Your message dated Fri, 14 Feb 2014 21:34:04 +0000
with message-id <e1weqoa-0003ol...@franck.debian.org>
and subject line Bug#737265: fixed in libdatetime-timezone-perl 1:1.64-1+2013h
has caused the Debian Bug report #737265,
regarding libdatetime-timezone-perl: DateTime::TimeZone::Local malfunctions
under taint mode (perl -T)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
737265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdatetime-timezone-perl
Version: 1.63-1+2013h
Severity: normal
Tags: upstream patch
Dear Maintainer,
Bugzilla versions 4.2 and 4.4 both malfunction under the latest Perl (5.18.2-2)
and libdatetime-timezone-perl (1.63-1+2013h) with the message "Cannot determine
local time zone".
This occurs because Bugzilla runs under "Taint Mode", where values from
untrusted sources are marked as 'tainted'; certain risky operations (eval,
exec/system, open file for writing) will fail when their arguments are tainted.
This includes the mechanism used by the constructor for DateTime::TimeZone.
When DateTime::TimeZone::Local::Unix loads the time zone name from
/etc/timezone, the zone name is tainted; then, when the name is passed to
DateTime::TimeZone->new, it fails.
DateTime::TimeZone->new already securely validates the zone name before using
it. Attached is a patch (created using quilt) that modifies that validation
code such that it also untaints the zone name at the same time. It also adds a
new test to the test suite to verify correct operation.
An equivalent patch has been submitted directly to the author of
DateTime::TimeZone.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- /dev/null
+++ b/t/22taintmode.t
@@ -0,0 +1,9 @@
+#!perl -wT
+use strict;
+use warnings;
+use Test::More 0.88;
+
+use_ok('DateTime::TimeZone::Local');
+ok( ref DateTime::TimeZone::Local->TimeZone );
+
+done_testing();
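Review bot: `ok( ref DateTime::TimeZone::Local->TimeZone )` carries no description, and since the bug's symptom is a die inside TimeZone(), a regression would abort the script instead of producing a named failure; wrap the call, e.g. `my $tz = eval { DateTime::TimeZone::Local->TimeZone }; ok( ref $tz, 'local zone object built under -T' ) or diag($@);`, so the harness reports what broke. It is also worth a comment that the test only reaches the tainted code path when the host supplies a local zone (TZ, /etc/localtime or /etc/timezone), so a failure on a minimal build host is not necessarily a taint regression.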
--- a/lib/DateTime/TimeZone.pm
+++ b/lib/DateTime/TimeZone.pm
@@ -70,7 +70,7 @@
my $real_class = "DateTime::TimeZone::$subclass";
die "The timezone '$p{name}' in an invalid name.\n"
- unless $real_class =~ /^\w+(::\w+)*$/;
+ unless ($real_class) = ($real_class =~ /^(\w+(?:::\w+)*)$/);
unless ( $real_class->can('instance') ) {
my $e = do {
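Review bot: the list assignment inside `unless` is doing two jobs, validation and untainting, and nothing in the hunk says so; a later cleanup could simplify it back to a plain boolean match and silently reintroduce the taint failure. Add a short comment above the line, e.g. `# capture assignment also untaints the validated name (see perlsec)`. The character class is unchanged, so the untainted value is exactly what the old check accepted; one detail worth knowing is that `$` matches before a trailing newline, so a name ending in "\n" passes and the capture drops the newline, which the old check also allowed. While touching this block, the context line's message "in an invalid name" should read "is an invalid name".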
--- End Message ---
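As an added illustration (not code from the bug report or from DateTime::TimeZone itself), the Perl script below contrasts the boolean-match validation with the capture-assignment form used in the patch, using Scalar::Util::tainted to show which one actually clears the taint; the temporary file path and the simplified zone-to-package mapping are this demo's own assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not DateTime::TimeZone's code: a boolean regex match validates
# a value but leaves it tainted; the capture assignment from the patch validates
# and untaints in one step. Run with: perl -T demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: a zone name read from a file, the way Local::Unix reads
# /etc/timezone. Anything read from a filehandle is tainted under -T.
my $path = "/tmp/tz-demo.$$";    # temp file used only by this demo (assumed)
open my $fh, '>', $path or die "open: $!";
print {$fh} "Europe/Berlin\n";
close $fh;
open $fh, '<', $path or die "open: $!";
chomp( my $zone = <$fh> );
close $fh;
unlink $path;

# Build a package name from the zone name (simplified from what
# DateTime::TimeZone->new does); the taint propagates into the new string.
( my $subclass = $zone ) =~ s{/}{::}g;
my $real_class = "DateTime::TimeZone::$subclass";
# 'Before' shape: the match succeeds, but nothing is assigned from a capture,
# so the returned value is exactly as tainted as the input.
sub validate_only {
    my ($class) = @_;
    die "'$class' is an invalid name\n" unless $class =~ /^\w+(?:::\w+)*$/;
    return $class;
}
# 'After' shape (the patch): the list assignment yields the number of captures,
# so it is true only on a full match, and the capture is an untainted copy.
sub validate_and_untaint {
    my ($class) = @_;
    die "'$class' is an invalid name\n"
        unless ($class) = ( $class =~ /^(\w+(?:::\w+)*)$/ );
    return $class;
}
# eval STRING, which DateTime::TimeZone uses to load the class, is one of the
# operations Perl refuses outright when its argument is tainted.
sub try_load {
    my ($class) = @_;
    local $@;
    return 'loaded' if eval "require $class; 1";
    return $@ =~ /^Insecure dependency/ ? 'blocked by taint' : 'not loadable here';
}
for my $check ( \&validate_only, \&validate_and_untaint ) {
    my $class = $check->($real_class);
    printf "tainted=%d load=%s\n", tainted($class) ? 1 : 0, try_load($class);
}
```

The first line always reports `tainted=1 load=blocked by taint`; the second reports `tainted=0`, and `loaded` if DateTime::TimeZone is installed on the machine running the demo.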
--- Begin Message ---
Source: libdatetime-timezone-perl
Source-Version: 1:1.64-1+2013h
We believe that the bug you reported is fixed in the latest version of
libdatetime-timezone-perl, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated
libdatetime-timezone-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 14 Feb 2014 22:15:34 +0100
Source: libdatetime-timezone-perl
Binary: libdatetime-timezone-perl
Architecture: source all
Version: 1:1.64-1+2013h
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl
Closes: 737265
Changes:
libdatetime-timezone-perl (1:1.64-1+2013h) unstable; urgency=medium
.
* Drop xz compression for {binary,source} package, set by default by
dpkg since 1.17.{0,6}.
.
* New upstream release.
Fixes "DateTime::TimeZone::Local malfunctions under taint mode
(perl -T)" (Closes: #737265)
* Update years of copyright.
* Add new build dependencies.
--- End Message ---