• Bug#1101887: bookworm-pu: package libsub-handlesvia-perl/0.050000-1+deb

    From Salvatore Bonaccorso@21:1/5 to All on Tue Apr 1 22:00:02 2025
    XPost: linux.debian.bugs.dist, linux.debian.maint.perl

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
    Control: affects -1 + src:libsub-handlesvia-perl
    User: [email protected]
    Usertags: pu

    Hi Stable release managers,

    [ Reason ]
    libsub-handlesvia-perl in buster is also prone to CVE-2025-30673.
    The vulnerability has its origin in Mite (not packaged, but used
    in upstream projects to generate code, as in
    libsub-handlesvia-perl) and has been assigned a dedicated CVE,
    CVE-2025-30672. Mite until the fixed version generated code with
    the current working directory added to the @INC path (which is similar
    to CVE-2016-1238).

    The issue was assessed to not warrant a DSA, so I'm proposing to fix
    the issue via the next point release.

    [ Impact ]
    A local attacker can place malicious code in the current working
    directory when code using Sub::HandlesVia is run, which may result in
    arbitrary code execution.

    [ Tests ]
    Testsuite run in the package (not specific to the CVE) and some
    additional manual testing done with the updated package.

    [ Risks ]
    The fix is taken from upstream and is targeted to avoid adding '.' to
    @INC (from the generated code from Mite). We will have additional CI
    runs when scheduling the update via the point release.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]
    Uses code generated with the fixed version of Mite (to address
    CVE-2025-30672 in Mite).

    Regards,
    Salvatore

    diff -Nru libsub-handlesvia-perl-0.050000/debian/changelog libsub-handlesvia-perl-0.050000/debian/changelog
    --- libsub-handlesvia-perl-0.050000/debian/changelog 2023-04-09 17:56:06.000000000 +0200
    +++ libsub-handlesvia-perl-0.050000/debian/changelog 2025-04-01 21:26:03.000000000 +0200
    @@ -1,3 +1,10 @@
    +libsub-handlesvia-perl (0.050000-1+deb12u1) bookworm; urgency=medium
    +
    + * Team upload.
    + * use newer Mite (CVE-2025-30673)
    +
    + -- Salvatore Bonaccorso <[email protected]> Tue, 01 Apr 2025 21:26:03 +0200 +
    libsub-handlesvia-perl (0.050000-1) unstable; urgency=medium

    * Team upload.
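    Review bot: the changelog entry `+ * use newer Mite (CVE-2025-30673)` names the CVE but not what the change does; someone reading the bookworm changelog should be able to tell that the shipped code was regenerated so that the current working directory is no longer added to @INC, and that the root cause is CVE-2025-30672 in Mite, as the [Reason] section above explains. Suggest something like `* Regenerate code with a fixed Mite so '.' is no longer added to @INC (CVE-2025-30673; CVE-2025-30672 in Mite)`.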
    diff -Nru libsub-handlesvia-perl-0.050000/debian/patches/series libsub-handlesvia-perl-0.050000/debian/patches/series
    --- libsub-handlesvia-perl-0.050000/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
    +++ libsub-handlesvia-perl-0.050000/debian/patches/series 2025-04-01 21:26:03.000000000 +0200
    @@ -0,0 +1 @@
    +use-newer-Mite.patch
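    Review bot: the patch name `use-newer-Mite.patch` carries no hint of the security issue it fixes; naming it after the CVE (for example CVE-2025-30673.patch) or at least making sure its DEP-3 header records CVE-2025-30673, CVE-2025-30672 and the Mite version the code was regenerated with helps the security tracker and anyone rebasing the package later.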
    diff -Nru libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch libsub-handlesvia-perl-0.050000/debian/patches/use-newer-Mite.patch
    --- libsub-handlesvia-perl-0.05
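The @INC behaviour the report describes, as an added Perl example that is not part of the bug report, of the Debian patch, or of Mite's or Sub::HandlesVia's own code: a file planted in the current working directory is picked up by `require` as soon as '.' is in @INC (the CVE-2016-1238 pattern the report compares this to), and is not found once @INC holds only absolute directories. The module name Hypothetical::Plugin::Optional, the planted directory and the helper functions are all assumptions made for the example; `unsafe_inc_entries` is a check a test suite could run against generated code.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report, the Debian patch, Mite or
# Sub::HandlesVia. Demonstrates why a '.' entry in @INC lets a file in the
# current working directory hijack a `require`, and a check that flags it.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Return the @INC entries that are not absolute paths. '.' and '' (an empty
# string also means cwd) are the classic CVE-2016-1238 cases; any relative
# directory resolves against cwd and is just as dangerous. Code refs in
# @INC are loader hooks, not paths, and are skipped.
sub unsafe_inc_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Try to load a module with the given @INC, without leaking the result into
# the caller's @INC or %INC. Returns the path that was loaded, or undef.
sub try_load {
    my ($module, @inc) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    local @INC = @inc;
    local %INC = %INC;    # one run's lookup result must not affect the next
    my $ok = eval { require $file; 1 };
    return $ok ? $INC{$file} : undef;
}

# Constructed scenario (hypothetical names): the "attacker" can only write
# to a directory the victim happens to chdir into, and plants a file named
# like a module the victim's code will later require.
my $planted = tempdir(CLEANUP => 1);
make_path("$planted/Hypothetical/Plugin");
open my $fh, '>', "$planted/Hypothetical/Plugin/Optional.pm" or die $!;
print {$fh} "package Hypothetical::Plugin::Optional; our \$LOADED_FROM = __FILE__; 1;\n";
close $fh;

my $orig_cwd = getcwd();
chdir $planted or die $!;

# 1) @INC with cwd appended, as the report says the generated code did:
#    the planted file wins and would run with the victim's privileges.
my $hit = try_load('Hypothetical::Plugin::Optional', @INC, '.');
print "with '.' in \@INC:    loaded ", ($hit // 'nothing'), "\n";

# 2) Hardened @INC: only absolute directories, nothing relative to cwd.
my @clean = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
my $miss = try_load('Hypothetical::Plugin::Optional', @clean);
print "without '.' in \@INC: loaded ", ($miss // 'nothing'), "\n";

# 3) The check a startup hook or the package's test suite could apply to
#    the @INC that generated code leaves behind.
for my $inc ([@INC, '.'], [@clean]) {
    my @bad = unsafe_inc_entries(@$inc);
    print @bad ? "UNSAFE: relative \@INC entries: @bad\n"
               : "ok: all \@INC entries are absolute\n";
}

chdir $orig_cwd or die $!;
```

Run 1 prints the relative path of the planted file, run 2 prints "nothing" because `require` dies with "Can't locate ...", and the check reports the relative entry only for the first @INC. In the package this corresponds to the regenerated Mite code no longer touching @INC at all; the check is the kind of assertion a test could keep around so a future regeneration cannot reintroduce the entry.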
  • From Debian Bug Tracking System@21:1/5 to All on Sat May 17 11:50:09 2025

    Your message dated Sat, 17 May 2025 09:37:57 +0000
    with message-id <[email protected]>
    and subject line Close 1101887
    has caused the Debian Bug report #1101887,
    regarding bookworm-pu: package libsub-handlesvia-perl/0.050000-1+deb12u1
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1101887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101887
    Debian Bug Tracking System
    Contact [email protected] with problems

    Received: (at submit) by bugs.debian.org; 1 Apr 2025 19:54:44 +0000