tech-pkg archive


Re: a few broken Perl packages



On Thu, Aug 17, 2017 at 04:39:17PM +0000, Johnny C. Lam wrote:
> I was looking over the most recent Joyent bulk build results and it
> seems the following Perl packages are broken due to the change in
> Perl that removed "." from @INC.  Can someone who understands Perl
> take a look at the following six packages and fix them before the
> next pkgsrc quarterly branch?
> 
> 	chat/inspircd [1]
> 	chat/inspircd12 [2]
> 	devel/p5-PPI-PowerToys [3]
> 	sysutils/p5-Monitoring-Plugin [4]
> 	textproc/p5-Text-Xslate [5]
> 	www/SpeedyCGI [6]
> 
> [1] https://goo.gl/BeSWwQ
> [2] https://goo.gl/mJdMYk
> [3] https://goo.gl/K7WDEX
> [4] https://goo.gl/aRdYAd
> [5] https://goo.gl/TF6cmj
> [6] https://goo.gl/TqQSyH

I've made a mass commit to about 100 packages to set an environment
MAKE_ENV+=PERL_USE_UNSAFE_INC=1. It's a temporary hack they have.
Looks like I have missed a few.

It's a subtle security issue that INC includes cwd (if it is setuid
root etc.) so they have done it, but there's loooots of perl.

Python still does the unsafe include btw.
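
Added example, not part of the original message or of pkgsrc: a shell audit that lists which packages still carry the temporary PERL_USE_UNSAFE_INC=1 setting, so the workaround can be tracked and removed once each package is fixed. The function names and the category/package/Makefile layout passed as an argument are assumptions.

```shell
#!/bin/sh
# Audit a pkgsrc-style tree for the temporary workaround from the message
# above: Makefiles that pass PERL_USE_UNSAFE_INC=1 into the build environment,
# which puts "." (the current directory) back into Perl's @INC.

# Print "category/package" for every package Makefile with an active setting.
# The layout ROOT/category/package/Makefile is an assumption of this example.
audit_unsafe_inc() {
    root=${1:?usage: audit_unsafe_inc PKGSRC_ROOT}
    for mk in "$root"/*/*/Makefile; do
        [ -f "$mk" ] || continue    # unmatched glob or not a regular file
        # Active assignments to any variable ending in ENV (MAKE_ENV is the
        # one named in the message); lines commented out with '#' do not match.
        if grep -Eq '^[[:space:]]*[A-Z_]*ENV[[:space:]]*\+?=.*PERL_USE_UNSAFE_INC=1' "$mk"; then
            pkgdir=${mk%/Makefile}
            printf '%s\n' "${pkgdir#"$root"/}"
        fi
    done
}

# Return 0 if the local perl currently has "." in @INC, 1 if it does not,
# 2 if no perl is installed. Run it with and without PERL_USE_UNSAFE_INC=1
# in the environment to see what the workaround changes.
perl_inc_has_dot() {
    command -v perl >/dev/null 2>&1 || return 2
    perl -e 'exit((grep { $_ eq "." } @INC) ? 0 : 1)'
}

# When run as a script with a tree root as argument, print the audit result.
if [ "$#" -gt 0 ]; then
    audit_unsafe_inc "$1"
fi
```
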

