t/message-decode-zipbomb.t fails on Oracle Linux docker images
q84fh opened this issue · comments
Hello,
I've noticed that during installation on Oracle Linux docker image 7.9 and 8 t/message-decode-zipbomb.t test fails with:
# Failed test 'We die when trying to decode something larger than our global limit of 512k'
# at t/message-decode-zipbomb.t line 75.
# got: '1'
# expected: undef
# ... using Compress::Raw::Zlib version 2.061
# Failed test 'We die when trying to decode something larger than our limit of 512k using a parameter'
# at t/message-decode-zipbomb.t line 96.
# got: '1'
# expected: undef
# ... using Compress::Raw::Zlib version 2.061
# Looks like you failed 2 tests of 9.
t/message-decode-zipbomb.t .....
Steps to reproduce:
docker run --rm -it oraclelinux:7.9 bash -c 'yum -y install perl-App-cpanminus && cpanm HTTP::Message'
I've also tested in on latest Debian image and test passes:
docker run --rm -it debian:latest bash -c 'apt update && apt -y install cpanminus && cpanm HTTP::Message'
I've also noticed similar error detected by cpantesters - maybe it is related.
I've tested following distributions:
| image | perl version | result |
|---|---|---|
| oraclelinux:7.9 | 5.16.3 | FAIL |
| oraclelinux:8 | 5.26.3 | FAIL |
| debian:latest | 5.32.1 | OK |
@Corion ^^
It seems that the (ages old) version 2.061 of Compress::Raw::Zlib doesn't support the maximum sizes. Either you make 2.062 a hard prerequisite, or we can skip the tests on the lower versions. That lulls the users in false security though, since the features then simply don't work.
v6.44 is now on its way to CPAN.
Big thanks! Really appreciate fast merge and release!
Thanks for reporting and fixing this, @q84fh! 🚀