Bug#813155: perl: Inconsistent "insecure dependency" errors from backquotes in taint mode
Benjamin Moody
benjaminmoody at gmail.com
Fri Jan 29 23:03:43 UTC 2016
Package: perl
Version: 5.20.2-3+deb8u3
Severity: normal
Dear Maintainer,
Perl seems to give spurious "insecure dependency" errors, in some
cases, when two backquote operators are used within the same
expression (for some definition of "expression"). The behavior seems
highly inconsistent.
Note that none of the below are actually insecure; PATH has been set
and the commands are constant strings.
#!/usr/bin/perl -t
$ENV{PATH} = '/bin:/usr/bin';
$a = `printf hello`; # OK
print "a = $a\n";
$b = `printf world`; # OK
print "b = $b\n";
$c = $a . $b; # OK
print "c = $c\n";
$d = $a . `printf world`; # OK
print "d = $d\n";
$e = `printf hello` . $b; # OK
print "e = $e\n";
$f = `printf hello` . `printf world`; # *** Not OK ***
print "f = $f\n";
sub concat { return $_[0] . $_[1]; }
$g = concat($a, `printf world`); # OK
print "g = $g\n";
$h = concat(`printf hello`, `printf world`); # *** Not OK ***
print "h = $h\n";
$i = concat($a, `printf world`, `printf 1`); # *** Not OK ***
print "i = $i\n";
$j = concat(`printf hello`, '') . `printf world`; # *** Not OK ***
print "j = $j\n";
$k = concat(`printf hello`, '') . concat(`printf world`, ''); # *** Not OK ***
print "k = $k\n";
sub cmdout { return `$_[0]`; }
$l = cmdout('printf hello') . cmdout('printf world'); # OK
print "l = $l\n";
$m = `printf hello` . cmdout('printf world'); # OK
print "m = $m\n";
$n = cmdout('printf hello') . `printf world`; # *** Not OK ***
print "n = $n\n";
$o = concat(cmdout('printf hello'), `printf world`); # OK
print "o = $o\n";
$p = cmdout('printf hello', `printf 1`) . 'world'; # OK
print "p = $p\n";
$q = cmdout('printf hello', `printf 1`, `printf 2`) . 'world'; # *** Not OK ***
print "q = $q\n";
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages perl depends on:
ii dpkg 1.17.26
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18+deb8u2
ii libdb5.3 5.3.28-9
ii libgdbm3 1.8.3-13.1
ii perl-base 5.20.2-3+deb8u3
ii perl-modules 5.20.2-3+deb8u3
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages perl recommends:
ii netbase 5.3
ii rename 0.20-3
Versions of packages perl suggests:
pn libterm-readline-gnu-perl | libterm-readline-perl-perl <none>
ii make 4.0-8.1
ii perl-doc 5.20.2-3+deb8u3
-- no debconf information
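Added example (not part of the bug report): under -T the output of a backquote is tainted even when the command string is a constant, so it cannot be passed to another command or a file open until it is untainted through a regex capture. Each backquote is kept in its own statement, the form the report shows working; the helper name untaint_word and its allow-list pattern are my own choices.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run any external command until PATH and the
# shell-influencing variables are set from trusted, constant values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# One backquote per statement; this is the pattern that the report
# shows as OK. The results are still tainted: taint follows the data
# source (a child process), not the trustworthiness of the command.
my $hello = `printf hello`;
my $world = `printf world`;
print "hello tainted: ", (tainted($hello) ? 1 : 0), "\n";   # 1
print "world tainted: ", (tainted($world) ? 1 : 0), "\n";   # 1

# Untaint by keeping only what matches an explicit allow-list; the
# capture $1 is untainted, anything else yields undef (not the input).
sub untaint_word {
    my ($s) = @_;
    return $s =~ /\A([a-z]+)\z/ ? $1 : undef;   # lowercase ASCII letters only
}

my $h = untaint_word($hello);
my $w = untaint_word($world);
die "unexpected command output" unless defined $h && defined $w;

my $greeting = "$h $w";
print "greeting tainted: ", (tainted($greeting) ? 1 : 0), "\n";   # 0

# Safe to use in a further command or a file name now; the list form of
# system() bypasses the shell, so no shell metacharacters are interpreted.
system('/usr/bin/printf', '%s\n', $greeting) == 0 or die "printf failed: $?";
```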