Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libsub-handlesvia-p...@packages.debian.org, t...@security.debian.org, debian-p...@lists.debian.org, car...@debian.org
Control: affects -1 + src:libsub-handlesvia-perl
User: release.debian....@packages.debian.org
Usertags: pu
Hi Stable release managers,

[ Reason ]
libsub-handlesvia-perl in buster is prone to CVE-2025-30673 as well. The vulnerability has its origin in Mite (not packaged, but it is used in upstream projects to generate code, as used in libsub-handlesvia-perl) and has been assigned a dedicated CVE, CVE-2025-30672. Mite, until the fixed version, generated code with the current working directory added to the @INC path (which is similar to CVE-2016-1238). The issue was assessed to not warrant a DSA, so I'm proposing to fix the issue via the next point release.

[ Impact ]
A local attacker can place malicious code in the current working directory when code using Sub::HandlesVia is run, which may result in arbitrary code execution.

[ Tests ]
The test suite was run in the package (not specific to the CVE) and some additional manual testing was done with the updated package.

[ Risks ]
The fix is taken from upstream and is targeted to avoid adding '.' to @INC (from the generated code from Mite). We will have additional CI runs when scheduling the update via the point release.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Uses code generated with the fixed version of Mite (to address CVE-2025-30672 in Mite).

Regards,
Salvatore
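To make the mechanism behind this report concrete, the following is an added Perl example (not part of the report or of the upstream patch). It lays out a constructed library directory and a separate working directory that each hold a Foo.pm.mite.pm, then shows that prepending '.' to @INC, as the old generated shim did, loads the companion file from the working directory, while resolving the companion name relative to the module's own @INC entry and requiring it against the unchanged @INC loads the library copy. Foo.pm, the temporary directories and $main::SOURCE are constructed for the demonstration.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Resolve the companion "<module>.mite.pm" relative to the @INC entry the
# module was loaded from, so that require() searches @INC only. This
# follows the approach of the fixed shim; names here are constructed.
sub companion_name {
    my ( $file, @inc ) = @_;
    my $orig = $file;    # fallback: keep the caller's path as reported
    for my $base ( grep { !ref($_) && length($_) } @inc ) {
        $base eq substr( $file, 0, length $base )
          and -f File::Spec->catfile( $base, substr( $file, 1 + length $base ) )
          and $orig = File::Spec->abs2rel( $file, $base )
          and last;
    }
    return $orig . '.mite.pm';
}

sub write_file {
    my ( $path, $body ) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $body;
    close $fh;
}

# Constructed layout: a library directory with Foo.pm and its genuine
# companion, and a separate working directory with a decoy companion.
my $lib = tempdir( CLEANUP => 1 );
my $cwd = tempdir( CLEANUP => 1 );
write_file( "$lib/Foo.pm",         "package Foo; 1;\n" );
write_file( "$lib/Foo.pm.mite.pm", "\$main::SOURCE = 'library'; 1;\n" );
write_file( "$cwd/Foo.pm.mite.pm", "\$main::SOURCE = 'cwd'; 1;\n" );

chdir $cwd or die "chdir: $!";
unshift @INC, $lib;
my $file = File::Spec->catfile( $lib, 'Foo.pm' );    # what caller() reports
my $name = companion_name( $file, @INC );             # "Foo.pm.mite.pm"

# Old shim behaviour: '.' is prepended to @INC, so the decoy in cwd wins.
{
    local @INC = ( '.', @INC );
    require $name;
}
print "with '.' in \@INC:    loaded from $main::SOURCE\n";

# Fixed behaviour: a plain require against @INC finds the library copy.
delete $INC{$name};    # drop the cached entry so require() searches again
require $name;
print "without '.' in \@INC: loaded from $main::SOURCE\n";
```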
diff -Nru libsub-handlesvia-perl-0.050000/debian/changelog libsub-handlesvia-perl-0.050000/debian/changelog --- libsub-handlesvia-perl-0.050000/debian/changelog 2023-04-09 17:56:06.000000000 +0200 +++ libsub-handlesvia-perl-0.050000/debian/changelog 2025-04-01 21:26:03.000000000 +0200 @@ -1,3 +1,10 @@ +libsub-handlesvia-perl (0.050000-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * use newer Mite (CVE-2025-30673) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 01 Apr 2025 21:26:03 +0200 + libsub-handlesvia-perl (0.050000-1) unstable; urgency=medium * Team upload. diff -Nru libsub-handlesvia-perl-0.050000/debian/patches/series libsub-handlesvia-perl-0.050000/debian/patches/series --- libsub-handlesvia-perl-0.050000/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libsub-handlesvia-perl-0.050000/debian/patches/series 2025-04-01 21:26:03.000000000 +0200 @@ -0,0 +1 @@ +use-newer-Mite.patch diff -Nru libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch --- libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch 1970-01-01 01:00:00.000000000 +0100 +++ libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch 2025-04-01 21:26:03.000000000 +0200 
@@ -0,0 +1,530 @@ +From: Toby Inkster <m...@tobyinkster.co.uk> +Date: Mon, 31 Mar 2025 12:31:51 +0100 +Subject: use newer Mite +Origin: https://github.com/tobyink/p5-sub-handlesvia/commit/9bc3cfb22ade4b407413ae1c746bb331fff52954 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-30673 + +--- + lib/Sub/HandlesVia/CodeGenerator.pm.mite.pm | 8 +- + lib/Sub/HandlesVia/Handler.pm.mite.pm | 74 +++++++++---------- + lib/Sub/HandlesVia/Mite.pm | 24 +++--- + lib/Sub/HandlesVia/Toolkit.pm.mite.pm | 6 +- + lib/Sub/HandlesVia/Toolkit/Mite.pm.mite.pm | 2 +- + lib/Sub/HandlesVia/Toolkit/Moo.pm.mite.pm | 2 +- + lib/Sub/HandlesVia/Toolkit/Moose.pm.mite.pm | 2 +- + lib/Sub/HandlesVia/Toolkit/Mouse.pm.mite.pm | 2 +- + .../HandlesVia/Toolkit/ObjectPad.pm.mite.pm | 2 +- + lib/Sub/HandlesVia/Toolkit/Plain.pm.mite.pm | 2 +- + 10 files changed, 65 insertions(+), 59 deletions(-) + +diff --git a/lib/Sub/HandlesVia/CodeGenerator.pm.mite.pm b/lib/Sub/HandlesVia/CodeGenerator.pm.mite.pm +index 602362f1617a..fdfd52c126fe 100644 +--- a/lib/Sub/HandlesVia/CodeGenerator.pm.mite.pm ++++ b/lib/Sub/HandlesVia/CodeGenerator.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +@@ -67,8 +67,8 @@ + map { "$_\::BUILD" } reverse @$linear_isa + ], + DEMOLISH => [ +- map { ( *{$_}{CODE} ) ? ( *{$_}{CODE} ) : () } +- map { "$_\::DEMOLISH" } @$linear_isa ++ map { ( *{$_}{CODE} ) ? 
( *{$_}{CODE} ) : () } ++ map { "$_\::DEMOLISH" } @$linear_isa + ], + HAS_BUILDARGS => $class->can('BUILDARGS'), + HAS_FOREIGNBUILDARGS => $class->can('FOREIGNBUILDARGS'), +@@ -128,7 +128,7 @@ + + package Sub::HandlesVia::Mite; + !ref $args->{"coerce"} +- and (!defined $args->{"coerce"} ++ and ( !defined $args->{"coerce"} + or $args->{"coerce"} eq q() + or $args->{"coerce"} eq '0' + or $args->{"coerce"} eq '1' ); +diff --git a/lib/Sub/HandlesVia/Handler.pm.mite.pm b/lib/Sub/HandlesVia/Handler.pm.mite.pm +index 6d313aa76049..7eac84148115 100644 +--- a/lib/Sub/HandlesVia/Handler.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Handler.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +@@ -67,8 +67,8 @@ + map { "$_\::BUILD" } reverse @$linear_isa + ], + DEMOLISH => [ +- map { ( *{$_}{CODE} ) ? ( *{$_}{CODE} ) : () } +- map { "$_\::DEMOLISH" } @$linear_isa ++ map { ( *{$_}{CODE} ) ? 
( *{$_}{CODE} ) : () } ++ map { "$_\::DEMOLISH" } @$linear_isa + ], + HAS_BUILDARGS => $class->can('BUILDARGS'), + HAS_FOREIGNBUILDARGS => $class->can('FOREIGNBUILDARGS'), +@@ -275,7 +275,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -287,7 +287,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -307,7 +307,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -319,7 +319,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -339,7 +339,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -351,7 +351,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -375,7 +375,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -387,7 +387,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -411,7 +411,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -423,7 +423,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or 
$coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -701,7 +701,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -713,7 +713,7 @@ + }; + ( + !ref $default_value +- and (!defined $default_value ++ and ( !defined $default_value + or $default_value eq q() + or $default_value eq '0' + or $default_value eq '1' ) +@@ -940,7 +940,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +@@ -1179,7 +1179,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1191,7 +1191,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1211,7 +1211,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1223,7 +1223,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1243,7 +1243,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1255,7 +1255,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1279,7 +1279,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1291,7 +1291,7 @@ + }; + ( + !ref $coerced_value +- 
and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1315,7 +1315,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1327,7 +1327,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1492,7 +1492,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +@@ -1747,7 +1747,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1759,7 +1759,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1779,7 +1779,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1791,7 +1791,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1811,7 +1811,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1823,7 +1823,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1847,7 +1847,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or 
$to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1859,7 +1859,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +@@ -1883,7 +1883,7 @@ + ( + ( + !ref $to_coerce +- and (!defined $to_coerce ++ and ( !defined $to_coerce + or $to_coerce eq q() + or $to_coerce eq '0' + or $to_coerce eq '1' ) +@@ -1895,7 +1895,7 @@ + }; + ( + !ref $coerced_value +- and (!defined $coerced_value ++ and ( !defined $coerced_value + or $coerced_value eq q() + or $coerced_value eq '0' + or $coerced_value eq '1' ) +diff --git a/lib/Sub/HandlesVia/Mite.pm b/lib/Sub/HandlesVia/Mite.pm +index e35186f3059d..96c582daa4e4 100644 +--- a/lib/Sub/HandlesVia/Mite.pm ++++ b/lib/Sub/HandlesVia/Mite.pm +@@ -17,13 +17,9 @@ or do { + }; + + # Constants +-sub true () { !!1 } +-sub false () { !!0 } +-sub ro () { 'ro' } +-sub rw () { 'rw' } +-sub rwp () { 'rwp' } +-sub lazy () { 'lazy' } +-sub bare () { 'bare' } ++sub true () { !!1 } sub false () { !!0 } ++sub ro () { 'ro' } sub rw () { 'rw' } sub rwp () { 'rwp' } ++sub lazy () { 'lazy' } sub bare () { 'bare' } + + # More complicated constants + BEGIN { +@@ -109,9 +105,19 @@ sub import { + ); + } + else { ++ # Try to determine original filename for caller, minus libdir. ++ # This would normally be in %INC but caller hasn't finished loading yet. ++ require File::Spec; ++ my $orig = $file; ++ for my $base ( @INC ) { ++ $base eq substr $file, 0, length $base ++ and -f File::Spec->catfile( $base, substr $file, 1 + length $base ) ++ and $orig = File::Spec->abs2rel( $file, $base ) ++ and last; ++ } ++ + # Changes to this filename must be coordinated with Mite::Compiled +- my $mite_file = $file . '.mite.pm'; +- local @INC = ( '.', @INC ); ++ my $mite_file = $orig . 
'.mite.pm'; + local $@; + if ( not eval { require $mite_file; 1 } ) { + my $e = $@; +diff --git a/lib/Sub/HandlesVia/Toolkit.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit.pm.mite.pm +index df7b5beade61..6185776a0654 100644 +--- a/lib/Sub/HandlesVia/Toolkit.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +@@ -42,8 +42,8 @@ + map { "$_\::BUILD" } reverse @$linear_isa + ], + DEMOLISH => [ +- map { ( *{$_}{CODE} ) ? ( *{$_}{CODE} ) : () } +- map { "$_\::DEMOLISH" } @$linear_isa ++ map { ( *{$_}{CODE} ) ? ( *{$_}{CODE} ) : () } ++ map { "$_\::DEMOLISH" } @$linear_isa + ], + HAS_BUILDARGS => $class->can('BUILDARGS'), + HAS_FOREIGNBUILDARGS => $class->can('FOREIGNBUILDARGS'), +diff --git a/lib/Sub/HandlesVia/Toolkit/Mite.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/Mite.pm.mite.pm +index fef68bb66580..e54b784c698a 100644 +--- a/lib/Sub/HandlesVia/Toolkit/Mite.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/Mite.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +diff --git a/lib/Sub/HandlesVia/Toolkit/Moo.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/Moo.pm.mite.pm +index 3b56b2986bc8..6a3db5feb044 100644 +--- a/lib/Sub/HandlesVia/Toolkit/Moo.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/Moo.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +diff --git a/lib/Sub/HandlesVia/Toolkit/Moose.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/Moose.pm.mite.pm +index 8e74fe1fc77a..de3a14de2bf4 100644 +--- a/lib/Sub/HandlesVia/Toolkit/Moose.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/Moose.pm.mite.pm 
+@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +diff --git a/lib/Sub/HandlesVia/Toolkit/Mouse.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/Mouse.pm.mite.pm +index e884a1468a47..c0fe5f8fb0f5 100644 +--- a/lib/Sub/HandlesVia/Toolkit/Mouse.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/Mouse.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +diff --git a/lib/Sub/HandlesVia/Toolkit/ObjectPad.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/ObjectPad.pm.mite.pm +index 29ee1d925c20..73c5ea8645b3 100644 +--- a/lib/Sub/HandlesVia/Toolkit/ObjectPad.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/ObjectPad.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +diff --git a/lib/Sub/HandlesVia/Toolkit/Plain.pm.mite.pm b/lib/Sub/HandlesVia/Toolkit/Plain.pm.mite.pm +index f122c702661b..76a744e01046 100644 +--- a/lib/Sub/HandlesVia/Toolkit/Plain.pm.mite.pm ++++ b/lib/Sub/HandlesVia/Toolkit/Plain.pm.mite.pm +@@ -7,7 +7,7 @@ + + our $USES_MITE = "Mite::Class"; + our $MITE_SHIM = "Sub::HandlesVia::Mite"; +- our $MITE_VERSION = "0.012000"; ++ our $MITE_VERSION = "0.013000"; + + # Mite keywords + BEGIN { +-- +2.49.0 +
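Review bot: the debian/changelog entry `* use newer Mite (CVE-2025-30673)` records only the identifier and not what changed for users; for a stable update the entry should state the effect, for example `Regenerate Mite-generated code with Mite 0.013000 so Sub::HandlesVia::Mite no longer prepends '.' to @INC when loading the .mite.pm companion (CVE-2025-30673; Mite issue CVE-2025-30672)`, which also lines up with the [ Changes ] section of the report.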
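Review bot: in the `sub import` hunk of lib/Sub/HandlesVia/Mite.pm the removal of `local @INC = ( '.', @INC );` is the actual fix, and the new loop derives `$orig` from the first @INC entry that is a string prefix of `$file`; two things deserve a comment there. First, the fallback when no entry matches leaves `$orig` equal to `$file`, so `require $mite_file` is then handed the caller's reported path unchanged (an absolute path bypasses the @INC search, a bare relative name is searched in @INC as-is), which is acceptable but should be stated. Second, `$base eq substr $file, 0, length $base` is a bare prefix test, so an @INC entry such as a shorter sibling directory name or a non-string entry (code reference, object) would match or be stringified before the `-f` check rejects it; a `next if ref $base;` guard and a separator-aware comparison would make the intent explicit. Since the package's test suite is not CVE-specific, a regression test that loads a Sub::HandlesVia-using class while the working directory contains a stray `*.mite.pm` and asserts it is not picked up would lock the fix in.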
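Review bot: the constants hunk in lib/Sub/HandlesVia/Mite.pm (`sub true () { !!1 } sub false () { !!0 }` and the other constant subs joined onto shared lines) is whitespace-only churn carried over from the regenerated shim; it is harmless but inflates the debdiff the release team has to review, so either note in the patch header that the file is taken verbatim from the upstream commit (the Origin: line implies this) or drop the cosmetic hunks.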
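Review bot: nearly every hunk in lib/Sub/HandlesVia/Handler.pm.mite.pm, CodeGenerator.pm.mite.pm and the Toolkit*.pm.mite.pm files either changes `and (!defined` to `and ( !defined`, re-indents the DEMOLISH `map`, or bumps `$MITE_VERSION` from "0.012000" to "0.013000"; none of these alters behaviour, and the version bump only records which generator produced the files. It would help reviewers if the patch description said that these hunks are generator formatting output and that the sole functional change is the @INC handling in Mite.pm.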