Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"

To: 878901@bugs.debian.org
Cc: dpkg@packages.debian.org
Subject: Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
From: Damyan Ivanov <dmn@debian.org>
Date: Wed, 18 Oct 2017 20:20:16 +0000
Message-id: <[🔎] 20171018202016.s2gr3kh4pze3b26p@ktnx.net>
In-reply-to: <[🔎] 20171017201631.ba3fdyqn7jssosae@gaara.hadrons.org>
References: <150825506636.5583.6827814574149091480.reportbug@jadzia.comodo.priv.at> <[🔎] 20171017164807.qmvldb7lsqceualy@estella.local.invalid> <150825506636.5583.6827814574149091480.reportbug@jadzia.comodo.priv.at> <[🔎] 20171017201631.ba3fdyqn7jssosae@gaara.hadrons.org>

-=| Guillem Jover, 17.10.2017 22:16:31 +0200 |=-
> On Tue, 2017-10-17 at 19:48:07 +0300, Niko Tyni wrote:
> > It looks like Dpkg::Vendor::get_vendor_info() contents have become
> > tainted, probably due to changes in Dpkg::Control::HashCore. It used to
> > dig the values out with regexp captures but now uses split.
> > 
> >  https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=sid&id=9e5e03e9a6ddf74bb22ffc5ea8794a14a592d6b6
> > 
> > A test case is
> > 
> >   perl -T -MDpkg::Vendor=get_vendor_info -MScalar::Util=tainted -e 'die if tainted get_vendor_info()->{Vendor}'
> > 
> > which dies on libdpkg-perl 1.19.0.1 but not 1.18.24.
> > 
> > I don't know if the earlier untainting was accidental or intended.
> > Copying the dpkg maintainers.
> 
> TBH, I was not aware that anyone was running Dpkg modules in taint
> mode. And I don't think anyone has writen code for the modules with
> that in mind. I'm not sure either how much of it is taint clean, for
> example.
> 
> If people are really running this code in taint mode, I'm willing to
> discuss which parts of the API would make sense to cover or not, and
> what tradeoffs related to performance to take, etc.

I think that using taint mode wasn't justified in that one case, so 
imposing that on Dpkg::* would not be necessary.

During discussion, Matt S. Trout suggested on IRC that the check for 
a valid package name is better written as $input =~ 
/\A([A-Za-z]\w*(?:::\w+)*)\Z/. If no hierarchy is possible, then 
/\A([A-Za-z]\w*/ would be enough.

(Perhaps this belongs to the place where $name is interpreted as 
a module name, not when parsing generic label:value lines).

That may be considered nitpicking, especially without a view on the 
big picture, but I'd rather mention it here in case it is useful.

-- dam

Reply to:

Follow-Ups:
- Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
  - From: Damyan Ivanov <dmn@debian.org>

References:
- Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
  - From: Niko Tyni <ntyni@debian.org>
- Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Build failed in Jenkins: dpkg-source #538
Next by Date: [benjamin.nickolls@gmail.com: [FOSDEM] FOSDEM 2018 Package management devroom]
Previous by thread: Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
Next by thread: Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
Index(es):
- Date
- Thread