We were finally able to narrow this bug down to a small test case. I have also attached a patch that fixes it.
#!/usr/bin/perl -Tw $SIG{'__WARN__'} = sub {warn $_[0]}; my $tainted = substr($ENV{'PATH'}, 0, 0); my $pat = "Testing %s\n" . $tainted; "foo" =~ m/(.*)/; my $foo = $1; my $s = sprintf($pat, undef); # << corrupts $1!! "bar" =~ m/(.$tainted*)/; my $bar = $1; my $test = 'print "OK\n"' . $tainted; $test =~ m/(.*)/; $test = $1; # try to untaint eval($test); Output: Use of uninitialized value in sprintf at - line 7. Insecure dependency in eval while running with -T switch at - line 13. In a nutshell, the bug was caused by having a single line that taints and then calls a warning handler. After that, $1 becomes increasing corrupted. (Insert Devel::Peek::Dump($1) at various points to see this.) Brendan, is there anything else you need from us to get this into unstable? Will you push this upstream, or should I write to p5p myself? Chris Heath AutoWeb Communications, Inc.
--- mg.c.bad 2005-10-04 11:29:10.000000000 -0400 +++ mg.c 2005-10-04 11:39:01.000000000 -0400 @@ -768,7 +768,10 @@ getrx: if (i >= 0) { + int oldtainted = PL_tainted; + TAINT_NOT; sv_setpvn(sv, s, i); + PL_tainted = oldtainted; if (RX_MATCH_UTF8(rx) && is_utf8_string((U8*)s, i)) SvUTF8_on(sv); else