On Fri Oct 19 20:17:27 2012, brad wrote:
> On Fri, Oct 19, 2012 at 9:54 PM, James E Keenan via RT
> <perlbug-followup@perl.org> wrote:
> > On Fri Oct 19 19:50:47 2012, jkeenan wrote:
> >> On Fri Oct 19 19:42:48 2012, jkeen@verizon.net wrote:
> >> > On 10/19/12 10:07 PM, George Clark wrote:
> >> > > We've been looking at using IPC::Cmd in the Foswiki project. One
> >> > > issue we've run into is an insecure dependency issue. It only happens
> >> > > with Perl 5.16.1. I've confirmed it with perlbrew on linux, and
> >> > > Strawberry Perl on Windows.
> >> >
> >>
> >> I was unable to reproduce this on either Darwin/PPC or Linux/i386:
> >>
> >> #####
> >> $ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp::confess( @_ ) };use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
> >> $
> >> #####
> >
> > I should have added that I'm running Perl 5.16.0 on both of those
> > machines. So that admits the possibility of a problem creeping in
> > between 5.16.0 and 5.16.1.
> >
>
> I have been able to reproduce this with 5.14.1, 5.16.0 and 5.16.1
> (64bit Ubuntu linux).
>
> None of the tests pass with taint mode enabled for these modules:
>
> IPC::Cmd
> Module::Metadata
> Module::Load
> Module::Load::Conditional
>
> ( The last one reports the failure as coming from Test::Builder )
>
> I keep them up-to-date with CPAN, so that may be where the discrepancy
> comes from.
>
> ---
> via perlbug: queue: perl5 status: open
> https://rt.perl.org:443/rt3/Ticket/Display.html?id=115370

I looked at this ticket again this morning. To recap:

#####
$ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line 14.
#####

Still present in blead.
IPC::Cmd->can_use_ipc_open3() relies on this chain of functions:

Module::Load::Conditional::can_load
Module::Load::Conditional::check_install
Module::Metadata::new_from_handle
Module::Metadata::_init
Module::Metadata::_parse_fh
Module::Metadata::_evaluate_version_line

And _evaluate_version_line contains a string 'eval' at what is now line 671 of lib/Module/Metadata.pm (v1.000019). Something tainted is causing that 'eval' to blow up.

My hunch is that the insecure dependency is being introduced *above* the call to Module::Metadata::new_from_handle, but I haven't figured out how to write a test case for that. Ideas?

Thank you very much.
Jim Keenan

---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=115370
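The chain above ends in a string eval of a version line that was read from a filehandle, which is exactly what -T refuses. The script below is an added example (not from this ticket, not Module::Metadata's code): it reads a constructed version line through a filehandle, reports the taint flag at each step with Scalar::Util::tainted (the kind of per-step check a test case for this chain could use), shows the refused eval being trapped, and shows the same line passing once a regex capture has untainted it. The filehandle, version line and function names are all constructed for the demo.

```perl
#!/usr/bin/perl -T
# Added example: trace where taint enters a call chain and how a tainted
# string eval fails under -T. Run as: perl -T taint_eval_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input. Under -T, anything read through a filehandle is
# tainted, including this in-memory one (mirrors new_from_handle).
my $source = "our \$VERSION = '1.23';\n";
open my $fh, '<', \$source or die "open: $!";
my $raw = <$fh>;
close $fh;

# Print the taint flag of each (name => value) pair in the chain so the
# step that introduces taint is visible directly.
sub report_chain {
    my @chain = @_;
    while (my ($name, $val) = splice @chain, 0, 2) {
        printf "%-16s tainted=%d\n", $name, tainted($val) ? 1 : 0;
    }
}

# Evaluate a version-assignment line via string eval, as a version
# parser would. The taint croak escapes the string eval itself, so an
# enclosing block eval is needed to trap it.
sub eval_version_line {
    my ($line) = @_;
    my $version;
    my $ok = eval { $version = eval "$line; \$VERSION"; die $@ if $@; 1 };
    return $version if $ok;
    chomp(my $err = $@);
    return "ERROR: $err";
}

# Untaint by capturing only the characters a version assignment may
# contain; anything else is rejected rather than evaluated.
sub untaint_version_line {
    my ($line) = @_;
    my ($clean) = $line =~ /^(our \$VERSION = '[\d._]+';)\s*$/
        or die "line does not look like a version assignment";
    return $clean;
}

my $clean = untaint_version_line($raw);
report_chain(source_literal => $source, line_from_fh => $raw,
             after_regex    => $clean);
print eval_version_line($raw),   "\n";   # refused: Insecure dependency in eval
print eval_version_line($clean), "\n";   # 1.23
```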