[gentoo-dev] Pre-emptive apology for perl snafu this afternoon

[gentoo-dev] Pre-emptive apology for perl snafu this afternoon

[Michael Cummings]

[-- Attachment #1: Type: text/plain, Size: 2362 bytes --]

I posted a tested ebuild for perl this afternoon to address an rmtree
vulnerability in File::Path. This ebuild was tested on 3 arches and 6
boxes total without an issue - the patch was to the .pm file, code that
isn't touched by perl until you invoke it with your own perl code (ie,
not compiled code that might be swayed by arch differences, gcc
differences, what have you).

Turns out, though, there was a flaw in my ordering of the patch. The
patched File::Path invokes Errno.pm, which typically isn't created until
after File::Path is built into your perl during the make phase. Because
Errno.pm didn't exist yet in the chroot, it was pulling it from folks'
installed perl. One of the first things in this particular module is to
check that the kernel and platform hardcoded in it at perl build time
match what was used during the original install of your current perl
according to Config.pm. No problem - unless you've changed kernel
versions. Because during the make process the file is sourced by perl,
and during that sourcing (ok, not the right word, but I'm talking to
you, the masses) it attempted to require, or pull in, the Errno.pm, and
failing to find a new one in the unpacked source, it pulled the one on
the main system. And therein began the mess. Two values that would
normally never appear to perl to be out of sync were suddenly horribly
wrong on any box that had had a kernel upgrade since the last perl
install.

This is now fixed by moving the patch to post install in image, but
prior to the install on your filesystem. I have to give thanks to jat, a
user on irc who talked me down a few times and inadvertently gave me the
inspiration to move the patch (rather than the messy solutions I was
considering), and to seemant, who without question or hesitation offered
me root on a broken box so I could properly work this out so quickly.
Without either of them I wouldn't have gotten it so soon.

So for those of you who sync'd this afternoon, please re-sync. If you
tried to emerge perl and got a weird message about kernel versions
mismatching, and want to add your gripes in bug 84868, that's fine, but
sync again and you will be all set.

I have to say, this is the first time in almost two years that I've
managed to break perl. Gotta count for something that its been so long
:)

-Michael

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Pre-emptive apology for perl snafu this afternoon

[Martin Schlemmer]

[-- Attachment #1: Type: text/plain, Size: 1201 bytes --]

On Fri, 2005-03-11 at 17:44 -0500, Michael Cummings wrote:
>  One of the first things in this particular module is to
> check that the kernel and platform hardcoded in it at perl build time
> match what was used during the original install of your current perl
> according to Config.pm. No problem - unless you've changed kernel
> versions. Because during the make process the file is sourced by perl,
> and during that sourcing (ok, not the right word, but I'm talking to
> you, the masses) it attempted to require, or pull in, the Errno.pm, and
> failing to find a new one in the unpacked source, it pulled the one on
> the main system. And therein began the mess. Two values that would
> normally never appear to perl to be out of sync were suddenly horribly
> wrong on any box that had had a kernel upgrade since the last perl
> install.
> 

Just hax0r the stupid beast not to use the kernel version, but only
<arch>-<os> - cant see what the kernel version has to do with it, except
maybe if it calculate it from /usr/include/linux/*, but running kernel
is just silly.


-- 
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]