Bug 6024 - perl-Config-IniFiles new security issue CVE-2012-2451
Summary: perl-Config-IniFiles new security issue CVE-2012-2451
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/498230/
Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK, mga1...
Keywords: validated_update
Depends on: 2317
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-22 20:59 CEST by David Walser
Modified: 2012-06-27 14:16 CEST (History)
6 users (show)

See Also:
Source RPM: perl-Config-IniFiles-2.660.0-1.mga1.src.rpm
CVE:
Status comment:


Attachments
simple testcase (586 bytes, application/x-zip-compressed)
2012-06-11 12:47 CEST, claire robinson
Details
testcase folder with all needed files (719 bytes, application/x-gzip)
2012-06-18 13:21 CEST, claire robinson
Details
Current QA depcheck script (9.60 KB, application/octet-stream)
2012-06-27 13:13 CEST, claire robinson
Details

Description David Walser 2012-05-22 20:59:01 CEST
Fedora has issued an advisory on May 13:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html

Cauldron/Mageia 2 are also affected.

Info on how this was fixed upstream is here:
https://bugzilla.redhat.com/show_bug.cgi?id=818386
David Walser 2012-05-22 20:59:22 CEST

CC: (none) => jquelin

Comment 1 Jerome Quelin 2012-05-23 10:36:07 CEST
due to the fact that cauldron was frozen for a very long time, available patch will not apply cleanly.

i propose to update to latest version which fixes the problem.

but i need svn to be branched for that... should happen soon.
Comment 2 Jerome Quelin 2012-05-23 11:05:00 CEST
shlomi, as upstream author of config::inifiles, do you think we should backport the patch, or is an update to 2.73 ok api-wise?

CC: (none) => shlomif

Comment 3 Shlomi Fish 2012-05-23 11:14:29 CEST
Hi Jerome,

(In reply to comment #2)
> shlomi, as upstream author of config::inifiles, do you think we should backport
> the patch, or is an update to 2.73 ok api-wise?

I didn't intentionally break the API, but since I've done a lot of extensive refactoring and cleanup, it is possible that some bugs were introduced, which were not caught by the test suite. I think upgrading to 2.73 should be OK.

Regards,

-- Shlomi Fish
Comment 4 Jerome Quelin 2012-05-28 10:06:41 CEST
updated in cauldron & pushed in mageia 2 core/updates_testing.

please test and push to mageia2 updates

Assignee: bugsquad => qa-bugs

Comment 5 David Walser 2012-05-28 13:12:12 CEST
Jerome, could you please push an update for Mageia 1 as well?
Comment 6 David Walser 2012-05-28 22:33:06 CEST
In the meantime, here's an advisory.

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predicatable temporary file name (${filename}-new) which
makes it prone to a symlink attack.  If a malicious user were to create a symlink
pointing to another file writable by the user running an application that used
perl-Config-IniFiles, they could overwrite the contents of that file (CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
Comment 7 Dave Hodgins 2012-05-29 08:49:50 CEST
For recreating the bug, I've found that genhdlist2 uses this package.

Contrary to the advisory, running it under strace, after adding a
package to the directory, it uses synthesis.hdlist.cz.tmp and
hdlist.cz.tmp, not $file.new.  This is using Magiea 1 i586.

I'll be setting up my minimal Mageia 2 test environment tomorrow.

CC: (none) => davidwhodgins

Comment 8 Jerome Quelin 2012-05-29 12:56:28 CEST
update available in mageia 1 core/updates_testing
Comment 9 David Walser 2012-05-29 13:01:47 CEST
Thanks Jerome.

Dave, the Mageia 1 update wasn't available yet when you tested.

I didn't post the packages to test with the advisory, so here goes.

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predicatable temporary file name
(${filename}-new) which makes it prone to a symlink attack.  If a
malicious user were to create a symlink pointing to another file
writable by the user running an application that used
perl-Config-IniFiles, they could overwrite the contents of that file
(CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
========================

Updated packages in core/updates_testing:
========================
perl-Config-IniFiles-2.750.0-1.mga1
perl-Config-IniFiles-2.750.0-1.mga2

from SRPMS:
perl-Config-IniFiles-2.750.0-1.mga1
perl-Config-IniFiles-2.750.0-1.mga2
Comment 10 Dave Hodgins 2012-05-29 19:19:48 CEST
Using perl-Config-IniFiles-2.750.0-1.mga1.noarch on Mga 1 i586, I'm not
seeing any change.
$ grep rename strace.txt
9639  rename("./media_info/hdlist.cz.tmp", "./media_info/hdlist.cz") = 0
9639  rename("./media_info/synthesis.hdlist.cz.tmp", "./media_info/synthesis.hdlist.cz") = 0
Comment 11 Olivier Delaune 2012-05-31 11:27:20 CEST
Installing perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm on Mageia 2 64-bits and nothing has changed. It seems ok. Is there any particular stuff to check?

