Bug#794963: libnet-xmpp-perl: "Insecure dependency in eval (...) at /usr/share/perl5/Net/XMPP/Protocol.pm line 1007."
Christoph Biedl
debian.axhn at manchmal.in-ulm.de
Mon Aug 10 22:54:33 UTC 2015
It's getting interesting ...
Axel Beckert wrote:
> I'm sorry, but I failed to get that script working.
>
> I tried with:
>
> * My own server (cacert certificate, Net::XMPP::Client can't seem to
> pass ssl_ca_path to XML::Stream)
> * Upstream's test server (connection refused despite I used the same
> data as in their own test scripts)
> * locally installed jabberd2 (gave nothing 500 server error after I
> had it purged and installed again)
> * locally installed prosody (connection timeout).
The easiest way for me to get an XMPP server running was to install
prosody, lua-sec, and libdigest-hmac-perl. Beware of #748721, edit
the certificate name in /etc/prosody/prosody.cfg.lua. Then use
prosodyctl to create an account.
If it's of any help, I can provide a root account on a test machine
for you, with a running prosody server. Send me your public ssh key.
But ... see below.
> I see currently two options:
>
> a) you try to checkout
> https://anonscm.debian.org/cgit/pkg-perl/packages/libnet-xmpp-perl.git
> and build the package from there to test it.
Bad news: This is *not* a remedy against the error messages here.
Additionally, this raises new warnings (three times):
| WARNING: debug file () does not exist
| and is not writable by you.
| No debug information being saved.
This also happens without any setuid quirks, the messages are
generated by
* /usr/share/perl5/XML/Stream.pm:401 (one time)
* /usr/share/perl5/XML/Stream/Parser.pm:135 (two times)
and I have no idea why. Good luck :)
> b) I'll upload the new upstream release without fixing this issue, you
> try it afterwards in Sid oder Testing and I either close this issue
> retroactively or try to fix it based on your feedback.
Modulo the above messages this is probably the way to go since there
are more problems on the political layer: If you run my small script
in Perl's taint mode, it will croak in other places:
| Insecure dependency in eval while running with -T switch at /usr/share/perl5/Authen/SASL/Perl.pm line 58.
| at /usr/share/perl5/XML/Stream.pm line 2155.
So a can of worms is waiting to be opened ...
AND: While I managed to reproduce the issue in my usual test systems,
I failed to do so in a fresh, plain jessie install, the one I could
easily grant you access to. So I still cannot make you see it with
your own eyes.¹ At first, I really should find the differences between
these two installations. I'll get back to you then.
Christoph
¹ At least the new "WARNING"s show up, though.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20150811/56367698/attachment.sig>
More information about the pkg-perl-maintainers
mailing list