Your message dated Fri, 06 Jun 2025 13:02:39 +0000
with message-id <e1unwiv-00dbhs...@fasolo.debian.org>
and subject line Bug#1107154: fixed in postgresql-common 248+deb12u1
has caused the Debian Bug report #1107154,
regarding /usr/share/perl5/PgCommon.pm: Newer perl breaks postgresql-common
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: postgresql-client-common
Version: 248
Severity: normal
File: /usr/share/perl5/PgCommon.pm
X-Debbugs-Cc: uklei...@debian.org

Hello,

After upgrading this mixed stable/testing system, postgresql@15-main
failed to start with:

        Jun 02 13:00:31 sleazy systemd[1]: Starting postgresql@15-main.service - PostgreSQL Cluster 15-main...
        Jun 02 13:00:32 sleazy postgresql@15-main[5018]: Insecure directory in $ENV{PATH} while running with -T switch at /usr/share/perl5/PgCommon.pm line 1276.
        Jun 02 13:00:32 sleazy systemd[1]: postgresql@15-main.service: Can't open PID file '/run/postgresql/15-main.pid' (yet?) after start: No such file or directory
        Jun 02 13:00:32 sleazy systemd[1]: postgresql@15-main.service: Failed with result 'protocol'.
        Jun 02 13:00:32 sleazy systemd[1]: Failed to start postgresql@15-main.service - PostgreSQL Cluster 15-main.

The problem is the following sequence in /usr/share/perl5/PgCommon.pm:

        $ENV{'PATH'} = ''; # part of prepare_exec
        my $groups = "$gid " . `/usr/bin/id -G $uname`;

and it's indeed bad because this seems to be interpreted as PATH=".". On
a Debian 12 system (here: people.d.o):

        ukleinek@paradis:~$ echo "echo tralala" > tra
        ukleinek@paradis:~$ chmod u+x tra
        ukleinek@paradis:~$ perl -T -e '$ENV{"PATH"} = ""; print(`tra`);'
        tralala

The fix is https://salsa.debian.org/postgresql/postgresql-common/-/commit/653530a168ea8124b0bfd9ffca0bbfd1acc2d1cd .

While this is fixed for Debian 13, Debian 12 is broken in this regard.
(Well postgresql only fails to start with a newer perl, but having "."
in PATH is worth fixing, too.)

I'm unsure if this justifies a higher severity than normal. I suggest
fixing it for stable quickly before someone comes up with a way to exploit
it :-)

Best regards
Uwe

-- System Information:
Debian Release: 13.0
  APT prefers stable-security
  APT policy: (700, 'stable-security'), (700, 'stable-debug'), (700, 'stable'), (650, 'testing-debug'), (650, 'testing'), (600, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
Architecture: arm64 (aarch64)

Kernel: Linux 6.12.27-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postgresql-client-common depends on:
ii  netbase  6.4
ii  perl     5.40.1-3

postgresql-client-common recommends no packages.

postgresql-client-common suggests no packages.

-- no debconf information

--- End Message ---
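As an added illustration (not code from the bug report, from postgresql-common, or from the linked commit), the following POSIX shell functions encode the check that the report above runs into: perl's -T mode refuses a PATH containing an element it considers insecure, and an empty element, including a PATH that is entirely empty, is resolved by execvp and the shell as the current directory. `path_has_insecure_entry` flags a PATH value that contains an empty or relative element; `sanitize_path` drops such elements and falls back to a fixed default. The default value `/usr/bin:/bin` is an assumption of this example, not the value the Debian fix uses.

```shell
#!/bin/sh
# Added example, not part of the bug report or of postgresql-common.

# Return 0 (true) when PATH_VALUE contains an element perl -T would reject
# for the reason seen in the journal above: an empty element (resolved as the
# current directory by execvp and by the shell) or a relative element.
# Return 1 when every element is an absolute directory.
path_has_insecure_entry() {
    # An entirely empty PATH is a single empty element, i.e. ".".
    [ -z "$1" ] && return 0
    # Append a sentinel ':' so a trailing element (or a trailing empty
    # element from "a:b:") is processed like the others.
    rest=$1:
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") return 0 ;;   # empty element == current directory
            /*) ;;            # absolute directory, acceptable
            *)  return 0 ;;   # relative directory such as "." or "bin"
        esac
    done
    return 1
}

# Print PATH_VALUE with empty and relative elements removed. If nothing
# remains, print the fixed default (constructed for this example).
sanitize_path() {
    rest=$1:
    out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;   # keep absolute entries
            *)  ;;                           # drop empty and relative ones
        esac
    done
    printf '%s\n' "${out:-/usr/bin:/bin}"
}

# Usage: check the running environment before spawning a subprocess.
if path_has_insecure_entry "$PATH"; then
    echo "PATH contains an empty or relative entry; using $(sanitize_path "$PATH")" >&2
fi
```

The report's original sequence, `$ENV{'PATH'} = ''` followed by a backtick command, corresponds to `sanitize_path ""` here: an empty PATH is not "no search path" but "search the current directory", which is why setting a defined absolute PATH before any subprocess is the right fix rather than clearing it.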
--- Begin Message ---
Source: postgresql-common
Source-Version: 248+deb12u1
Done: Christoph Berg <m...@debian.org>

We believe that the bug you reported is fixed in the latest version of
postgresql-common, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <m...@debian.org> (supplier of updated postgresql-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Jun 2025 15:03:54 +0200
Source: postgresql-common
Architecture: source
Version: 248+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgre...@tracker.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Closes: 1107154
Changes:
 postgresql-common (248+deb12u1) bookworm; urgency=medium
 .
   * PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with
     trixie's perl version, and also a mild security issue. Thanks Niko Tyni!
     (Closes: #1107154)
Checksums-Sha1:
 b0ff548c6ea0ea0960f6f3f63d26836a90423f48 2415 postgresql-common_248+deb12u1.dsc
 9c4c5fa4755f4a97227f6f5b1a13a84bef9746be 208852 postgresql-common_248+deb12u1.tar.xz
Checksums-Sha256:
 be310d4ceba44176b4ce30634de36a6f439a4ee8ccd1589338fb9255d6c7a1f0 2415 postgresql-common_248+deb12u1.dsc
 a1df122f7fad00cf41d03503abd5e53eb72eade405c6dd8abaa77067f0144bf9 208852 postgresql-common_248+deb12u1.tar.xz
Files:
 88d49f40fe4ef639b9b1e62914d246e6 2415 database optional postgresql-common_248+deb12u1.dsc
 8a00cce09dba1b91f64f42f46589d2dd 208852 database optional postgresql-common_248+deb12u1.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpeEbj8lKYZ0.pgp
Description: PGP signature


--- End Message ---
