Bug#722210: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 9 05:37:34 UTC 2013 

Package: perl-modules
Version: 5.18.1-3
Severity: important
Control: affects -1 msva-perl

in perl 5.14.2-21, the following command returns cleanly:

perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'

0 dkg at wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
0 dkg at wheezy:~$ 


but in perl 5.18.1-3, it fails harshly:

0 dkg at alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
25 dkg at alice:~$ 

This appears to mean that any code running in taint mode that uses
Module::Load::Conditional::can_load will fail hard.  This is causing a
crash in msva-perl, which deliberately runs in taint mode and also may
conditionally load a handful of pre-known modules if they are present
on the system.

Marking this as important since it breaks msva-perl and probably other
code.

   --dkg


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl-modules depends on:
ii  perl  5.18.1-3

Versions of packages perl-modules recommends:
pn  libarchive-extract-perl   <none>
pn  libmodule-pluggable-perl  <none>
pn  libpod-latex-perl         <none>
pn  libterm-ui-perl           <none>
pn  libtext-soundex-perl      <none>

Versions of packages perl-modules suggests:
pn  libb-lint-perl               <none>
pn  libcpanplus-dist-build-perl  <none>
pn  libcpanplus-perl             <none>
pn  libfile-checktree-perl       <none>
pn  liblog-message-perl          <none>
pn  liblog-message-simple-perl   <none>
pn  libobject-accessor-perl      <none>

-- debconf-show failed

More information about the Perl-maintainers mailing list