perl package
Date: Sun, 31 Mar 2013 17:46:12 +0100
[Message part 1 (text/plain, inline)]
Dear release team,

There is a problem with the perl package, as discussed in 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
onwards, whereby the application of the security fix in that ticket
now causes double-escaping problems where people work around the problem
by escaping themselves, when they detect an earlier Locale::Maketext
by version number.

I am slightly wary about importing the new (1.23) version of
Locale::Maketext as I mentioned in that bug already, but my fears may
be unfounded. Could you comment about whether you would accept such
a change in wheezy at this time? (I can't really decide whether it's
RC or not).

I've attached a diff which implements the change in question. I haven't
carried out extensive testing yet, but the package builds fine. The same
change is in the dom/locale-maketext-version branch of the git repository
at <http://anonscm.debian.org/gitweb/?p=perl/perl.git>.

Note that if you approve this, I would still want to get feedback from
Niko, co-maintainer of the perl package, before an upload.

This also affects stable, and so I've also CCed the security team
(the problem was introduced in a DSA).

Thanks as always for your excellent work (especially during the freeze)
and apologies for bringing such a thorny issue to you this close to
release.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
[perl-locale-maketext-versioning.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#695224; Package perl-modules. (Tue, 02 Apr 2013 19:21:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Tue, 02 Apr 2013 19:21:08 GMT) Full text and rfc822 format available.

Message #85 received at 695224@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 695224@bugs.debian.org
Cc: debian-release@lists.debian.org, team@security.debian.org
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Tue, 2 Apr 2013 22:15:56 +0300
On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
 
> There is a problem with the perl package, as discussed in 
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
> onwards, whereby the application of the security fix in that ticket
> now causes double-escaping problems where people work around the problem
> by escaping themselves, when they detect an earlier Locale::Maketext
> by version number.
> 
> I am slightly wary about importing the new (1.23) version of
> Locale::Maketext as I mentioned in that bug already, but my fears may
> be unfounded. Could you comment about whether you would accept such
> a change in wheezy at this time? (I can't really decide whether it's
> RC or not).

FWIW, it looks clear to me that the only functional changes in the patch
are the $VERSION increments in the .pm files. The rest is documentation
and test cases, and the only important $VERSION is most probably
the main one in Locale/Maketext.pm.

While that change itself is trivial, it has action-at-distance effects -
otherwise this wouldn't be an issue at all. I think the risk potential
is mostly in breaking something that's trusting Module::CoreList
(dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
be affected somehow too?), and that it's not a very big risk but still
a real one.

Thinking about the necessity of this: Paul is IMO right that security
fixes and other backported stuff usually don't change functionality
API-wise, and I'm generally sympathetic to the idea of incrementing
$VERSION when they do. Unfortunately that's hard to do in the general case
(as the versioning scheme doesn't really support downstream branching.)

In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
would probably have been the "right" thing to do if we had anticipated
these issues. But we didn't, and it seems very late in the release
process to do it now. Also, I can't really see us applying anything but
the targeted fix for squeeze.

I see Fedora/RedHat also upgraded their Locale::Maketext modules without
incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
to fix this for wheezy, applications still have to check for features
rather than versions to stay on the safe side.
-- 
Niko Tyni   ntyni@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Wed, 03 Apr 2013 18:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 03 Apr 2013 18:30:04 GMT) Full text and rfc822 format available.

Message #90 received at 695224@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 695224@bugs.debian.org
Cc: debian-release@lists.debian.org, team@security.debian.org
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Wed, 3 Apr 2013 20:26:11 +0200
[Message part 1 (text/plain, inline)]
On Sun, 31 Mar 2013 17:46:12 +0100, Dominic Hargreaves wrote:

> I've attached a diff which implements the change in question. I haven't
> carried out extensive testing yet, but the package builds fine. The same
> change is in the dom/locale-maketext-version branch of the git repository
> at <http://anonscm.debian.org/gitweb/?p=perl/perl.git>.

/*
Disclaimers: My only affiliation with the release team is that I'm a
happy "customer", and I also don't know locale-maketext specifically.
*/

I looked at this patch twice now, and I don't see a single change to
actual code; just $VERSION/hashes, a bit of POD, and some test
changes. Provided that the tests still work the changes seem very low
risk.

(Like Dominic I'm unsure if this should count as RC or wheezy-worth
otherwise, just wanted to give the patch another pair of eyes.)


Cheers,
gregor


-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Misha Alperin: Ironical Evening
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Sun, 07 Apr 2013 12:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 07 Apr 2013 12:24:04 GMT) Full text and rfc822 format available.

Message #95 received at 695224@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: Niko Tyni <ntyni@debian.org>
Cc: Dominic Hargreaves <dom@earth.li>, 695224@bugs.debian.org, debian-release@lists.debian.org, team@security.debian.org, gregor herrmann <gregoa@debian.org>
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Sun, 07 Apr 2013 14:12:46 +0200
On 2013-04-02 21:15, Niko Tyni wrote:
> On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>  
>> There is a problem with the perl package, as discussed in 
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
>> onwards, whereby the application of the security fix in that ticket
>> now causes double-escaping problems where people work around the problem
>> by escaping themselves, when they detect an earlier Locale::Maketext
>> by version number.
>>
>> I am slightly wary about importing the new (1.23) version of
>> Locale::Maketext as I mentioned in that bug already, but my fears may
>> be unfounded. Could you comment about whether you would accept such
>> a change in wheezy at this time? (I can't really decide whether it's
>> RC or not).
> 
> FWIW, it looks clear to me that the only functional changes in the patch
> are the $VERSION increments in the .pm files. The rest is documentation
> and test cases, and the only important $VERSION is most probably
> the main one in Locale/Maketext.pm.
> 

Indeed.

> While that change itself is trivial, it has action-at-distance effects -
> otherwise this wouldn't be an issue at all. I think the risk potential
> is mostly in breaking something that's trusting Module::CoreList
> (dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
> be affected somehow too?), and that it's not a very big risk but still
> a real one.
> 

Lintian uses a precomputed static list.  It would at worst lead to
"false-negatives" for "package-superseded-by-perl" (i.e. no tag when one
should have been there).
  I suspect dh-make-perl will have a similar case with using the "cpan"
variant instead of the "core" variant in dependencies (though I only
gave it a quick scan).

I would suspect that any application code using Module::CoreList would
still have to account for the "cpan" version being present?

> [...]
> 
> In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
> would probably have been the "right" thing to do if we had anticipated
> these issues. But we didn't, and it seems very late in the release
> process to do it now. Also, I can't really see us applying anything but
> the targeted fix for squeeze.
> 

I am tempted to take this fix for Wheezy and be done with it.  Can (one
of) you please check up on CPAN.pm/CPANPLUS.pm?

> I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> to fix this for wheezy, applications still have to check for features
> rather than versions to stay on the safe side.
> 

Okay, sounds like it will be fine with leaving Squeeze as is then.

~Niels
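Niko's point that applications have to check for features rather than versions, together with Niels's note that code consulting Module::CoreList must still account for the CPAN version being present, can be turned into a runtime probe. The following is an added example written for this discussion; it is not code from Foswiki, from the Debian perl package or from Locale::Maketext itself. The ProbeApp and ProbeTarget package names are made up, and the probe assumes, as the CVE-2012-6329 fix does, that a fixed Locale::Maketext refuses a fully qualified method name in bracket notation instead of dispatching to it.

```perl
#!/usr/bin/perl
# Added example, not code from Foswiki, Debian or the perl package:
# probe what the installed Locale::Maketext actually does instead of
# trusting $VERSION or Module::CoreList. Package names are made up.
use strict;
use warnings;
use Locale::Maketext;
use Module::CoreList;

# Minimal language-handle classes with an auto-lexicon, so that the
# probe phrase itself gets compiled as bracket notation.
package ProbeApp::I18N;
our @ISA     = ('Locale::Maketext');
our %Lexicon = ('_AUTO' => 1);

package ProbeApp::I18N::en;
our @ISA     = ('ProbeApp::I18N');
our %Lexicon = ('_AUTO' => 1);

# A harmless, fully qualified method. A Locale::Maketext without the
# CVE-2012-6329 fix lets bracket notation dispatch to it; a fixed one
# refuses the name at compile time (assumption: the fix rejects method
# names containing '::').
package ProbeTarget;
sub harmless { return 'dispatched' }

package main;

# Returns 1 when bracket notation refuses the qualified method name
# (fixed behaviour), 0 when it dispatched to it (unfixed behaviour).
sub maketext_rejects_qualified_methods {
    my $lh = ProbeApp::I18N->get_handle('en')
        or die "could not create a language handle";
    my $out;
    # Test the eval's own return value rather than $@: on perls older
    # than 5.14 a 'local $@' inside maketext can clear $@ on unwind.
    my $ok = eval { $out = $lh->maketext('[ProbeTarget::harmless]'); 1 };
    return 1 unless $ok;
    return 0 if defined $out && $out eq 'dispatched';
    die 'unexpected maketext result: ' . (defined $out ? $out : 'undef');
}

# Three views of the same module, which this bug shows can disagree:
# what Module::CoreList says this perl shipped, what the loaded module
# reports as $VERSION, and how it behaves.
sub locale_maketext_report {
    my $corelist = $Module::CoreList::version{$]} || {};
    return {
        corelist_version          => $corelist->{'Locale::Maketext'},
        loaded_version            => Locale::Maketext->VERSION,
        rejects_qualified_methods => maketext_rejects_qualified_methods(),
    };
}

# A caller that applies its own compensating escaping for unfixed
# versions should key that decision on the behaviour, not on $VERSION,
# or it double-escapes on a patched-but-not-rebumped module.
sub needs_compensating_escaping {
    return maketext_rejects_qualified_methods() ? 0 : 1;
}

my $r = locale_maketext_report();
for my $k (sort keys %$r) {
    printf "%-26s %s\n", $k, defined $r->{$k} ? $r->{$k} : 'unknown';
}
printf "%-26s %s\n", 'compensating escaping',
    needs_compensating_escaping() ? 'needed' : 'not needed';
```

Run it with the system perl; it prints the Module::CoreList entry, the loaded $VERSION and the probe result side by side. On a Debian perl carrying the backported fix under the 1.19 version string, the first two are expected to still say 1.19 while the probe reports the fixed behaviour, which is exactly the disagreement this bug is about; keying any compensating escaping on the probe rather than on $VERSION avoids the double-escaping Paul describes, and keeps working on the Fedora/RHEL builds Niko mentions that patched without bumping $VERSION either.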





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#695224; Package perl-modules. (Wed, 10 Apr 2013 18:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Apr 2013 18:45:04 GMT) Full text and rfc822 format available.

Message #100 received at 695224@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: debian-release@lists.debian.org
Cc: 695224@bugs.debian.org, team@security.debian.org, gregor herrmann <gregoa@debian.org>
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Wed, 10 Apr 2013 21:44:07 +0300
On Sun, Apr 07, 2013 at 02:12:46PM +0200, Niels Thykier wrote:
> > On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
> >  
> >> There is a problem with the perl package, as discussed in 
> >> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
> >> onwards, whereby the application of the security fix in that ticket
> >> now causes double-escaping problems where people work around the problem
> >> by escaping themselves, when they detect an earlier Locale::Maketext
> >> by version number.
> >>
> >> I am slightly wary about importing the new (1.23) version of
> >> Locale::Maketext as I mentioned in that bug already, but my fears may
> >> be unfounded. Could you comment about whether you would accept such
> >> a change in wheezy at this time? (I can't really decide whether it's
> >> RC or not).
 
> I would suspect that any application code using Module::CoreList would
> still have to account for the "cpan" version being present?

Yes, I too think that should be expected.

> I am tempted to take this fix for Wheezy and be done with it.  Can (one
> of) you please check up on CPAN.pm/CPANPLUS.pm?

Sorry for the delay and thanks for looking at this.

I just tested installing Locale-Maketext-Utils-0.36 from CPAN, as it
requires Locale::Maketext 1.22 or greater. I saw no problems with either
cpan or cpanp: with perl/5.14.2-20 from sid/wheezy a newer Locale-Maketext
gets pulled in from CPAN, but with Dominic's patch the system version
satisfies the requirement as expected. That's good enough for me.

So, can we consider the patch pre-approved?

> > I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> > incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> > Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> > to fix this for wheezy, applications still have to check for features
> > rather than versions to stay on the safe side.

> Okay, sounds like it will be fine with leaving Squeeze as is then.

Ack on my part.

Thanks again,
-- 
Niko Tyni   ntyni@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Thu, 11 Apr 2013 16:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 11 Apr 2013 16:33:04 GMT) Full text and rfc822 format available.

Message #105 received at 695224@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: Niko Tyni <ntyni@debian.org>
Cc: debian-release@lists.debian.org, 695224@bugs.debian.org, team@security.debian.org, gregor herrmann <gregoa@debian.org>
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Thu, 11 Apr 2013 18:30:00 +0200
On 2013-04-10 20:44, Niko Tyni wrote:
> On Sun, Apr 07, 2013 at 02:12:46PM +0200, Niels Thykier wrote:
>>> [...]
>> I am tempted to take this fix for Wheezy and be done with it.  Can (one
>> of) you please check up on CPAN.pm/CPANPLUS.pm?
> 
> Sorry for the delay and thanks for looking at this.
> 
> I just tested installing Locale-Maketext-Utils-0.36 from CPAN, as it
> requires Locale::Maketext 1.22 or greater. I saw no problems with either
> cpan or cpanp: with perl/5.14.2-20 from sid/wheezy a newer Locale-Maketext
> gets pulled in from CPAN, but with Dominic's patch the system version
> satisfies the requirement as expected. That's good enough for me.
> 
> So, can we consider the patch pre-approved?
> 
> [...]
> 

Yes, please go ahead.

~Niels





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#695224; Package perl-modules. (Fri, 12 Apr 2013 13:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 12 Apr 2013 13:00:04 GMT) Full text and rfc822 format available.

Message #110 received at 695224@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Niels Thykier <niels@thykier.net>, 695224@bugs.debian.org
Cc: debian-release@lists.debian.org, team@security.debian.org, gregor herrmann <gregoa@debian.org>
Subject: Re: Bug#695224: Locale::Maketext versioning in perl package
Date: Fri, 12 Apr 2013 15:58:01 +0300
On Thu, Apr 11, 2013 at 06:30:00PM +0200, Niels Thykier wrote:
> On 2013-04-10 20:44, Niko Tyni wrote:

> > So, can we consider the patch pre-approved?

> Yes, please go ahead.

5.14.2-21 uploaded, mostly built, and apparently already unblocked.
Thanks!
-- 
Niko Tyni   ntyni@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#695224; Package perl-modules. (Fri, 12 Apr 2013 14:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 12 Apr 2013 14:51:04 GMT) Full text and rfc822 format available.

Message #115 received at 695224@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Paul Harvey <csirac2@gmail.com>, 695224@bugs.debian.org
Cc: foswiki-svn@lists.sourceforge.net, foswiki-security@lists.sourceforge.net
Subject: Re: Bug#695224: perl-modules: Locale::Maketext code injection
Date: Fri, 12 Apr 2013 15:46:43 +0100
On Sat, Mar 30, 2013 at 10:49:04PM +1100, Paul Harvey wrote:
> Thanks Dominic for your pragmatic feedback,
> 
> On 30/03/13 01:23, Dominic Hargreaves wrote:
> >On Mon, Mar 25, 2013 at 02:00:03PM +1100, Paul Harvey wrote:
> >>consider carefully before use. If the caller can't trust the API
> >>version being reported, what is the point of version numbers in the
> >>first place?
> >I personally think you're slightly overstating this part; in the vast
> >majority of cases where bugfixes are cherry-picked into the Debian perl
> >package and the package version number doesn't get changed, no problems
> >arise. The situation for Locale::Maketext is indeed regrettable and I'm
> 
> The practice you're describing has its place, I'm not saying
> debian-perl is wasting its time - generally speaking.
> 
> But in this instance a breaking change in Locale::Maketext has been
> back-ported. I assume most other fixes which have been backported in
> the past did not fundamentally affect the behaviour of those modules
> (and thus require callers to adapt their code to the new version).
> 
> >arise. The situation for Locale::Maketext is indeed regrettable and I'm
> >sorry we didn't foresee the action-at-a-distance the change has caused,
> >but I don't think we have any practical options at this point, not least
> 
> I guess I'm struggling to get my head around that statement: the
> only, *single* line of code (i.e. apart from
> whitespace/comments/pod) in Maketext.pm which differs with upstream
> 1.23 is now the $VERSION line.
> 
> >to get the release team's opinion on any further changes (such as pulling
> >in the updated Locale::Maketext verbatim).
> 
> I wouldn't be making this noise if I didn't think we already have it
> essentially verbatim already - sans comment/pod lines and the
> $VERSION.
> 
> >In general bug-fixes in Debian are pulled in as minimal fixes
> >without changing the version number. The dual-lived modules in
> >perl make this all the more complex, especially when the modules
> >don't get the security fixes in core (maint-5.14 still has
> >Locale::Maketext 1.19). If we did decide to update the version
> >number of the module in Debian's perl package, notwithstanding the
> >technical breakage likely to result when it comes to the packaging
> >infrastructure and Module::Corelist, I wouldn't be surprised if it
> >resulted in people wondering why we were deviating from the
> >upstream versioning. (This impedance mismatch is in related to the
> >fact that perl upstream are more keen to point people at the
> >CPANed version of modules for bugfixes, whilst in Debian packaging
> >the CPAN version of a module incurs more overhead, so is less
> >preferred. I don't claim to know the right way to deal with this
> >problem, now or in future, but hopefully I've managed to
> >communicate that I don't see an 'obvious' solution. Again, I
> >welcome comments from other readers. Dominic.
> 
> Ok. I can only trust your judgment on this. From my (naive)
> perspective, it seems we're creating avoidable bugs for the sake
> of... I'm not sure. Probably, I really should try to join
> debian-perl somehow so that I can get my head around the
> infrastructure and processes which have led to this.

Hi Paul,

You can see the full bug log[1] for some continued discussion about this,
but in summary: perl 5.14.2-21, uploaded to Debian today, includes the
real Locale::Maketext 1.23, and this should hit wheezy.

I'd like to draw your attention to [2] where Niko notes that both Fedora
and RHEL contain the fix without the version bump, so you probably need
to keep the heuristic for a while (or pursue them for a similar fix to
Debian).

Cheers,
Dominic.

[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#85>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 May 2013 07:28:45 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:36:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.