Bug#833030: perl: use base badly/mistakenly broken by CVE-2016-1238 fix

Niko Tyni ntyni at debian.org
Mon Aug 1 10:53:05 UTC 2016


On Sun, Jul 31, 2016 at 05:09:43AM +0000, Chris Travers wrote:
> Package: perl
> Version: 5.14.2-21+deb7u4
> Severity: grave
> Justification: renders package unusable
> 
> use base died complaining that base package was empty
> 
> The problem was introduced by the fix noted in the title.  The problem is that although
> use base has a require in the eval, the failure of that require is always fatal, so this
> is not an optional dependency.  Without the security fix everything runs normally.
> 
> But with it, strange, order-dependent side-effects occur.
> 
> For example, assuming that '.' needs to be in @INC, without the patch the following both work:
> 
> use base 'MyBaseClass';
> 
> and
> 
> use MyBaseClass;
> use base 'MyBaseClass';
> 
> The difference of course is that the latter runs MyBaseClass->import()
> 
> With the security fix, the latter still works but the former dies because MyBaseClass
> is empty following the failed effort to require it.
> 
> I would be very surprised if this doesn't break a fair number of CGI-based Perl web 
> apps bundled with Debian, and it isn't in the scope of the original vulnerability
> report.  So the fix should be reversed as applied to this module.
> 
> use base is supposed to follow the same rules as use.  This is now badly broken
> on debian and it needs to be fixed.

Thanks for the report. I'm sorry to hear that this caused problems for you.

The base.pm change was not accidental. It was discussed when these
patches were prepared. The discussion is unfortunately not yet public
so I can't quote or link to it, but in the end the consensus was that
possible breakage was justified for the safety gains.

The problem with base.pm is that it can accidentally try to load modules
from the current directory even when it's not meant to (for instance
when the base class is defined in the same file with the derived one
using base.pm.)

Fixes include explicitly setting the PERL5LIB environment variable,
adding 'use lib "."' to the code, or (most preferably) changing base.pm
usage to parent.pm, with or without the '-norequire' switch.

We are aware that the risk for local breakage was higher than normal
with these updates, but the associated vulnerabilities are bad enough
that this was judged necessary. This should probably be advertised more
prominently; we'll have to think about possible ways to do that.

Any breakage of apps bundled with Debian should be reported to our bug
tracking system, and we (the Perl maintainers) will do what we can to
assist in fixing those.
-- 
Niko Tyni   ntyni at debian.org
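The base-class-in-the-same-file case and the parent.pm fix described above, as an added example that is not part of this thread (the package names MyDerived and the hypothetical MyBaseClass.pm file are constructed for illustration):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Derived class declared first. With 'use base', base.pm would see an
# empty MyBaseClass:: symbol table at this point (the base package is
# compiled further down) and eval a require("MyBaseClass.pm"). Before
# the CVE-2016-1238 update, '.' in @INC meant a stray MyBaseClass.pm in
# the current working directory could satisfy that require; after it,
# the require fails and base.pm dies with "Base class package ... is
# empty". 'use parent -norequire' only sets @ISA and never requires,
# so neither @INC nor the working directory is consulted.
package MyDerived;
use parent -norequire, 'MyBaseClass';

sub new {
    my ($class, %args) = @_;
    return bless {%args}, $class;
}

# Base class defined later in the same file; fully compiled by the time
# any method call happens at run time.
package MyBaseClass;

sub greet {
    my $self = shift;
    return "hello from " . ref($self);
}

package main;

# Helper for checking whether the current directory is still searched
# for modules (the updated perl removes '.' from @INC).
sub dot_in_inc {
    return scalar grep { $_ eq '.' } @INC;
}

# Alternative fixes mentioned in the reply, if 'use base' must stay:
#   use lib '.';                       # opt back in to cwd lookups
#   PERL5LIB=/path/to/app perl app.pl  # set the search path explicitly
my $obj = MyDerived->new(name => 'example');
print $obj->greet, "\n";
printf "'.' in \@INC: %s\n", dot_in_inc() ? 'yes' : 'no';
```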
