Bug#722210: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Sep 9 06:02:16 UTC 2013
On 09/09/2013 01:37 AM, Daniel Kahn Gillmor wrote:
> Package: perl-modules
> Version: 5.18.1-3
> Severity: important
> Control: affects -1 msva-perl
>
> in perl 5.14.2-21, the following command returns cleanly:
>
> perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
>
> 0 dkg at wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 0 dkg at wheezy:~$
>
>
> but in perl 5.18.1-3, it fails harshly:
>
> 0 dkg at alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
> 25 dkg at alice:~$
>
> This appears to mean that any code running in taint mode that uses
> Module::Load::Conditional::can_load will fail hard. This is causing a
> crash in msva-perl, which deliberately runs in taint mode and also may
> conditionally load a handful of pre-known modules if they are present
> on the system.
>
> Marking this as important since it breaks msva-perl and probably other
> code.

Interestingly, if none of the modules that are trying to be loaded are
installed, this taint error does not show up, so the failures are
contingent on one of the conditionally-loaded modules actually being
present.

--dkg
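
The "Insecure dependency in eval" text is Perl's taint check refusing a string eval whose text derives from outside the program, and the `<GEN0> line 23` suffix names the filehandle last read from. The following is an added example, not part of the original message and not code from Module::Metadata or Module::Load::Conditional: it reproduces that class of failure in isolation and shows extracting the value with an anchored pattern instead of evaluating it. The version line, the helper names `eval_version` and `parse_version`, and the `Sandbox` package are constructed for illustration.

```perl
# Added illustration; run as: perl -T taint_eval_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run under taint mode: perl -T $0\n" unless ${^TAINT};

# Constructed sample of a version line. Appending a zero-length slice of $^X
# (tainted under -T) taints the whole string, standing in for file input.
my $line = q{our $VERSION = '1.23';} . substr($^X, 0, 0);

# Hypothetical helper: string-eval the line in a scratch package. A block
# eval wraps the string eval so the taint error is trapped wherever it is
# raised, instead of killing the program.
sub eval_version {
    my ($code) = @_;
    my $v = eval {
        my $r = eval "package Sandbox; $code; \$Sandbox::VERSION";
        die $@ if $@;
        $r;
    };
    return "ok: $v" if defined $v;
    chomp(my $err = $@);
    return "died: $err";
}

# Hypothetical helper: accept only a quoted dotted-decimal assignment and
# return the captured number. A capture from a successful match is untainted
# (unless "use re 'taint'" is in effect), and nothing is executed.
sub parse_version {
    my ($code) = @_;
    return unless $code =~ /\A\s*(?:our\s+)?\$VERSION\s*=\s*'(v?\d+(?:\.\d+)*)'\s*;\s*\z/;
    return $1;
}

printf "input tainted:  %s\n", tainted($line) ? 'yes' : 'no';
printf "eval of input:  %s\n", eval_version($line);

my $v = parse_version($line) // die "unexpected version line\n";
printf "parsed value:   %s (tainted: %s)\n", $v, tainted($v) ? 'yes' : 'no';
printf "eval of parsed: %s\n", eval_version("our \$VERSION = '$v';");
```

The second line of output carries the same "Insecure dependency in eval" message as the report; the last two lines show that the value taken through the anchored pattern is no longer tainted and can be evaluated.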