CC: (none) => olivier.delaune

Comment 12 claire robinson 2012-06-11 12:47:43 CEST
Created attachment 2449 [details]
simple testcase

This has an ini file and test.pl

'perl test.pl' should find the value of the Tested parameter in section 2, which is 'OK'.

Expected output is 'The test is OK.'
Comment 13 claire robinson 2012-06-11 13:11:21 CEST
Hmm testcase doesn't use any temporary file when viewed under strace so not good for checking that :\
Comment 14 David Walser 2012-06-11 13:23:45 CEST
I just looked at the code.  A testcase would need to call WriteConfig(), as that's the only part of the code that creates a tmp file.
Comment 15 claire robinson 2012-06-11 14:25:51 CEST
So, don't remove it with rpm -e --nodeps as it breaks rpm :\ 

I managed to copy the file from another computer and install it from release again.

One thing David, in doing so I noticed the update installs to a different path. Could you check this is correct please and properly obsoleted if necessary.

# urpmf --media "Core Release" perl-Config-IniFiles                                                             
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.1/Config
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.1/Config/IniFiles.pm
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/Changes
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/README
perl-Config-IniFiles:/usr/share/man/man3/Config::IniFiles.3pm.xz

# urpmf --media "Core Updates Testing" perl-Config-IniFiles
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.2/Config
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.2/Config/IniFiles.pm
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/Changes
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.json
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/MYMETA.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/README
perl-Config-IniFiles:/usr/share/man/man3/Config::IniFiles.3pm.xz

Thanks.
Comment 16 claire robinson 2012-06-11 14:28:05 CEST
This is mga2 btw
Comment 17 claire robinson 2012-06-11 15:09:13 CEST
Testing mga2 x86_64

Using scripts from 

http://search.cpan.org/~shlomif/Config-IniFiles-2.75/lib/Config/IniFiles.pm 

in the IMPORT/DELTA FEATURES section.

It creates a file called -delta.

Before
------
$ grep delta strace.out
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
open("-delta-new", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("-delta-new", "-delta")          = 0
chmod("-delta", 0664)                   = 0


After
-----
$ grep delta strace.out
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
rename("./temp.ini-BeOaCvUL0R", "-delta") = 0
chmod("-delta", 0664)                   

So it is using an unpredictable temporary filename. It does seem to obsolete the previous version in /usr/lib/perl5/vendor_perl/5.14.1 too.

I get an error running the script which I didn't before. It could be a bug in the script as I don't know perl and just copy/pasted, but it is a regression.

Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.14.2/Config/IniFiles.pm line 1756.
Comment 18 claire robinson 2012-06-11 15:43:44 CEST
MGA2

This also appears to be affected by bug 2317

There is a regression to urpmf -m which is affecting the depcheck script, but as far as I can tell..

The following packages will require linking:

perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-List-MoreUtils
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece

Depends on: (none) => 2317

David Walser 2012-06-14 20:56:13 CEST

Version: 1 => 2
Whiteboard: (none) => MGA1TOO

Comment 19 Shlomi Fish 2012-06-15 16:50:49 CEST
Hi,

(In reply to comment #17)
> Testing mga2 x86_64
> 
> Using scripts from 
> 
> http://search.cpan.org/~shlomif/Config-IniFiles-2.75/lib/Config/IniFiles.pm 
> 
> in the IMPORT/DELTA FEATURES section.
> 
> It creates a file called -delta.
> 

This was a bug in the syntax given to the call to ->WriteConfig($filename, -delta => 1) in the documentation, because it requires a valid file name as the first argument. This was fixed in version 2.76, which was just uploaded to CPAN.

Thanks for finding it.

Regards,

-- Shlomi Fish
Comment 20 David Walser 2012-06-17 19:24:45 CEST
Jerome, when you get a chance could you update these to 2.76?  Thanks.
Comment 21 Jerome Quelin 2012-06-18 10:44:17 CEST
updated to 2.76 for mga1 & mga2 in updates_testing.
Comment 22 claire robinson 2012-06-18 13:19:00 CEST
Testing complete x86_64 mga2 for SRPM perl-Config-IniFiles-2.760.0-1.mga2.src.rpm

Before
------
$ grep delta strace.out 
stat("-delta", 0x1857138)               = -1 ENOENT (No such file or directory)
open("-delta-new", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("-delta-new", "-delta")          = 0
chmod("-delta", 0100664)           

Rename line shows a predictable filename being used.


