Bug#794963: libnet-xmpp-perl: "Insecure dependency in eval (...) at /usr/share/perl5/Net/XMPP/Protocol.pm line 1007."

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Sun Aug 9 10:02:17 UTC 2015


Axel Beckert wrote...

> Can you give me some example code which triggers this issue so that I
> can test if it's fixed with the new upstream release?

It's rather simple: Use Net::XMPP while running setuid. So execute the
following code as root after adjusting the server information and
credentials; login must succeed to trigger the error. Discussion
follows.

======================================================================
#!/usr/bin/perl
# Reproducer: run as root. Only the effective uid is changed, the real
# uid stays 0, so $< != $> and perl behaves as if running setuid.

use 5.010;
use strict;
use warnings;

use Net::XMPP;

$> = 65534;    # effective uid only; $< is left untouched on purpose

my $Connection = Net::XMPP::Client->new ();
my $status = $Connection->Connect (
    'hostname' => 'server.example.com',
    'port' => 5222,
) or die "Connect failed\n";

# The error surfaces during authentication, inside Protocol.pm's eval.
my @result = $Connection->AuthSend (
    'username' => 'user',
    'password' => 'pass',
    'resource' => 'whatever',
);
die "AuthSend failed: @result\n" unless $result[0] eq 'ok';
======================================================================

This might raise the question why somebody would want to run such a
script setuid. The proper answer, however, was to question why anyone
among upstream, packagers and other Perl-related folks would want to bar
them from doing so.

This is a political question, and it's not limited to libnet-xmpp-perl
in any way: Are Perl modules expected to work in stricter environments,
where the runtime enforces rules it usually does not, like taint mode
or when running setuid like here? In my opinion "yes", but it's a tough
job to identify all the places in the code, and sometimes fixing them
isn't easy either. So this should be decided on a big scale, as a
release goal, at debian-devel and/or DebConf, and libnet-xmpp-perl
might not be the right place to exercise this beforehand.

However, in my case the answer is a bit different. The client code is a
daemon that relays messages received via XMPP. It gets started using
start-stop-daemon, then drops privileges. Instead of using
POSIX::setuid this was done manually by setting $> but not $<, and
things went downhill from there. In other words, running setuid was not
intended anyway and that code has been fixed now.

Long story short: Feel free to lower severity. Using code in eval "..."
is evil. Upstream's recent change did not remove the error.

    Christoph
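The privilege drop Christoph describes at the end, as an added example that is not code from the bug report or from Net::XMPP: the "$> only" variant that leaves the real uid at 0 next to a drop that changes real, effective and saved ids and then checks the result. The account name nobody and the function names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from Net::XMPP: drop
# privileges so that real and effective ids match, instead of setting
# $> alone as the daemon in the report did. The account name is an
# assumption; use the one your daemon should run as.
use 5.010;
use strict;
use warnings;

use POSIX qw(setgid setuid getuid geteuid getgid getegid);

my $RUN_AS = 'nobody';    # assumed unprivileged account

# What the reporter's daemon did: only the effective uid changes, the
# real uid stays 0. With $< != $> perl treats the process as running
# setuid, and, as the report above shows, Net::XMPP's string eval then
# dies with "Insecure dependency in eval".
sub drop_privileges_wrong {
    my ($uid) = @_;
    $> = $uid;
    return $< == $>;    # false afterwards: the ids differ
}

# Proper drop: groups first (they still need root), then setuid(2),
# which for root sets real, effective and saved uid at once. Afterwards
# $< == $> and root cannot be taken back.
sub drop_privileges {
    my ($user) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    defined $uid or die "unknown user '$user'\n";

    # First number is the new egid, the rest (here: just the same gid
    # again) becomes the supplementary group list via setgroups().
    $) = "$gid $gid";
    setgid($gid) or die "setgid($gid): $!\n";
    setuid($uid) or die "setuid($uid): $!\n";

    # Verify: every id changed, and regaining root fails.
    getuid() == $uid && geteuid() == $uid
        or die sprintf "uid not dropped (real %d, effective %d)\n",
                       getuid(), geteuid();
    getgid() == $gid && getegid() == $gid
        or die sprintf "gid not dropped (real %d, effective %d)\n",
                       getgid(), getegid();
    defined setuid(0)
        and die "setuid(0) still succeeds: privileges not really dropped\n";
    return 1;
}

$< == 0 or die "start this as root, e.g. from start-stop-daemon\n";
drop_privileges($RUN_AS);

# ${^TAINT} is 1 while taint checks are active and 0 otherwise; this
# script never asked for -T, so after a correct drop it reports 0.
printf "uid %d/%d, gid %d/%d, taint checks: %s\n",
    $<, $>, getgid(), getegid(), ${^TAINT} ? 'on' : 'off';
```

Load Net::XMPP and call Connect/AuthSend only after drop_privileges() has returned; the module itself is unchanged, it simply no longer runs in a process whose real and effective ids disagree.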
