tech-pkg archive


Re: a few broken Perl packages



On Fri, Aug 18, 2017 at 11:31:41AM +0000, coypu%sdf.org@localhost wrote:
> On Thu, Aug 17, 2017 at 04:39:17PM +0000, Johnny C. Lam wrote:
> > I was looking over the most recent Joyent bulk build results and it
> > seems the following Perl packages are broken due to the change in
> > Perl that removed "." from @INC.  Can someone who understands Perl
> > take a look at the following six packages and fix them before the
> > next pkgsrc quarterly branch?
> > 
> > 	chat/inspircd [1]
> > 	chat/inspircd12 [2]
> > 	devel/p5-PPI-PowerToys [3]
> > 	sysutils/p5-Monitoring-Plugin [4]
> > 	textproc/p5-Text-Xslate [5]
> > 	www/SpeedyCGI [6]
> > 
> > [1] https://goo.gl/BeSWwQ
> > [2] https://goo.gl/mJdMYk
> > [3] https://goo.gl/K7WDEX
> > [4] https://goo.gl/aRdYAd
> > [5] https://goo.gl/TF6cmj
> > [6] https://goo.gl/TqQSyH
> 
> I've made a mass commit to about 100 packages to set an environment
> MAKE_ENV+=PERL_USE_UNSAFE_INC=1. It's a temporary hack they have.
> Looks like I have missed a few.
> 
> It's a subtle security issue that INC includes cwd (if it is setuid
> root etc.) so they have done it, but there's loooots of perl.

I understand, but I wasn't making a judgment on the security issues
involved with the Perl change.  I was just pointing out those few
packages that seemed to be affected by the change and was hoping
someone could make the correct fix to let them build in the bulk
builds.

I will grep for PERL_USE_UNSAFE_INC in pkgsrc and look for examples.
Thanks for the tip!

Regards,
-- 
Johnny C. Lam
jlam%NetBSD.org@localhost
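
The grep mentioned above, written out as an added example that is not part of the original message or of pkgsrc: it lists the packages that still set PERL_USE_UNSAFE_INC=1 and, for a list of packages failing in a bulk build, reports which ones lack it. The function names, the /usr/pkgsrc default and the sample tree (including the package devel/p5-Foo) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pkgsrc tree for the
# PERL_USE_UNSAFE_INC=1 workaround discussed above.

# list_unsafe_inc_pkgs ROOT
# Print "category/package" for each package whose Makefile or *.mk
# fragment sets PERL_USE_UNSAFE_INC=1 on a line that is not commented out.
list_unsafe_inc_pkgs() {
    root=${1:-/usr/pkgsrc}    # assumption: default checkout location
    for mk in "$root"/*/*/Makefile "$root"/*/*/*.mk; do
        [ -f "$mk" ] || continue
        if grep -Eq '^[^#]*PERL_USE_UNSAFE_INC[[:space:]]*=[[:space:]]*1' "$mk"; then
            pkgdir=${mk%/*}
            echo "${pkgdir#"$root"/}"
        fi
    done | sort -u
}

# report_missing ROOT PKG...
# Of the named packages (e.g. ones failing in a bulk build), print those
# that do not carry the workaround yet.
report_missing() {
    root=$1; shift
    have=$(list_unsafe_inc_pkgs "$root")
    for pkg in "$@"; do
        printf '%s\n' "$have" | grep -Fxq -- "$pkg" || echo "$pkg"
    done
}

# make_sample_tree DIR: constructed sample tree, not real pkgsrc contents.
# devel/p5-Foo is a hypothetical package with the setting commented out.
make_sample_tree() {
    mkdir -p "$1/chat/inspircd" "$1/www/SpeedyCGI" "$1/devel/p5-Foo"
    printf 'DISTNAME=\tinspircd\nMAKE_ENV+=\tPERL_USE_UNSAFE_INC=1\n' \
        > "$1/chat/inspircd/Makefile"
    printf 'DISTNAME=\tCGI-SpeedyCGI\n' > "$1/www/SpeedyCGI/Makefile"
    printf '#MAKE_ENV+=\tPERL_USE_UNSAFE_INC=1\n' > "$1/devel/p5-Foo/Makefile"
}

# Run against a real tree when a path is given, e.g.
#   sh audit.sh /usr/pkgsrc     (audit.sh is a hypothetical file name)
if [ "$#" -gt 0 ]; then
    list_unsafe_inc_pkgs "$1"
fi
```

Because the variable restores the current directory to @INC for the build, the output of `list_unsafe_inc_pkgs` also serves as the list of packages to revisit once a proper per-package fix replaces the temporary setting.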

