Rafael, thanks for the reply.

I did try to do some digging into the two modules, but could not find the cause. I will dig some more, and try to isolate the problem to one of the two modules.

Thanks again,
Dave

bplatz@agere.com
voice: 610.712.5225
pager: 800.749.8888 pin 1205291

-----Original Message-----
From: Rafael Garcia-Suarez via RT [mailto:perlbug-followup@perl.org]
Sent: Friday, April 16, 2004 11:12 AM
To: bplatz@acm.org
Subject: Re: [perl #28500] Perl 5.8.0 PerlIO insecure dependency

David R.Schulte (via RT) wrote:
> Under Perl 5.8.0, we are seeing an insecure dependency generated
> for the PerlIO.pm with the following script when executed with the
> real uid != effected uid:
>
> #!/bin/perl
>
> use XML::SAX::Pipeline;
> use XML::Filter::BufferText;
>
> my $filter = XML::Filter::BufferText->new();
> my $machine = XML::SAX::Pipeline->new($filter);
>
> $machine->parse_file(\*STDIN);
>
> Error Message:
>
> Insecure dependency in eval while running setuid at /opt/perl58/lib/5.8.0/PerlIO.pm line 22.
> BEGIN failed--compilation aborted.
>
> Other than using perl's -U option, I cannot figure out how to get
> around this problem. It appears that the root of the problem is with
> PerlIO.pm's use of a tainted variable inside a "require" statement, at
> line 22.

Indeed, but this variable is a parameter to import(), that is, it's typically given on a "use" line (or, in our case, in a open(FH, "<:module", $file) statement.) That means that the 2nd argument to open() is probably tainted, and thus that the problem is upstream -- in one of the modules you're using.

I've not looked at them to confirm this, but I think you should report the problem to their author.
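
The diagnosis in the thread above is that the mode argument reaching open() carries taint. The following is an added example, not code from the thread or from any of the modules named in it, showing how a layer spec can be checked with Scalar::Util's tainted() and untainted through an allowlist before it is passed to open(). The helper name safe_read_mode and the contents of the allowlist are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Layers this program is willing to load (assumption: adjust as needed).
my %ALLOWED_LAYER = map { $_ => 1 } qw(raw crlf utf8 bytes);

# Hypothetical helper: returns an untainted "<:layer:layer" mode string
# for read-only opens, or dies if the spec is malformed or not allowed.
sub safe_read_mode {
    my ($spec) = @_;
    # A regex capture yields untainted data; the pattern admits only
    # colon-separated word-character names, so no arguments or paths.
    my ($layers) = $spec =~ /\A<((?::\w+)*)\z/
        or die "malformed open mode\n";
    for my $name (grep { length } split /:/, $layers) {
        die "layer '$name' is not on the allowlist\n"
            unless $ALLOWED_LAYER{$name};
    }
    return "<$layers";
}

# Constructed input: a zero-length slice of $^X is tainted under -T, so
# appending it taints the string without changing its value.
my $from_outside = "<:raw" . substr($^X, 0, 0);
printf "incoming mode is %s\n", tainted($from_outside) ? "tainted" : "clean";

my $mode = safe_read_mode($from_outside);
printf "checked mode is %s\n", tainted($mode) ? "tainted" : "clean";

# The layer name now comes from validated, untainted data.
open(my $fh, $mode, __FILE__) or die "open failed: $!\n";
close($fh);

# A layer outside the allowlist is refused before open() ever sees it.
my $refused = eval { safe_read_mode("<:scalar" . substr($^X, 0, 0)); 1 };
print "unlisted layer refused: $@" unless $refused;
```

Calling tainted() on the arguments just before each open() in the suspect modules is also a quick way to find which one passes the tainted value.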