After
-----
Created a new testcase which I'll attach that writes an output.ini file and reads the value of one of the added parameters which should be 'OK'. 

$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("./temp.ini-Xi8nL5VII1", "output.ini") = 0

The rename shows the unpredictable temp filename being used

$ rm output.ini


The following packages will require linking to workaround bug 2317:

perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece

Whiteboard: MGA1TOO => MGA1TOO, mga2-64-OK

Comment 23 claire robinson 2012-06-18 13:21:46 CEST
Created attachment 2470 [details]
testcase folder with all needed files
Comment 24 claire robinson 2012-06-18 13:52:13 CEST
Testing complete x86_64 Mageia 1 for SRPM perl-Config-IniFiles-2.760.0-1.mga1.src.rpm

Before
------
$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("output.ini-new", "output.ini")  = 0

$ rm -f output.ini


After
-----
Backing up the IniFiles.pm in case it needs to be reverted
# cp /usr/lib/perl5/vendor_perl/5.12.3/Config/IniFiles.pm .

$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("./temp.ini-zHTgIZxkd0", "output.ini") = 0

$ rm -f output.ini


A longer list of links required for mga1

The following packages will require linking to work around bug 2317:

perl-Archive-Extract-0.500.0-1.mga1 (Core 32bit Release)
perl-Archive-Extract-0.500.0-1.mga1 (Core Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core 32bit Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core Release)
perl-CGI-3.520.0-1.mga1 (Core 32bit Release)
perl-CGI-3.520.0-1.mga1 (Core Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core 32bit Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core 32bit Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core 32bit Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core 32bit Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core Release)
perl-JSON-PP-2.271.50-1.mga1 (Core 32bit Release)
perl-JSON-PP-2.271.50-1.mga1 (Core Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core 32bit Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core 32bit Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core Release)
perl-Module-Signature-0.680.0-1.mga1 (Core 32bit Release)
perl-Module-Signature-0.680.0-1.mga1 (Core Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core 32bit Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core 32bit Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core Release)
perl-Time-Piece-1.200.0-4.mga1 (Core 32bit Release)
perl-Time-Piece-1.200.0-4.mga1 (Core Release)
perl-version-0.880.0-2.mga1 (Core 32bit Release)
perl-version-0.880.0-2.mga1 (Core Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core 32bit Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core Release)
----------------------------------------
claire robinson 2012-06-18 13:52:31 CEST

Whiteboard: MGA1TOO, mga2-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK

Comment 25 claire robinson 2012-06-18 16:39:53 CEST
This is noarch but it would be useful to check this on both arch's (two sets of eyes) before validating as it is integral to rpm, so quite important :)
Comment 26 Dave Hodgins 2012-06-20 23:12:14 CEST
Testing complete on Mageia 1 i586.  On Mageia 2 i586, I also
noticed installing the update pulled in perl-List-MoreUtils
from Core Release, which is listed in comment 18, but not
in comment 22 or 24.

How did you build the list for linking?

Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK, mga1-32-OK, , mga2-32-OK

Comment 27 claire robinson 2012-06-21 01:36:33 CEST
Just used depcheck Dave. This was updated to 2.76 in comment 19, it could have changed the deps I suppose.
Comment 28 claire robinson 2012-06-23 23:04:03 CEST
Validating

Seeing more inconsistency between 32 and 64 bit with depcheck. Last time this turned out to be real and not a problem with depcheck so we should link it anyway.

Mageia 2 linking required

Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is perl-Config-IniFiles-2.680.0-1.mga2
Latest version found in "Core Updates Testing" is perl-Config-IniFiles-2.760.0-1.mga2
----------------------------------------
The following packages will require linking:

perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-List-MoreUtils
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece
----------------------------------------

Mageia 1 linking required is in comment 24

SRPMs:
perl-Config-IniFiles-2.760.0-1.mga1.src.rpm
perl-Config-IniFiles-2.760.0-1.mga2.src.rpm

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predicatable temporary file name
(${filename}-new) which makes it prone to a symlink attack.  If a
malicious user were to create a symlink pointing to another file
writable by the user running an application that used
perl-Config-IniFiles, they could overwrite the contents of that file
(CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
=======================

Could sysadmin please push from core/updates testing to core/updates for mga1 and mga2 and do the required linking for both. 

