CVE-2016-1238 fix breaks (at least) pg_rewind tests - Mailing list pgsql-hackers
From | Andres Freund
---|---
Subject | CVE-2016-1238 fix breaks (at least) pg_rewind tests
Date |
Msg-id | 20160908204529.flg6nivjuwp5vaoy@alap3.anarazel.de
Responses | Re: CVE-2016-1238 fix breaks (at least) pg_rewind tests
List | pgsql-hackers
Hi,

On Debian unstable I just got a failure when running the regression tests:

```
andres@alap4:~/build/postgres/dev-assert/vpath/src/bin/pg_rewind$ make check
rm -rf '/home/andres/build/postgres/dev-assert/vpath'/tmp_install
/bin/mkdir -p '/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log
make -C '../../..' DESTDIR='/home/andres/build/postgres/dev-assert/vpath'/tmp_install install >'/home/andres/build/postgres/dev-assert/vpath'/tmp_install/log/install.log 2>&1
rm -rf /home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind/tmp_check/log
cd /home/andres/src/postgresql/src/bin/pg_rewind && TESTDIR='/home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind' PATH="/home/andres/build/postgres/dev-assert/vpath/tmp_install/home/andres/build/postgres/dev-assert//install/bin:$PATH" LD_LIBRARY_PATH="/home/andres/build/postgres/dev-assert/vpath/tmp_install/home/andres/build/postgres/dev-assert//install/lib" PGPORT='65432' PG_REGRESS='/home/andres/build/postgres/dev-assert/vpath/src/bin/pg_rewind/../../../src/test/regress/pg_regress' prove -I/home/andres/src/postgresql/src/test/perl/ --verbose t/*.pl
t/001_basic.pl ............ 1..8
Can't locate RewindTest.pm in @INC (you may need to install the RewindTest module) (@INC contains: /home/andres/src/postgresql/src/test/perl/ /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at t/001_basic.pl line 6.
BEGIN failed--compilation aborted at t/001_basic.pl line 6.
# Looks like your test exited with 2 before it could output anything.
Dubious, test returned 2 (wstat 512, 0x200)
```

Debian's perl changelog says:

```
perl (5.22.2-3) unstable; urgency=high

  * [SECURITY] CVE-2016-1238: opportunistic loading of optional modules
    can make many programs unintentionally load code from the current
    working directory (which might be changed to another directory
    without the user realising).
    + allow user configurable removal of "." from @INC in
      /etc/perl/sitecustomize.pl for a transitional period. (See: #588017)
    + backport patches from [perl #127834] to fix known vulnerabilities
      even if the user does not configure "." to be removed from @INC
    + backport patches from [perl #127810] to fix various classes of
      build failures in perl and CPAN modules if "." is removed from @INC
```

and sitecustomize notes:

```perl
# This script is only provided as a transition mechanism for
# removing the current working directory from the library search path
# while leaving a temporary way to override this locally.
#
# If you really need "." to be on @INC globally, you can comment
# this away for now. However, please note that this facility
# is expected to be removed after the Debian stretch release,
# at which point any code in this file will not have any effect.
#
# Please see CVE-2016-1238 for background information on the risks
# of having "." on @INC.

pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};
```

ISTM that the easiest fix is to just tack -I '$(srcdir)' into the prove flags like:

```make
PROVE = @PROVE@
PG_PROVE_FLAGS = -I $(top_srcdir)/src/test/perl/ -I '$(srcdir)'
PROVE_FLAGS = --verbose
```

I don't think there's any security concerns for us here.

Greetings,

Andres Freund
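An added diagnostic, not from the message above nor from the PostgreSQL tree, that walks @INC in order the way `require` does and reports whether a module such as RewindTest is found at all and, if so, whether only through the working directory; the `resolve_module` and `is_cwd_entry` helpers and the script itself are assumptions for illustration.

```perl
#!/usr/bin/perl
# Hypothetical diagnostic (not part of PostgreSQL's test harness): reports
# whether the current directory is on @INC and, for each module named on the
# command line, which @INC entry `use Module;` would be satisfied from.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;

# Perl turns `use Foo::Bar;` into a search for Foo/Bar.pm in each @INC entry.
sub module_to_relpath {
    my ($module) = @_;
    (my $rel = $module) =~ s{::}{/}g;
    return "$rel.pm";
}

# Walk the given search path in order, as require does, and return the first
# directory holding the module, or undef if no directory does.
sub resolve_module {
    my ($module, @inc) = @_;
    my $rel = module_to_relpath($module);
    for my $dir (@inc) {
        next if ref $dir;    # @INC may hold code refs; skip those
        return $dir if -f File::Spec->catfile($dir, $rel);
    }
    return undef;
}

# True when an entry names the working directory, literally or by path.
sub is_cwd_entry {
    my ($dir, $cwd) = @_;
    return $dir eq '.' || $dir eq $cwd;
}

my $cwd = getcwd();
my $dot_on_inc = grep { is_cwd_entry($_, $cwd) } @INC;
printf "PERL_USE_UNSAFE_INC=%s\n", $ENV{PERL_USE_UNSAFE_INC} // '<unset>';
printf "cwd %s is %son \@INC\n", $cwd, $dot_on_inc ? '' : 'NOT ';

for my $module (@ARGV) {
    my $dir = resolve_module($module, @INC);
    if (!defined $dir) {
        print "$module: not found on \@INC (the failure seen in the pg_rewind test)\n";
    } elsif (is_cwd_entry($dir, $cwd)) {
        print "$module: loaded from the working directory ($dir); result depends on cwd\n";
    } else {
        print "$module: loaded from $dir\n";
    }
}
```

Run from src/bin/pg_rewind as `perl inc_check.pl RewindTest` once without and once with `-I .` to see the difference that the `-I '$(srcdir)'` flag makes explicit instead of leaving it to "." on @INC.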