Bug#833030: perl: use base badly/mistakenly broken by CVE-2016-1238 fix

Dominic Hargreaves dom at earth.li
Thu Aug 4 15:58:09 UTC 2016


Control: severity -1 important

On Mon, Aug 01, 2016 at 01:53:05PM +0300, Niko Tyni wrote:
> Thanks for the report. I'm sorry to hear that this caused problems for you.
> 
> The base.pm change was not accidental. It was discussed when these
> patches were prepared. The discussion is unfortunately not yet public
> so I can't quote or link to it, but in the end the consensus was that
> possible breakage was justified for the safety gains.
> 
> The problem with base.pm is that it can accidentally try to load modules
> from the current directory even when it's not meant to (for instance
> when the base class is defined in the same file with the derived one
> using base.pm.)
> 
> Fixes include explicitly setting the PERL5LIB environment variable,
> adding 'use lib "."' to the code, or (most preferably) changing base.pm
> usage to parent.pm, with or without the '-norequire' switch.
> 
> We are aware that the risk for local breakage was higher than normal
> with these updates, but the associated vulnerabilities are bad enough
> that this was judged necessary. This should probably be advertised more
> prominently; we'll have to think about possible ways to do that.
> 
> Any breakage of apps bundled with Debian should be reported to our bug
> tracking system, and we (the Perl maintainers) will do what we can to
> assist in fixing those.

The documentation part of this bug is already tracked in #832936; I suspect
there is nothing much more to do here. I'll leave it open in case the
conversation develops further but given upstream's position it seems clear
that this shouldn't be considered release-critical in Debian, so downgrading.
(There seems to be a problem with version tracking making the BTS think that
this is release-critical in every version of perl; reported to the LTS and
BTS teams).

Dominic.
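
As an added example (not from the bug report or the Debian Perl maintainers), a single-file script showing the pattern Niko describes: the base class is defined in the same file as the derived one, so nothing should be loaded from disk. `use parent -norequire` states that explicitly, and the checks at the end confirm that inheritance resolved to the inline package and that no Shape.pm was pulled in through @INC. The package names and values are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Base class defined inline. No Shape.pm exists on disk, so a
# 'require Shape.pm' could only succeed from an unexpected @INC
# entry such as "." (the behaviour the CVE-2016-1238 fix closed).
package Shape;
sub new  { my ($class, %args) = @_; return bless { %args }, $class }
sub area { return 0 }

package Circle;
# 'use parent -norequire' sets @ISA without consulting @INC at all.
# The older 'use base "Shape"' would first have tried to require
# Shape.pm and, with "." in @INC, might have loaded ./Shape.pm instead.
use parent -norequire, 'Shape';
use constant PI => 3.14159265358979;
sub area { my $self = shift; return PI * $self->{r} ** 2 }

package main;

my $c = Circle->new(r => 2);
printf "area = %.4f\n", $c->area;          # 12.5664

# Inheritance must have resolved to the inline Shape package...
print "Circle isa Shape: ", (Circle->isa('Shape') ? "yes" : "no"), "\n";

# ...and no Shape.pm file may have been loaded from disk.
if (exists $INC{'Shape.pm'}) {
    die "unexpected: Shape.pm was loaded from $INC{'Shape.pm'}\n";
}
print "no Shape.pm loaded from disk\n";

# Informational: whether this perl still has "." in @INC.
print "'.' in \@INC: ", ((grep { $_ eq '.' } @INC) ? "yes" : "no"), "\n";
```

Dropping the `-norequire` switch and placing the base class in its own Shape.pm restores the normal file-based loading, which then goes through the directories in @INC rather than the working directory.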