Note: The linking required is different for mga1 than it is in mga2.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 29 Manuel Hiebel 2012-06-23 23:09:41 CEST
Hum in mga1 I need perl-List-MoreUtils

found package(s): perl-Config-IniFiles-2.660.0-1.mga1.noarch perl-Config-IniFiles-2.760.0-1.mga1.noarch perl-Config-IniFiles-2.660.0-1.mga1.noarch
opening rpmdb (root=, write=)
chosen perl-Config-IniFiles-2.760.0-1.mga1.noarch for perl-Config-IniFiles|perl-Config-IniFiles|perl-Config-IniFiles
selecting perl-Config-IniFiles-2.760.0-1.mga1.noarch
set_rejected: perl-Config-IniFiles-2.660.0-1.mga1.noarch
requiring perl(List::MoreUtils) for perl-Config-IniFiles-2.760.0-1.mga1.noarch
chosen perl-List-MoreUtils-0.300.0-3.mga1.x86_64 for perl(List::MoreUtils)
selecting perl-List-MoreUtils-0.300.0-3.mga1.x86_64
perl-Config-IniFiles is not in potential orphans
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
   Paquetage                      Version      Révision      Arch   
(média « Core Release »)
  perl-List-MoreUtils            0.300.0      3.mga1        x86_64  
(média « Core Updates Testing »)
  perl-Config-IniFiles           2.760.0      1.mga1        noarch  
un espace additionnel de 157Ko sera utilisé.
97Ko de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n)
Comment 30 claire robinson 2012-06-23 23:30:59 CEST
Depcheck doesn't find it, we must be missing something with the script. The sooner this is fixed, the better!

Sysadmin please also link perl-List-MoreUtils for mga1

# ./depcheck perl-Config-IniFiles "Core Release" "Core Updates Testing"
----------------------------------------
Running checks for "perl-Config-IniFiles" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is perl-Config-IniFiles-2.660.0-1.mga1
Latest version found in "Core Updates Testing" is perl-Config-IniFiles-2.760.0-1.mga1
----------------------------------------
The following packages will require linking:

perl-Archive-Extract-0.500.0-1.mga1 (Core 32bit Release)
perl-Archive-Extract-0.500.0-1.mga1 (Core Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core 32bit Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core Release)
perl-CGI-3.520.0-1.mga1 (Core 32bit Release)
perl-CGI-3.520.0-1.mga1 (Core Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core 32bit Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core 32bit Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core 32bit Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core 32bit Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core Release)
perl-JSON-PP-2.271.50-1.mga1 (Core 32bit Release)
perl-JSON-PP-2.271.50-1.mga1 (Core Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core 32bit Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core 32bit Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core Release)
perl-Module-Signature-0.680.0-1.mga1 (Core 32bit Release)
perl-Module-Signature-0.680.0-1.mga1 (Core Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core 32bit Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core 32bit Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core Release)
perl-Time-Piece-1.200.0-4.mga1 (Core 32bit Release)
perl-Time-Piece-1.200.0-4.mga1 (Core Release)
perl-version-0.880.0-2.mga1 (Core 32bit Release)
perl-version-0.880.0-2.mga1 (Core Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core 32bit Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core Release)
----------------------------------------
Done.
Comment 31 Thomas Backlund 2012-06-27 11:00:24 CEST
(In reply to comment #30)
> 
> # ./depcheck perl-Config-IniFiles "Core Release" "Core Updates Testing"
> ----------------------------------------
> Running checks for "perl-Config-IniFiles" using media
> "Core Release" and "Core Updates Testing".

Hm, 
"Core Updates" should be used in the media check too
(or does depcheck already use that ?)

CC: (none) => tmb

Comment 32 claire robinson 2012-06-27 12:35:52 CEST
It checks Thomas
Comment 33 Thomas Backlund 2012-06-27 13:05:17 CEST
(In reply to comment #32)
> It checks Thomas

Ah, thanks... I got fooled by the:

"Running checks for "perl-Config-IniFiles" using media  "Core Release" and "Core Updates Testing"."

as it does not state it's using "Core Updates" :)
Comment 34 claire robinson 2012-06-27 13:13:12 CEST
Created attachment 2499 [details]
Current QA depcheck script

I think pterjan was going to put it on svn. He looked an instantly had ideas to improve it.

With any luck we can retire it soon! 

( depcheck not pterjan :D )
Comment 35 Thomas Backlund 2012-06-27 14:16:05 CEST
Linking done and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0127

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.