Bug#722210: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 9 06:02:16 UTC 2013


On 09/09/2013 01:37 AM, Daniel Kahn Gillmor wrote:
> Package: perl-modules
> Version: 5.18.1-3
> Severity: important
> Control: affects -1 msva-perl
> 
> in perl 5.14.2-21, the following command returns cleanly:
> 
> perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 
> 0 dkg at wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 0 dkg at wheezy:~$ 
> 
> 
> but in perl 5.18.1-3, it fails harshly:
> 
> 0 dkg at alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
> 25 dkg at alice:~$ 
> 
> This appears to mean that any code running in taint mode that uses
> Module::Load::Conditional::can_load will fail hard.  This is causing a
> crash in msva-perl, which deliberately runs in taint mode and also may
> conditionally load a handful of pre-known modules if they are present
> on the system.
> 
> Marking this as important since it breaks msva-perl and probably other
> code.

Interestingly, if none of the modules that are trying to be loaded are
installed, this taint error does not show up, so the failures are
contingent on one of the conditionally-loaded modules actually being
present.

	--dkg
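The failure mode in this report, as an added Perl example that is not part of the message and not Module::Metadata's code: under `-T`, a line read from a filehandle is tainted, so a string eval of it is refused with the same "Insecure dependency in eval" error, while a strict regex capture yields an untainted value without executing anything. It assumes the eval at Metadata.pm line 631 operates on text read from the module's file, as the `<GEN0> line 23` suffix of the error suggests. `Demo::Module`, its `$VERSION` line and the in-memory filehandle are constructed for the demo.

```perl
# Added illustration, not code from the bug report or from Module::Metadata.
# Run as:  perl -T taint_eval_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this script with: perl -T\n" unless ${^TAINT};

# Constructed stand-in for the source file of an installed module.
my $module_source = <<'EOF';
package Demo::Module;
our $VERSION = '1.02';
1;
EOF

# Read it through a filehandle: under -T every line read this way is tainted,
# even though the string backing the handle is a literal in this script.
open my $in, '<', \$module_source or die "open: $!";
my ($line) = grep { /\$VERSION\s*=/ } <$in>;
close $in;
chomp $line;
printf "read line:      %s (tainted=%d)\n", $line, tainted($line) ? 1 : 0;

# A string eval of that line trips the taint check before any code runs.
# The exception is raised in the caller, so a block eval is needed to catch it.
my $ran = eval { eval $line; 1 };
print "string eval:    ", ($ran ? "ran\n" : "refused: $@");

# Taint-safe alternative: extract the version with a strict pattern.
# A regex capture is untainted, and nothing from the file gets executed.
my ($version) = $line =~ /^our \$VERSION\s*=\s*'(\d+(?:\.\d+)*)';$/
    or die "unrecognised \$VERSION line\n";
printf "parsed version: %s (tainted=%d)\n", $version, tainted($version) ? 1 : 0;
```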
