Bug#722210: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Sep 9 05:37:34 UTC 2013
Package: perl-modules
Version: 5.18.1-3
Severity: important
Control: affects -1 msva-perl
in perl 5.14.2-21, the following command returns cleanly:
perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
0 dkg at wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
0 dkg at wheezy:~$
but in perl 5.18.1-3, it fails harshly:
0 dkg at alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
25 dkg at alice:~$
This appears to mean that any code running in taint mode that uses
Module::Load::Conditional::can_load will fail hard. This is causing a
crash in msva-perl, which deliberately runs in taint mode and also may
conditionally load a handful of pre-known modules if they are present
on the system.
Marking this as important since it breaks msva-perl and probably other
code.
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages perl-modules depends on:
ii perl 5.18.1-3
Versions of packages perl-modules recommends:
pn libarchive-extract-perl <none>
pn libmodule-pluggable-perl <none>
pn libpod-latex-perl <none>
pn libterm-ui-perl <none>
pn libtext-soundex-perl <none>
Versions of packages perl-modules suggests:
pn libb-lint-perl <none>
pn libcpanplus-dist-build-perl <none>
pn libcpanplus-perl <none>
pn libfile-checktree-perl <none>
pn liblog-message-perl <none>
pn liblog-message-simple-perl <none>
pn libobject-accessor-perl <none>
-- debconf-show failed
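
An added illustration, not part of the original report and not code from Module::Metadata or msva-perl: the Perl script below reproduces the same class of error ("Insecure dependency in eval") from a constructed sample module in its __DATA__ section, then shows two taint-safe alternatives. The sample data, the module names and the workaround itself are assumptions of this example; the require-based loading does no version checking.

```perl
#!/usr/bin/perl -T
# Added example (not from the report). Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything read from a filehandle is tainted, DATA included.
# The text after __DATA__ is a constructed sample module.
my ($line) = grep { /\$VERSION/ } <DATA>;
chomp $line;
print "file line tainted: ", (tainted($line) ? "yes" : "no"), "\n";

# A string eval refuses tainted input with the fatal error quoted in the
# report. The outer block eval traps it so this script can continue.
my $ok = eval { eval "no strict; $line; 1" };
print "string eval of file line: ", ($ok ? "ran\n" : "died: $@");

# Taint-safe alternative 1: extract the value with a strict pattern instead
# of evaluating the line. A successful capture is untainted as long as
# "use re 'taint'" and "use locale" are not in effect.
my ($version) = $line =~ /\$VERSION\s*=\s*'(\d+(?:\.\d+)*)'/;
die "no version found in sample data\n" unless defined $version;
print "parsed version: $version, tainted: ",
    (tainted($version) ? "yes" : "no"), "\n";

# Taint-safe alternative 2: optional loading of a fixed, hard-coded set of
# modules. Bareword require inside a block eval involves no string eval
# and no external input. Hypothetical::Addon is a made-up name standing in
# for a module that is not installed.
my %loaded = (
    'Test'                => (eval { require Test; 1 } ? 1 : 0),
    'Hypothetical::Addon' => (eval { require Hypothetical::Addon; 1 } ? 1 : 0),
);
print "$_: ", ($loaded{$_} ? "loaded" : "not installed"), "\n"
    for sort keys %loaded;

__DATA__
package Sample::Constructed;
our $VERSION = '1.23';
1;
```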