Perl snafu

This message will be sent to gentoo-dev by the time you read it, but just in case you aren’t subscribed:

I posted a tested ebuild for perl this afternoon to address an rmtree vulnerability in File::Path. This ebuild was tested on 3 arches and 6 boxes total without an issue – the patch was to the .pm file, code that isn’t touched by perl until you invoke it with your own perl code (i.e., not compiled code that might be swayed by arch differences, gcc differences, what have you).

Turns out, though, there was a flaw in my ordering of the patch. The patched File::Path invokes Errno.pm, which typically isn’t created until after File::Path is built into your perl during the make phase. Because Errno.pm didn’t exist yet in the chroot, it was pulling it from folks’ installed perl. One of the first things in this particular module is to check that the kernel and platform hardcoded in it at perl build time match what was used during the original install of your current perl according to Config.pm. No problem – unless you’ve changed kernel versions. Because during the make process the file is sourced by perl, and during that sourcing (ok, not the right word, but I’m talking to you, the masses) it attempted to require, or pull in, the Errno.pm, and failing to find a new one in the unpacked source, it pulled the one on the main system. And therein began the mess. Two values that would normally never appear to perl to be out of sync were suddenly horribly wrong on any box that had had a kernel upgrade since the last perl install.

This is now fixed by moving the patch to post install in image, but prior to the install on your filesystem. I have to give thanks to jat, a user on IRC who talked me down a few times and inadvertently gave me the inspiration to move the patch (rather than the messy solutions I was considering), and to seemant, who without question or hesitation offered me root on a broken box so I could properly work this out so quickly. Without either of them I wouldn’t have gotten it so soon.

So for those of you who sync’d this afternoon, please re-sync. If you tried to emerge perl and got a weird message about kernel versions mismatching, and want to add your gripes in bug 84868, that’s fine, but sync again and you will be all set.

I have to say, this is the first time in almost two years that I’ve managed to break perl. Gotta count for something that it’s been so long 🙂

-Michael
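
The failure described above can be reproduced in miniature. This is an added example, not code from the ebuild or from perl itself: `FakeErrno`, `%BuildConfig`, the two temporary directories and the kernel version strings are all constructed stand-ins for Errno.pm, Config.pm, the unpacked source tree and the installed perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed stand-ins: $build is the unpacked source tree, $system is the
# library directory of the perl that is already installed.
my $build  = tempdir(CLEANUP => 1);
my $system = tempdir(CLEANUP => 1);

# What the perl being built believes about its platform (constructed values).
our %BuildConfig = (archname => 'i686-linux', osvers => '2.6.11');

# Write a hypothetical FakeErrno.pm that, like Errno.pm, hardcodes the platform
# it was generated on and refuses to load if the running config disagrees.
sub write_module {
    my ($dir, $osvers) = @_;
    my $path = File::Spec->catfile($dir, 'FakeErrno.pm');
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} <<"EOM";
package FakeErrno;
"\$main::BuildConfig{archname}-\$main::BuildConfig{osvers}" eq "i686-linux-$osvers"
    or die "FakeErrno platform (i686-linux-$osvers) does not match build\\n";
1;
EOM
    close $fh or die "cannot close $path: $!";
}

# Try to load FakeErrno with the given search path and report where it came from.
sub try_load {
    local @INC = @_;
    delete $INC{'FakeErrno.pm'};          # forget any earlier attempt
    my $ok = eval { require FakeErrno; 1 };
    return $ok ? "loaded from $INC{'FakeErrno.pm'}" : "failed: $@";
}

# The installed copy was generated before the kernel upgrade.
write_module($system, '2.6.9');

# Patch applied too early: the build tree has no copy yet, so the lookup
# falls through to the installed one and its platform check fails.
print "before the build generates it: ", try_load($build, $system), "\n";

# Once the make phase has generated a fresh copy, the build tree wins.
write_module($build, '2.6.11');
print "after the build generates it:  ", try_load($build, $system), "\n";
```

The same search path gives two different outcomes depending only on whether the build tree already holds its own copy, which is why the problem showed up only on boxes whose kernel had changed since the last perl install.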