Bug 26386 - Template-Toolkit 2.28 doesn't work correctly with perl 5.26 or newer
Summary: Template-Toolkit 2.28 doesn't work correctly with perl 5.26 or newer
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: Mageia 7
Assignee: Shlomi Fish
QA Contact:
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-28 13:20 CET by Frédéric "LpSolit" Buclin
Modified: 2020-03-31 14:39 CEST

See Also:
Source RPM: perl-Template-Toolkit-2.280.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Fix taint issue in Template/Provider.pm (397 bytes, patch)
2020-03-28 13:20 CET, Frédéric "LpSolit" Buclin

Description Frédéric "LpSolit" Buclin 2020-03-28 13:20:02 CET
Created attachment 11566
Fix taint issue in Template/Provider.pm

As reported upstream [1] (and first discovered by the GCC team [2]), Bugzilla doesn't work correctly when used with the 2.x version of Template-Toolkit on newer versions of perl (2.26 and newer). Upgrading to version 3.000 or higher fixes the problem. As reported on GitHub [3], TT 3 has a taint issue, and so a trivial fix is needed to stop filling the web server log. I attached a patch which fixes the problem.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1625554
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94349
[3] https://github.com/abw/Template2/issues/258
David Walser 2020-03-28 16:04:11 CET

CC: (none) => thierry.vignaud
Assignee: bugsquad => shlomif

Comment 1 Frédéric "LpSolit" Buclin 2020-03-31 12:34:50 CEST
I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for that! Meanwhile, 3.008 has been released which fixes this taint issue, and it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so that we don't need our own hack anymore?
Comment 2 Shlomi Fish 2020-03-31 14:39:18 CEST
(In reply to Frédéric "LpSolit" Buclin from comment #1)
> I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for
> that! Meanwhile, 3.008 has been released which fixes this taint issue, and
> it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so
> that we don't need our own hack anymore?

Built 3.008 for 7/updates-testing, thanks! http://pkgsubmit.mageia.org/
