Public bug reported:

The Perl library Dpkg::Index used to be usable with taint mode (-T) enabled. Specifically, it worked when using package 1.18.4ubuntu1 of libdpkg-perl in Ubuntu 16.04. This has since regressed in Ubuntu 18.04, which uses version 1.19.0.5ubuntu2.

The following perl script demonstrates the issue:

    #!/usr/bin/perl -wT

    use strict;
    use warnings;

    use Dpkg::Index;

    1;

This script completes without error when run against 1.18. Running it against 1.19 results in the following taint error in the Dpkg::Vendor component, one of Dpkg::Index's dependencies:

    % perl -wT poc.pl
    Insecure dependency in eval while running with -T switch at /usr/share/perl5/Dpkg/Vendor.pm line 164.
    Compilation failed in require at /usr/share/perl5/Dpkg/Control/Hash.pm line 25.
    BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Control/Hash.pm line 25.
    Compilation failed in require at /usr/share/perl5/Dpkg/Control.pm line 47.
    BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Control.pm line 47.
    Compilation failed in require at /usr/share/perl5/Dpkg/Index.pm line 26.
    BEGIN failed--compilation aborted at /usr/share/perl5/Dpkg/Index.pm line 26.
    Compilation failed in require at poc.pl line 6.
    BEGIN failed--compilation aborted at poc.pl line 6.

This corresponds to the following code in get_vendor_object():

    eval qq{
        pop \@INC if \$INC[-1] eq '.';
        require Dpkg::Vendor::$name;
        \$obj = Dpkg::Vendor::$name->new();
    };

Commenting out the 'pop' line does not prevent the "Insecure dependency" error.

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1774041

Title:
  Perl library Dpkg::Index no-longer usable with Perl taint-mode enabled
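Added example, not part of the original report and not dpkg code: a stand-alone reproduction of the same taint failure with a string eval, next to the generic allow-list untaint that taint mode accepts. It assumes the vendor name reaching the eval is tainted (the report does not say where $name comes from); Demo::Vendor::Ubuntu and the helper names are hypothetical.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-in for a Dpkg::Vendor::* class, defined inline.
package Demo::Vendor::Ubuntu { sub new { return bless {}, shift } }

# Same shape as the eval in get_vendor_object(): $name is interpolated
# into source text, so a tainted $name taints the whole string.
sub load_by_string_eval {
    my ($name) = @_;
    my $obj;
    eval qq{ \$obj = Demo::Vendor::$name->new(); };
    return $obj;
}

# Allow-list the name; a regex capture group yields an untainted copy.
sub untaint_vendor_name {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/ ? $1 : undef;
}

# Constructed input: substr() of the tainted $^X is a tainted empty
# string, so $name is the text 'Ubuntu' carrying the taint flag.
my $name = 'Ubuntu' . substr($^X, 0, 0);
print "name tainted: ", (tainted($name) ? "yes\n" : "no\n");

# Perl checks taint before the string eval starts, so the die escapes
# that eval and must be caught by an enclosing block eval.
my $obj = eval { load_by_string_eval($name) };
print "tainted name:   ", ($obj ? "loaded\n" : "died: $@");

# After validation the same eval is accepted.
my $clean = untaint_vendor_name($name);
$obj = eval { load_by_string_eval($clean) };
print "validated name: ", ($obj ? "loaded " . ref($obj) . "\n" : "died: $@");
```

Run it as `perl -T demo.pl`. The taint flag sits on the interpolated string as a whole, which is consistent with the report's observation that commenting out the 'pop' line changes nothing.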