develooper Front page | perl.perl5.porters | Postings from December 2013

[perl #115370] Insecure dependency using IPC::Cmd in Perl 5.16.1

Thread Previous
From:
James E Keenan via RT
Date:
December 14, 2013 15:54
Subject:
[perl #115370] Insecure dependency using IPC::Cmd in Perl 5.16.1
Message ID:
rt-4.0.18-23415-1387036450-1152.115370-15-0@perl.org
On Fri Oct 19 20:17:27 2012, brad wrote:
> On Fri, Oct 19, 2012 at 9:54 PM, James E Keenan via RT
> <perlbug-followup@perl.org> wrote:
> > On Fri Oct 19 19:50:47 2012, jkeenan wrote:
> >> On Fri Oct 19 19:42:48 2012, jkeen@verizon.net wrote:
> >> > On 10/19/12 10:07 PM, George Clark wrote:
> >> > > We've been looking at using IPC::Cmd in the Foswiki project.
> >> > > One
> > issue
> >> > > we've run into is an insecure dependency issue.  It only happens
> >> > > with
> >> > > Perl 5.16.1.  I've confirmed it with perlbrew on linux, and
> >> > > Strawberry
> >> > > Perl on Windows.
> >> >
> >>
> >> I was unable to reproduce this on either Darwin/PPC or Linux/i386:
> >>
> >> #####
> >> $ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp::confess( @_ )
> >> };use
> >> IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
> >> $
> >> #####
> >
> > I should have added that I'm running Perl 5.16.0 on both of those
> > machines.  So that admits the possibility of a problem creeping in
> > between 5.16.0 and 5.16.1.
> >
> 
> I have been able to reproduce this with 5.14.1  5.16.0 and 5.16.1
> (64bit Ubuntu linux)
> 
> None of the tests pass with taint mode enabled for these modules:
> 
> IPC::Cmd
> Module::Metadata
> Module::Load
> Module::Load::Conditional
> 
> ( The last one reports the failure as coming from Test::Builder )
> 
> I keep them up-to-date with CPAN, so that may be where the discrepancy
> comes from.
> 
> >
> >
> > ---
> > via perlbug:  queue: perl5 status: open
> > https://rt.perl.org:443/rt3/Ticket/Display.html?id=115370

I looked at this ticket again this morning.  To recap:

#####
$ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line 14.
#####

Still present in blead.

IPC::Cmd->can_use_ipc_open3() relies on this chain of functions:

Module::Load::Conditional::can_load
Module::Load::Conditional::check_install
Module::Metadata::new_from_handle
Module::Metadata::_init
Module::Metadata::_parse_fh
Module::Metadata::_evaluate_version_line

And _evaluate_version_line contains a string 'eval' at what is now line 671 of lib/Module/Metadata.pm (v1.000019).  Something tainted is causing that 'eval' to blow up.  My hunch is that the insecure dependency is being introduced *above* the call to Module::Metadata::new_from_handle, but I haven't figured out how to write a test case for that.

Ideas?

Thank you very much.
Jim Keenan

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=115370

Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About