
Blead Breaks CPAN: TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz #16523

Closed
p5pRT opened this issue Apr 21, 2018 · 7 comments
Labels
BBC

Comments

@p5pRT p5pRT commented Apr 21, 2018

Migrated from rt.perl.org#133138 (status was 'open')

Searchable as RT133138$

@p5pRT p5pRT commented Apr 21, 2018

From @eserte

This is a bug report for perl from slaven@rezic.de,
generated with the help of perlbug 1.41 running under perl 5.27.11.


t/taint.t fails since perl 5.27.5 (I did not notice earlier
because I usually don't test Alt::* modules):

...
# Failed test at t/taint.t line 16.
# ''
# doesn't match '(?^:\AInsecure dependency )'

# Failed test at t/taint.t line 18.
# ''
# doesn't match '(?^:\AInsecure dependency )'

# Failed test at t/taint.t line 20.
# ''
# doesn't match '(?^:\AInsecure dependency )'
# Looks like you failed 3 tests of 5.
t/taint.t ...........
Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/5 subtests
...



Flags:
  category=core
  severity=low


Site configuration information for perl 5.27.11:

Configured by eserte at Fri Apr 20 21:45:30 CEST 2018.

Summary of my perl5 (revision 5 version 27 subversion 11) configuration:
 
  Platform:
  osname=linux
  osvers=3.16.0-4-amd64
  archname=x86_64-linux
  uname='linux cabulja 3.16.0-4-amd64 #1 smp debian 3.16.51-3 (2017-12-13) x86_64 gnulinux '
  config_args='-ds -e -Dprefix=/opt/perl-5.27.11 -Dusedevel -Dusemallocwrap=no -Dcf_email=srezic@cpan.org'
  hint=recommended
  useposix=true
  d_sigaction=define
  useithreads=undef
  usemultiplicity=undef
  use64bitint=define
  use64bitall=define
  uselongdouble=undef
  usemymalloc=n
  default_inc_excludes_dot=define
  bincompat5005=undef
  Compiler:
  cc='cc'
  ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
  optimize='-O2'
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion=''
  gccversion='4.9.2'
  gccosandvers=''
  intsize=4
  longsize=8
  ptrsize=8
  doublesize=8
  byteorder=12345678
  doublekind=3
  d_longlong=define
  longlongsize=8
  d_longdbl=define
  longdblsize=16
  longdblkind=3
  ivtype='long'
  ivsize=8
  nvtype='double'
  nvsize=8
  Off_t='off_t'
  lseeksize=8
  alignbytes=8
  prototype=define
  Linker and Libraries:
  ld='cc'
  ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so
  so=so
  useshrplib=false
  libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs
  dlext=so
  d_dlsymun=undef
  ccdlflags='-Wl,-E'
  cccdlflags='-fPIC'
  lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'


@INC for perl 5.27.11:
  /opt/perl-5.27.11/lib/site_perl/5.27.11/x86_64-linux
  /opt/perl-5.27.11/lib/site_perl/5.27.11
  /opt/perl-5.27.11/lib/5.27.11/x86_64-linux
  /opt/perl-5.27.11/lib/5.27.11


Environment for perl 5.27.11:
  HOME=/home/eserte
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/eserte/bin/linux-gnu:/home/eserte/bin/sh:/home/eserte/bin:/home/eserte/bin/pistachio-perl/bin:/usr/games:/home/eserte/devel
  PERLDOC=-MPod::Perldoc::ToTextOverstrike
  PERL_BADLANG (unset)
  SHELL=/bin/zsh

@p5pRT p5pRT commented Apr 21, 2018

From @dur-randir

On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:

t/taint.t fails since perl 5.27.5 (I did not notice earlier
because I usually don't test Alt::* modules):

0cbfaef is the first bad commit
commit 0cbfaef
Author: Nicolas R <atoomic@cpan.org>
Date: Tue Sep 26 18:07:47 2017 -0500

  pp_require: return earlier when module is already loaded

@p5pRT p5pRT commented Apr 21, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT commented Apr 21, 2018

From @iabyn

On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:

On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:

t/taint.t fails since perl 5.27.5 (I did not notice earlier
because I usually don't test Alt::* modules):

0cbfaef is the first bad commit
commit 0cbfaef
Author: Nicolas R <atoomic@cpan.org>
Date: Tue Sep 26 18:07:47 2017 -0500

pp_require: return earlier when module is already loaded

(That commit for ticket RT #132171.)

The difference that commit makes can be seen in the following:

  my $modname = "strict.pm";
  # the empty substring of a tainted value (%ENV under -T) is still tainted,
  # so this is the same file name with the taint flag set
  my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
  eval {require($modname)};         print "err=[$@]\n";
  eval {require($tainted_modname)}; print "err=[$@]\n";

  $ perl5274 -T ~/tmp/p
  err=[]
  err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
  ]

  $ perl5275 -T ~/tmp/p
  err=[]
  err=[]

The attempt to require the same module again is now detected earlier,
before the safe path and taint checks. It was intended as a performance
enhancement (skip more quickly second time round).

My feeling is that perl is ok and the distribution's t/taint.t needs
updating to reflect the new reality.

Unless anyone can think of a valid security reason why perl should
croak on requiring an already-loaded module via a tainted name, rather
than just quietly skipping?

--
"You may not work around any technical limitations in the software"
  -- Windows Vista license

@p5pRT p5pRT commented Apr 22, 2018

From @xsawyerx

On 04/21/2018 03:59 PM, Dave Mitchell wrote:

On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:

On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:

t/taint.t fails since perl 5.27.5 (I did not notice earlier
because I usually don't test Alt::* modules):
0cbfaef is the first bad commit
commit 0cbfaef
Author: Nicolas R <atoomic@cpan.org>
Date: Tue Sep 26 18:07:47 2017 -0500

pp_require: return earlier when module is already loaded

(That commit for ticket RT #132171.)

The difference that commit makes can be seen in the following:

my $modname = "strict.pm";
my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
eval {require($modname)};         print "err=[$@]\n";
eval {require($tainted_modname)}; print "err=[$@]\n";

$ perl5274 -T ~/tmp/p
err=[]
err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
]

$ perl5275 -T ~/tmp/p
err=[]
err=[]

The attempt to require the same module again is now detected earlier,
before the safe path and taint checks. It was intended as a performance
enhancement (skip more quickly second time round).

My feeling is that perl is ok and the distribution's t/taint.t needs
updating to reflect the new reality.

Unless anyone can think of a valid security reason why perl should
croak on requiring an already-loaded module via a tainted name, rather
than just quietly skipping?

The old behavior seems to only be a red herring to developers. You would
go down the "this is a taint problem" when in fact you have already
loaded that module and the load attempt can be ignored.
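The behaviour Dave Mitchell describes above (and that Sawyer's reply calls a red herring) can be reproduced, and the resulting fix for a distribution's t/taint.t illustrated, with the following script. It is an added example, not code from this ticket, from perl's own test suite, or from the Alt::Module::Runtime::ButEUMM distribution. The script name taint_require.pl and the list of candidate pragmas (integer, less, bytes) are assumptions; the only requirement is that the chosen module is not yet in %INC when the script starts.

```perl
#!/usr/bin/perl -T
# Added example; not code from this ticket, perl's test suite, or the
# Alt::Module::Runtime::ButEUMM distribution. Shows why a taint test that
# re-requires an already-loaded module stops failing on perl >= 5.27.5, and
# how to write one that still exercises the taint check on both sides.
# Run with:  perl -T taint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint a string without changing its value: the empty substring of a
# tainted value (%ENV is tainted under -T) carries the flag, and string
# concatenation propagates it.
sub taint_copy {
    my ($s) = @_;
    die "run this under -T: \$ENV{PATH} is not tainted\n"
        unless tainted($ENV{PATH});
    return substr($ENV{PATH}, 0, 0) . $s;
}

# Before 5.27.5 pp_require reached the taint check before looking at %INC,
# so even a re-require of a loaded module croaked; from 5.27.5 on it
# returns as soon as the name is found in %INC and never sees the flag.
sub reload_croaks_on_this_perl { return $] < 5.027005 }

# require $file inside eval and classify the outcome.
sub try_require {
    my ($file) = @_;
    my $ok = eval { require $file; 1 };
    return 'ok'       if $ok;
    return 'insecure' if $@ =~ /^Insecure dependency in require/;
    return "other: $@";
}

# Pick a core pragma that is not yet in %INC so that the first require below
# is a real load. Assumption: none of these is pulled in by the modules above.
my ($fresh) = grep { !exists $INC{$_} } qw(integer.pm less.pm bytes.pm);
die "all candidate modules are already loaded\n" unless defined $fresh;

printf "perl %vd, using %s\n", $^V, $fresh;

# 1. Not yet loaded, tainted name: croaks on every perl, because the early
#    return only applies to names already present in %INC.
printf "fresh module, tainted name:   %s\n", try_require(taint_copy($fresh));

# 2. Load it with a clean name.
printf "fresh module, clean name:     %s\n", try_require($fresh);

# 3. Already loaded, tainted name: the case this ticket is about.
my $got = try_require(taint_copy($fresh));
printf "loaded module, tainted name:  %s (expected on this perl: %s)\n",
    $got, reload_croaks_on_this_perl() ? 'insecure' : 'ok';

# A t/taint.t that must pass on both sides of 5.27.5 therefore either
# requires a module that is not yet loaded (case 1), or conditions its
# expectation for a re-require on reload_croaks_on_this_perl() (case 3).
```

The first require is the one a taint test should rely on: it fails identically on every perl because the tainted name is rejected before the file is searched for. Only the third step changes across the bisected commit, so a test that asserts "Insecure dependency" for a module the test file itself (or Test::More) has already loaded is testing the order of two internal checks rather than the taint guarantee.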

@xenu xenu removed the Severity Low label Dec 29, 2021
@jkeenan jkeenan added BBC non-5.36-blocker labels Mar 15, 2022
@hvds hvds commented Mar 17, 2022

v0.002 of this module was released 2018-06-19, and no longer fails. Closing ticket.

@hvds hvds closed this as completed Mar 17, 2022
@jkeenan jkeenan commented Mar 17, 2022

v0.002 of this module was released 2018-06-19, and no longer fails. Closing ticket.

Confirmed. Thanks.
