[Bug 1774041] [NEW] Perl library Dpkg::Index no longer usable with Perl taint-mode enabled
David McBride
dwm37 at cam.ac.uk
Tue May 29 18:17:39 UTC 2018
Public bug reported:
The Perl library Dpkg::Index used to be usable with taint mode (-T)
enabled.
Specifically, it worked when using package 1.18.4ubuntu1 of libdpkg-perl
in Ubuntu 16.04. This has since regressed in Ubuntu 18.04, which uses
version 1.19.0.5ubuntu2.
The following perl script demonstrates the issue:
#!/usr/bin/perl -wT
use strict;
use warnings;
use Dpkg::Index;
1;
This script completes without error when run against 1.18. Running it
against 1.19 results in the following taint error in the Dpkg::Vendor
component, one of Dpkg::Index's dependencies:
% perl -wT poc.pl
Insecure dependency in eval while running with -T switch at /usr/share/perl5/Dpkg/Vendor.pm line 164.
Compilation failed in require at /usr/share/perl5/Dpkg/Control/Hash.pm line 25.
BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Control/Hash.pm line 25.
Compilation failed in require at /usr/share/perl5/Dpkg/Control.pm line 47.
BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Control.pm line 47.
Compilation failed in require at /usr/share/perl5/Dpkg/Index.pm line 26.
BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Index.pm line 26.
Compilation failed in require at poc.pl line 6.
BEGIN failed--compilation aborted at poc.pl line 6.
This corresponds to the following code in get_vendor_object():
eval qq{
pop \@INC if \$INC[-1] eq '.';
require Dpkg::Vendor::$name;
\$obj = Dpkg::Vendor::$name->new();
};
Commenting out the 'pop' line does not prevent the "Insecure dependency"
error.
** Affects: dpkg (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1774041
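As an added illustration, not the reporter's script and not dpkg's own code, the following Perl program reproduces the mechanism behind the reported error with a constructed in-script plugin package standing in for Dpkg::Vendor::*: a string eval that interpolates a tainted name is refused under -T, while the same eval succeeds once the name has been untainted through a strict allow-list regex capture. The package name My::Plugin::Demo, the function names, and the PATH-based tainting trick are assumptions for the demo.

```perl
#!/usr/bin/perl -wT
# Added example, not dpkg's code: why a string eval with a tainted name
# fails under -T, and how untainting the name first makes it acceptable.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for a Dpkg::Vendor::* plugin, registered in %INC so
# that "require My::Plugin::Demo" succeeds without a file on disk.
{
    package My::Plugin::Demo;
    sub new { return bless {}, shift }
}
BEGIN { $INC{'My/Plugin/Demo.pm'} = __FILE__ }

# Mirrors the get_vendor_object() pattern: interpolate $name into eval'd
# source. Returns the object on success, the error message on failure.
sub try_string_eval {
    my ($name) = @_;
    my $obj;
    my $ok = eval {
        # With a tainted $name Perl refuses the eval operation itself:
        # "Insecure dependency in eval while running with -T switch".
        eval qq{ require My::Plugin::$name; \$obj = My::Plugin::$name->new(); };
        die $@ if $@;
        1;
    };
    return $ok ? $obj : $@;
}

# The only sanctioned way to untaint: pass the value through a regex
# capture against a strict allow-list (identifier characters only).
sub untaint_name {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/ ? $1 : undef;
}

# Constructed tainted input: concatenating a zero-length slice of a tainted
# %ENV value taints the literal without changing its contents.
my $tainted = 'Demo' . substr($ENV{PATH} // '', 0, 0);
printf "input tainted: %s\n", tainted($tainted) ? 'yes' : 'no';

my $r = try_string_eval($tainted);
print ref($r) ? "loaded\n" : "refused: $r";

my $clean = untaint_name($tainted) // die "plugin name rejected\n";
$r = try_string_eval($clean);
print ref($r) ? 'loaded ' . ref($r) . "\n" : "refused: $r";
```

Run it as `perl -T taint_demo.pl`; because -T is in the shebang, Perl refuses to start if the switch is missing from the command line.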