
This queue is for tickets about the File-Path CPAN distribution.

Report information
The Basics
Id: 106077
Status: rejected
Priority: 0/
Queue: File-Path

People
Owner: Nobody in particular
Requestors: RICHE [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: RFE: security issue reported from gentoo
From TODO: See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.
On Sat Jul 25 06:37:11 2015, RICHE wrote:
> From TODO:
>
> See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.
Here is the patch that was applied in Gentoo:
https://bugs.gentoo.org/attachment.cgi?id=47116&action=edit

However, the resolution is uncertain. On the one hand, https://bugs.gentoo.org/show_bug.cgi?id=75696 is marked RESOLVED. On the other hand, the final post to the bug ticket -- on Jan 27 2005 -- reads:

#####
We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.
#####

It's not clear whether another bug ticket was ever opened.

Thank you very much.
Jim Keenan
On Wed Jul 29 22:09:59 2015, JKEENAN wrote:
> On Sat Jul 25 06:37:11 2015, RICHE wrote:
> > From TODO:
> >
> > See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.
>
> Here is the patch that was applied in Gentoo:
> https://bugs.gentoo.org/attachment.cgi?id=47116&action=edit
>
> However, the resolution is uncertain. On the one hand, https://bugs.gentoo.org/show_bug.cgi?id=75696 is marked RESOLVED. On the other hand, the final post to the bug ticket -- on Jan 27 2005 -- reads:
>
> #####
> We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.
> #####
>
> It's not clear whether another bug ticket was ever opened.
>
> Thank you very much.
> Jim Keenan
The way I read the ticket is they didn't roll the patch into our distribution, and they're patching through their own release process. How I also read this is the implementation of the fix is incomplete at best. Comparing the patch to the current code base, I see this has been implemented already. If you cross check and agree, I think we can close this RFE as fixed.

I can't find any lines even remotely matching that patch now in the current perl installs.

The current patch series (well, a superset of them) that is currently applied to vanilla sources by the user-side compile and install process is here, and they seem to have no patches for File::Path:

http://dev.gentoo.org/~civil/distfiles/perl-5.22.0-patches-1.tar.xz

If you have any specific queries about Gentoo Perl packaging you can ask informally in #gentoo-perl on irc.freenode.org.




 

Seems no longer an issue.