Bug#833030: perl: use base badly/mistakenly broken by CVE-2016-1238 fix

Chris Travers chris at efficito.com
Sun Jul 31 05:09:43 UTC 2016


Package: perl
Version: 5.14.2-21+deb7u4
Severity: grave
Justification: renders package unusable

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?

We updated our systems with the latest security patches (and then spent a day debugging)

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Started up CGI apps

   * What was the outcome of this action?

use base died complaining that the base package was empty

   * What outcome did you expect instead?

Things to work.

Debugging outcome:

The problem was introduced by the fix noted in the title.  The problem is that although
use base has a require in the eval, the failure of that require is always fatal, so this
is not an optional dependency.  Without the security fix everything runs normally.

But with it, strange, order-dependent side-effects occur.

For example, assuming that '.' needs to be in @INC, without the patch the following both work:

use base 'MyBaseClass';

and

use MyBaseClass;
use base 'MyBaseClass';

The difference of course is that the latter runs MyBaseClass->import().

With the security fix, the latter still works but the former dies because MyBaseClass
is empty following the failed effort to require it.

I would be very surprised if this doesn't break a fair number of CGI-based Perl web 
apps bundled with Debian, and it isn't in the scope of the original vulnerability
report.  So the fix should be reversed as applied to this module.

use base is supposed to follow the same rules as use.  This is now badly broken
on Debian and it needs to be fixed.

*** End of the template - remove these lines ***


-- System Information:
Debian Release: 7.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl depends on:
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-38+deb7u11
ii  libdb5.1      5.1.29-5
ii  libgdbm3      1.8.3-11
ii  perl-base     5.14.2-21+deb7u4
ii  perl-modules  5.14.2-21+deb7u4
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages perl recommends:
ii  netbase  5.0

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>
ii  make                                                    3.81-8.2
pn  perl-doc                                                <none>

-- no debconf information
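The failure described in this report, reproduced in a stand-alone script that is not part of the bug report or of Debian's patch: a constructed MyBaseClass.pm is written to a temporary directory that then serves as the script's working directory, the first attempt loads it with '.' stripped from @INC (the post-CVE-2016-1238 environment), and the second adds the directory explicitly with `use lib`, which does not depend on '.' being searched. The package names Child1/Child2 and the hello method are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed stand-in for a CGI app's MyBaseClass.pm that lived next to the
# script and was only ever found because '.' was in @INC.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', File::Spec->catfile($dir, 'MyBaseClass.pm') or die "open: $!";
print $fh "package MyBaseClass;\nsub hello { 'hello from base' }\n1;\n";
close $fh;
chdir $dir or die "chdir: $!";

# 1. The situation from the report: MyBaseClass.pm sits in the current
#    directory, but '.' is no longer searched.  base.pm's internal require
#    fails, so the package stays empty and 'use base' croaks with
#    'Base class package "MyBaseClass" is empty.'
{
    local @INC = grep { $_ ne '.' } @INC;
    my $ok = eval "package Child1; use base 'MyBaseClass'; 1";
    print "without '.' in \@INC: ", ($ok ? "loaded\n" : "failed: $@");
}

# 2. Portable alternative that survives the security fix: name the directory
#    explicitly with 'use lib' instead of relying on the implicit '.' entry.
#    @ISA is set as usual and the inherited method resolves.
{
    my $ok = eval "package Child2; use lib '$dir'; use base 'MyBaseClass'; 1";
    print "with use lib: ", ($ok ? Child2->hello() . "\n" : "failed: $@");
}
```

Running it prints the "empty" croak for the first case and "hello from base" for the second, on both patched and unpatched perls, since the first case removes '.' itself.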
