This queue is for tickets about the File-Path CPAN distribution.

Report information
The Basics
Id: 106077
Status: rejected
Priority: 0/
Queue: File-Path

People
Owner: Nobody in particular
Requestors: RICHE [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: RFE: security issue reported from gentoo
From TODO: See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.
On Sat Jul 25 06:37:11 2015, RICHE wrote:
> From TODO:
>
> See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.

Here is the patch that was applied in Gentoo:

https://bugs.gentoo.org/attachment.cgi?id=47116&action=edit

However, the resolution is uncertain. On the one hand, https://bugs.gentoo.org/show_bug.cgi?id=75696 is marked RESOLVED. On the other hand, the final post to the bug ticket -- on Jan 27 2005 -- reads:

#####
We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.
#####

It's not clear whether another bug ticket was ever opened.

Thank you very much.
Jim Keenan

On Wed Jul 29 22:09:59 2015, JKEENAN wrote:
> On Sat Jul 25 06:37:11 2015, RICHE wrote:
> > From TODO:
> >
> > See if http://bugs.gentoo.org/show_bug.cgi?id=75696 is still relevant.
>
> Here is the patch that was applied in Gentoo:
>
> https://bugs.gentoo.org/attachment.cgi?id=47116&action=edit
>
> However, the resolution is uncertain. On the one hand, https://bugs.gentoo.org/show_bug.cgi?id=75696 is marked RESOLVED. On the other hand, the final post to the bug ticket -- on Jan 27 2005 -- reads:
>
> #####
> We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.
> #####
>
> It's not clear whether another bug ticket was ever opened.
>
> Thank you very much.
> Jim Keenan

The way I read the ticket is they didn't roll the patch into our distribution, and they're patching through their own release process. How I also read this is the implementation of the fix is incomplete at best. Comparing the patch to the current code base, I see this has been implemented already. If you cross check and agree, I think we can close this RFE as fixed.

I can't find any lines even remotely matching that patch now in the current perl installs.

 

The current patch series (well, a superset of them) that is currently applied to vanilla sources by the user-side compile and install process is here, and they seem to have no patches for File::Path:

http://dev.gentoo.org/~civil/distfiles/perl-5.22.0-patches-1.tar.xz

 

If you have any specific queries about Gentoo perl packaging you can ask informally in #gentoo-perl on irc.freenode.org.




 

Seems no longer an issue.

