Hi!

On Tue, 2017-10-17 at 19:48:07 +0300, Niko Tyni wrote:
> On Tue, Oct 17, 2017 at 05:44:26PM +0200, gregor herrmann wrote:
> > Package: dh-make-perl
> > Version: 0.95
> > Severity: serious
> > Tags: buster sid
> > Justification: fails to build from source
> 
> > As first seen on ci.debian.net, dh-make-perl's test suite fails with
> > libdpkg-perl 1.19.0 and 1.19.0.1:
> > 
> > Insecure dependency in eval while running with -T switch at /usr/share/perl5/Dpkg/Vendor.pm line 164.
> 
> > The -T seems to come from t/debian-version.t itself; no idea yet why
> > it is a problem now and why it's used here in the first place.

> It looks like Dpkg::Vendor::get_vendor_info() contents have become
> tainted, probably due to changes in Dpkg::Control::HashCore. It used to
> dig the values out with regexp captures but now uses split.
> 
> https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=sid&id=9e5e03e9a6ddf74bb22ffc5ea8794a14a592d6b6
> 
> A test case is
> 
>   perl -T -MDpkg::Vendor=get_vendor_info -MScalar::Util=tainted -e 'die if tainted get_vendor_info()->{Vendor}'
> 
> which dies on libdpkg-perl 1.19.0.1 but not 1.18.24.
> 
> I don't know if the earlier untainting was accidental or intended.
> Copying the dpkg maintainers.

TBH, I was not aware that anyone was running Dpkg modules in taint
mode. And I don't think anyone has written code for the modules with
that in mind. I'm not sure either how much of it is taint clean, for
example.

If people are really running this code in taint mode, I'm willing to
discuss which parts of the API would make sense to cover or not, and
what tradeoffs related to performance to take, etc.

Thanks,
Guillem

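The mechanism Niko points at (a regexp capture untaints the captured text, split() does not) can be shown without libdpkg-perl at all. The script below is an added, stand-alone example and is not dpkg code; the "Vendor: Debian" field line is constructed, and the taint is produced by concatenating an empty substring of $^X, which is tainted under -T (the same idiom perl's own test suite uses).

```perl
#!/usr/bin/perl -T
# Added example, not dpkg code.  Shows why a value extracted with a regexp
# capture is untainted while the same value extracted with split() stays
# tainted, and what that does to a string eval under -T.
# Run as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample field in deb822 "Field: value" form.  $^X (the path of
# the running perl) is tainted under -T; concatenating an empty substring
# of it taints the whole string, as if it had been read from a file.
my $taint = substr($^X, 0, 0);
die "expected \$^X to be tainted; is -T in effect?\n" unless tainted($taint);
my $line = "Vendor: Debian" . $taint;

# Old-style extraction: regexp captures are treated by perl as validated
# data, so key and value come out untainted.
my ($key_re, $val_re) = $line =~ /^([^:\s]+):\s*(.*)$/;

# New-style extraction: split() only cuts the string; taint is preserved.
my ($key_sp, $val_sp) = split /:\s*/, $line, 2;

printf "line tainted:  %s\n", tainted($line) ? 'yes' : 'no';
printf "regexp value:  '%s' (tainted: %s)\n", $val_re, tainted($val_re) ? 'yes' : 'no';
printf "split value:   '%s' (tainted: %s)\n", $val_sp, tainted($val_sp) ? 'yes' : 'no';

# A string eval whose source text contains the value (for instance to
# require a module named after the vendor) is an "Insecure dependency"
# when the value is tainted, exactly the failure seen in the test suite.
for my $case ([regexp => $val_re], [split => $val_sp]) {
    my ($how, $val) = @$case;
    my $result = eval "'$val'";
    print "string eval with $how value: ", ($@ ? $@ : "ok, got '$result'\n");
}

# Untainting the split() result again requires an explicit, validating
# match; the character class is the policy, not just a way to copy bytes.
my ($val_clean) = $val_sp =~ /^([\w.-]+)$/
    or die "unexpected vendor value '$val_sp'\n";
printf "re-validated:  '%s' (tainted: %s)\n", $val_clean, tainted($val_clean) ? 'yes' : 'no';
```

Expected behaviour: the regexp-extracted value is reported untainted and its string eval succeeds, while the split-extracted value is reported tainted and its eval fails with "Insecure dependency in eval while running with -T switch". The last step is the caveat for anyone relying on the old behaviour: the earlier untainting came from the regexp capture as such, not from any deliberate validation, so a consumer that needs taint-clean values should validate them against a pattern that expresses what a vendor name may contain.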