On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Jun 28, 2011 at 02:26:27PM +0300, Niko Tyni wrote:
> > > But this software must've already been broken with the initial Safe.pm fix for Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
> >
> > No, it's really this fix for CVE-2010-1447 that breaks it.
> >
> > I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1 builds fine without CVE-2010-1447.patch, but applying the patch manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case, /usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash and burn.
> >
> > I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of this; quoting myself in #582978:
> >
> > Upstream is now at 2.27, which has further related changes and was also bundled with Perl 5.12.1. However, it causes regressions in (at least) libpetal-perl (#582805) and libtext-micromason-perl (#582892). These two regressions don't happen with 2.25.
> >
> > See also my mail to t...@security.debian.org in January 2011 with CVE-2010-1168 in the subject and Message-ID: <20110114185338.GA25109@madeleine.local.invalid>
> >
> > Fortunately libtext-micromason-perl isn't a problem in this context:
> > - it's not in Lenny at all
> > - the Squeeze package got fixed in time, and I've verified that it still builds with CVE-2010-1447.patch
>
> Ahh, I forgot that mail. Personally I would think the perl update is more important than Petal, which is dead upstream and has hardly any users in popcon. We can add a note to the DSA, so that people who really need it can set the old Perl package on hold. If there's no fix for Petal in the next months it can be removed in a point update.
>
> Dominic, Niko, do you agree? I would leave the decision to the Perl maintainers.
I'm happy with this. I'm CCing the Debian perl group in case there are any additional views there (please see the log at <http://bugs.debian.org/631529> for the full context).

Thanks,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)