
Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"



On Tue, Oct 17, 2017 at 05:44:26PM +0200, gregor herrmann wrote:
> Package: dh-make-perl
> Version: 0.95
> Severity: serious
> Tags: buster sid
> Justification: fails to build from source

> As first seen on ci.debian.net, dh-make-perl's test suite fails with
> libdpkg-perl 1.19.0 and 1.19.0.1:
> 
> Insecure dependency in eval while running with -T switch at /usr/share/perl5/Dpkg/Vendor.pm line 164.

> The -T seems to come from t/debian-version.t itself; no idea yet why
> it is a problem now and why it's used here in the first place.

It looks like Dpkg::Vendor::get_vendor_info() contents have become
tainted, probably due to changes in Dpkg::Control::HashCore. It used to
dig the values out with regexp captures but now uses split.

 https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=sid&id=9e5e03e9a6ddf74bb22ffc5ea8794a14a592d6b6

A test case is

  perl -T -MDpkg::Vendor=get_vendor_info -MScalar::Util=tainted -e 'die if tainted get_vendor_info()->{Vendor}'

which dies on libdpkg-perl 1.19.0.1 but not 1.18.24.

I don't know if the earlier untainting was accidental or intended.
Copying the dpkg maintainers.

Hope this helps a bit,
-- 
Niko
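
The regexp-capture versus split difference Niko points at, as an added example that is not part of the original message or of dpkg's code: a constructed control-file stanza is read from DATA (file input is tainted under -T), parsed once with a regexp capture and once with split, and each result is handed to a string eval. The hash names, labels and sample stanza are my own and only illustrate Perl's taint rules, not Dpkg::Control's actual parser.

```perl
# Run with:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Start this script with perl -T so taint checks are active\n"
    unless ${^TAINT};

# Constructed sample stanza in the style of a dpkg control file; anything
# read from a filehandle (DATA included) is tainted under -T.
my @lines = <DATA>;
chomp @lines;

# Parsing with a regexp capture: perl treats $1/$2 as untainted, on the
# assumption that the pattern has validated the input.
my %by_regex;
for (@lines) {
    $by_regex{$1} = $2 if /^([^:]+):\s*(.*)$/;
}

# Parsing with split: the returned pieces keep the taint of the input.
my %by_split;
for (@lines) {
    my ($k, $v) = split /:\s*/, $_, 2;
    $by_split{$k} = $v;
}

printf "regex capture -> Vendor tainted: %d\n", tainted($by_regex{Vendor}) ? 1 : 0;
printf "split         -> Vendor tainted: %d\n", tainted($by_split{Vendor}) ? 1 : 0;

# A string eval refuses tainted source, which is the fatal error quoted in
# the bug report. The surrounding eval BLOCK catches the die so both outcomes
# can be shown; a bare `eval $tainted_string` does not catch its own taint error.
for my $label (qw(regex split)) {
    my $vendor = $label eq 'regex' ? $by_regex{Vendor} : $by_split{Vendor};
    my $ok = eval { eval "length('$vendor')"; 1 };
    print "$label: ", $ok ? "eval accepted the string\n" : "eval refused: $@";
}

__DATA__
Vendor: Debian
Vendor-URL: https://www.debian.org/
```

Untainting the split result afterwards means re-validating it with a pattern, which is why a parser switching from captures to split changes what its callers may safely pass to eval.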

