On Tue, Oct 17, 2017 at 05:44:26PM +0200, gregor herrmann wrote:
> Package: dh-make-perl
> Version: 0.95
> Severity: serious
> Tags: buster sid
> Justification: fails to build from source

> As first seen on ci.debian.net, dh-make-perl's test suite fails with
> libdpkg-perl 1.19.0 and 1.19.0.1:
>
> Insecure dependency in eval while running with -T switch at
> /usr/share/perl5/Dpkg/Vendor.pm line 164.

> The -T seems to come from t/debian-version.t itself; no idea yet why
> it is a problem now and why it's used here in the first place.

It looks like Dpkg::Vendor::get_vendor_info() contents have become
tainted, probably due to changes in Dpkg::Control::HashCore. It used to
dig the values out with regexp captures but now uses split.

  https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=sid&id=9e5e03e9a6ddf74bb22ffc5ea8794a14a592d6b6

A test case is

  perl -T -MDpkg::Vendor=get_vendor_info -MScalar::Util=tainted -e 'die if tainted get_vendor_info()->{Vendor}'

which dies on libdpkg-perl 1.19.0.1 but not 1.18.24.

I don't know if the earlier untainting was accidental or intended.
Copying the dpkg maintainers.

Hope this helps a bit,
--
Niko
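
Added example, not part of the message above and not dpkg code: a stand-alone Perl script showing why moving a parser from regexp captures to split changes whether a later string eval is allowed under -T. The sample line, the sub names and the vendor-name pattern are assumptions made for the illustration.

```perl
# Run as: perl -T taint-demo.pl   (added illustration, not dpkg code)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with perl -T\n" unless ${^TAINT};

# Constructed sample line. $^X is tainted under -T, so appending a
# zero-length piece of it taints the string the way file input would be.
my $line = "Vendor: Debian" . substr($^X, 0, 0);

# Old style: values dug out with regexp captures. Captures are untainted
# by default (no "use re 'taint'"), so this parser untaints as a side effect.
sub parse_capture {
    my ($text) = @_;
    return $text =~ /^([^:\s]+):\s*(.*)$/ ? ($1, $2) : ();
}

# New style: split() returns pieces that keep the taint of their input.
sub parse_split {
    my ($text) = @_;
    return split /\s*:\s*/, $text, 2;
}

# Explicit untainting: accept the value only if it matches a strict
# pattern (hypothetical pattern for a vendor name, an assumption here).
sub untaint_name {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9][A-Za-z0-9+.-]*)\z/ ? $1 : undef;
}

# String eval of tainted data dies before running; evaluating a comment
# keeps the probe harmless (same trick as is_tainted in perlsec).
sub eval_allowed {
    my ($value) = @_;
    return "ok" if eval { eval("# $value"); 1 };
    chomp(my $err = $@);
    return "dies: $err";
}

my %value = (
    capture       => (parse_capture($line))[1],
    split         => (parse_split($line))[1],
    'split+check' => untaint_name((parse_split($line))[1]),
);
for my $how (sort keys %value) {
    printf "%-12s tainted=%d eval %s\n", $how,
        tainted($value{$how}) ? 1 : 0, eval_allowed($value{$how});
}
```

Only the "split" row should report a tainted value and the "Insecure dependency in eval" failure; the other two pass because a regexp capture, whether incidental or deliberate, untaints.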