Possible bug? #758

Closed
p5pRT opened this issue Oct 21, 1999 · 9 comments


p5pRT commented Oct 21, 1999

Migrated from rt.perl.org#1682 (status was 'resolved')

Searchable as RT1682$


p5pRT commented Oct 21, 1999

From ksparger@dialtoneinternet.net


while ($zone[$i] =~ /(\d+)/go)
{
  # Sure as hell don't want anything after ;
  if ($` !~ /;/)
  {
    # push matching items into @timeargs
    push(@timeargs, $1);
  }
}


Notes:

Basically, what happens is, it goes into an infinite loop where it appears
that the search position gets reset.

It works as of perl-5.004-4 (redhat's 5.0 or 5.1 RPM)
It ceases to work as of perl-5.00503-2 (redhat's 6.0 RPM)

Primarily, what's at issue is whether the change was intended or not -- I
didn't find a reference to it in the change logs.

I talked to someone about it, and he feels matching against $`
modifies the original target string in the while loop, which resets the
position -- which ultimately causes the problem.

I'm not so sure about this, as I find the logic that would cause matching
against $` to modify the original string somewhat dubious.

Also, since I'm not on any of the perl mailing lists, if you could let me
know as to the final decision, that would be excellent. This has been
bothering me for several weeks, and I finally just got the gumption to
mail you gents (and ladies?).

Thanks,

Kyle Sparger - Senior System Administrator
Dialtone Internet - Extremely Fast Web Systems
(954) 581-0097 - Voice (954) 581-7629 - Fax
ksparger@dialtoneinternet.net
http://www.dialtoneinternet.net


p5pRT commented Oct 22, 1999

From [Unknown Contact. See original ticket]

On Thu, 21 Oct 1999, Kyle Sparger wrote:

> while ($zone[$i] =~ /(\d+)/go)
> {
>   # Sure as hell don't want anything after ;
>   if ($` !~ /;/)
>   {
>     # push matching items into @timeargs
>     push(@timeargs, $1);
>   }
> }
>
> Basically, what happens is, it goes into an infinite loop where it
> appears that the search position gets reset.
>
> It works as of perl-5.004-4 (redhat's 5.0 or 5.1 RPM)
> It ceases to work as of perl-5.00503-2 (redhat's 6.0 RPM)

Could you make a small stand-alone program which shows the different
behavior under different perl versions? I couldn't make the code above do
anything unexpected on my machine. But maybe that's because I didn't use
the same string as you did.

Cheers!

--
Tom Phoenix Perl Training and Hacking Esperanto
Randal Schwartz Case: http://www.rahul.net/jeffrey/ovs/


p5pRT commented Oct 25, 1999

From [Unknown Contact. See original ticket]

It looks like I left out some important information, but the trigger
condition had some additional conditions I wasn't really aware of until
just now, when I moved the code out of the bigger program. I'm left
wondering if I'm on drugs, and what other pertinent information I'm
missing.

The program has to be mode 4755, owned by root.

I'm consistently able to force the attached program into an infinite loop
at line 30.

Note that the program works fine when it's run by the same user it's
setuid as, but as any other user, it breaks. Is this a security feature?
I'm not sure.

"test.dom" is a sample input file the program uses.

Thanks,

Kyle Sparger

On Fri, 22 Oct 1999, Tom Phoenix wrote:

> On Thu, 21 Oct 1999, Kyle Sparger wrote:
>
> > while ($zone[$i] =~ /(\d+)/go)
> > {
> >   # Sure as hell don't want anything after ;
> >   if ($` !~ /;/)
> >   {
> >     # push matching items into @timeargs
> >     push(@timeargs, $1);
> >   }
> > }
> >
> > Basically, what happens is, it goes into an infinite loop where it
> > appears that the search position gets reset.
> >
> > It works as of perl-5.004-4 (redhat's 5.0 or 5.1 RPM)
> > It ceases to work as of perl-5.00503-2 (redhat's 6.0 RPM)
>
> Could you make a small stand-alone program which shows the different
> behavior under different perl versions? I couldn't make the code above do
> anything unexpected on my machine. But maybe that's because I didn't use
> the same string as you did.
>
> Cheers!
>
> --
> Tom Phoenix Perl Training and Hacking Esperanto
> Randal Schwartz Case: http://www.rahul.net/jeffrey/ovs/


p5pRT commented Oct 25, 1999

From [Unknown Contact. See original ticket]

;authoritative data for test.dom
@ IN SOA test.dom. root.test.dom.
  (
  1999062100 ;Serial Number: YYYYMMDDxx
  10800 ;Refresh time
  3600 ;Retry Time
  604800 ;Time
  86400 ;Minimum TTL
  )
  IN NS test.dom.
  IN NS test.dom.
  IN MX 10 mail
  IN A 10.0.1.100
www IN A 10.0.1.100
ftp IN A 10.0.1.100
mail IN A 10.0.1.100


p5pRT commented Oct 25, 1999

From [Unknown Contact. See original ticket]

test.pl


p5pRT commented Oct 25, 1999

From [Unknown Contact. See original ticket]

On Mon, 25 Oct 1999, Kyle Sparger wrote:

> The program has to be mode 4755, owned by root.
>
> I'm consistently able to force the attached program into an infinite
> loop at line 30.
>
> Note that the program works fine when it's run by the same user it's
> setuid as, but as any other user, it breaks.

Okay, we're getting closer. Now, could you cut your test code down to the
smallest possible test case which shows the behavior? Ideally, it should
be no more than five or ten lines, and it should use no external data.

This should allow us to rule out most idiosyncrasies of your machine or
configuration.

Thanks!

--
Tom Phoenix Perl Training and Hacking Esperanto
Randal Schwartz Case: http://www.rahul.net/jeffrey/ovs/


p5pRT commented Oct 26, 1999

From [Unknown Contact. See original ticket]

Okay, well, unfortunately, I was NOT able to cut out the fact that it
needs outside input. The current program exhibiting the behavior is:

#!/usr/bin/perl -w

open(ZONE, 'test.dom');
@zone = <ZONE>;

while ($zone[0] =~ /(\d+)/g)
{
  push(@timeargs,$1);
}


test.dom contains:


1234567 2345678 3456789 4567891 5678912


A few interesting notes:

  If I explicitly declare @zone (as follows), the program
  functions as expected -- it only goes into the endless loop if I
  read in the data.

  @zone = ( '1234567 2345678 3456789 4567891 5678912' );

  It seems that the program will not lock if test.dom contains only
  data which will not match.

  If I assign $zone[0] to $line (for example), and replace the while
  test condition with the following, the program works as expected.

  while ($line =~ /(\d+)/g)

  And, to reiterate:
  1. If the program is not setuid, it runs normally,
     regardless of who runs it.
  2. If the program is suid, and is run by its owner, it
     runs normally.
  3. If the program is suid, and is run by a user that is
     not its owner, it goes into an endless loop, endlessly
     matching the first match.
  4. It works as of perl-5.004-4 (redhat's 5.0 or 5.1 RPM)
  5. It ceases to work as of perl-5.00503-2 (redhat's 6.0
     RPM)

Thanks,

Kyle Sparger
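
A diagnostic form of the reduced test case above, added here as an example and not part of the thread: it records pos() after each match and stops as soon as the position fails to advance, the symptom in point 3. It also reports whether taint checks are on, since Perl enables them automatically when the real and effective user IDs differ, which is the case in point 3 but not in point 2. The file name test.dom.sample and its one line are constructed.

```perl
#!/usr/bin/perl
# Added diagnostic, not the reporter's test.pl.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input with the same shape as the test.dom line in the report.
my $file = "test.dom.sample";    # hypothetical file name
open(my $out, '>', $file) or die "cannot write $file: $!";
print {$out} "1234567 2345678 3456789 4567891 5678912\n";
close($out);

open(my $in, '<', $file) or die "cannot read $file: $!";
my @zone = <$in>;
close($in);
unlink($file);

# Perl turns taint checks on by itself when real and effective IDs differ.
printf "ruid=%d euid=%d taint_mode=%d tainted_input=%d\n",
    $<, $>, ${^TAINT} ? 1 : 0, tainted($zone[0]) ? 1 : 0;

my @timeargs;
my $last = -1;
while ($zone[0] =~ /(\d+)/g) {
    my $pos = pos($zone[0]);
    # A healthy //g loop moves pos() forward on every successful match.
    if (!defined($pos) || $pos <= $last) {
        printf "STALL: matched '%s' again, pos=%s after %d matches\n",
            $1, defined($pos) ? $pos : 'undef', scalar(@timeargs);
        last;
    }
    $last = $pos;
    push(@timeargs, $1);
}
print "array element: @timeargs\n";

# The workaround from the report: match against a scalar copy instead.
my $line = $zone[0];
my @copy;
while ($line =~ /(\d+)/g) {
    push(@copy, $1);
    last if @copy > 100;    # hard stop so the diagnostic always terminates
}
print "scalar copy:   @copy\n";
```

On a current perl, running it as `perl -T` taints the file input without needing a setuid bit.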


p5pRT commented Oct 26, 1999

From [Unknown Contact. See original ticket]

On Tue, 26 Oct 1999, Kyle Sparger wrote:

> @zone = <ZONE>;
>
> If I explicitly declare @zone (as follows), the program
> functions as expected -- it only goes into the endless loop if I
> read in the data.
>
>     @zone = ( '1234567 2345678 3456789 4567891 5678912' );

Could it be a newline at the end of the data that makes the difference?
(It's also worth checking that there aren't other hidden control
characters in the data file.) Does this line cause the infinite loop?

  @zone = ( "1234567 2345678 3456789 4567891 5678912\n" );

> 5. It ceases to work as of perl-5.00503-2 (redhat's 6.0
> RPM)

Could that be miscompiled? If you build 5.005_03 yourself (with set-id
emulation support, of course), does it still exhibit the problem? You'll
probably have to "make install" to find out.

Meanwhile, I'll try to replicate the problem on my own Linux machine which
doesn't use that RPM.

Thanks!

--
Tom Phoenix Perl Training and Hacking Esperanto
Randal Schwartz Case: http://www.rahul.net/jeffrey/ovs/


p5pRT commented Oct 27, 1999

From [Unknown Contact. See original ticket]

> Could it be a newline at the end of the data that makes the difference?
> (It's also worth checking that there aren't other hidden control
> characters in the data file.) Does this line cause the infinite loop?

Nope, adding the newline doesn't trigger the loop.

> Could that be miscompiled? If you build 5.005_03 yourself (with set-id
> emulation support, of course), does it still exhibit the problem? You'll
> probably have to "make install" to find out.

It's possible. I don't have the time right now to go through the process
of installing perl from scratch right this instant. (I'm working off
an old pentium-class with not much RAM [and I gotta work on this
machine!]) I'll see if I can make it, though. I would doubt that it's
miscompiled, though -- you'd think that a lot of people would be
complaining and that it would affect more than just this single case.
I'll see what I can do; don't hold your breath though :(

Thanks,

Kyle Sparger

On Tue, 26 Oct 1999, Tom Phoenix wrote:

> On Tue, 26 Oct 1999, Kyle Sparger wrote:
>
> > @zone = <ZONE>;
> >
> > If I explicitly declare @zone (as follows), the program
> > functions as expected -- it only goes into the endless loop if I
> > read in the data.
> >
> >     @zone = ( '1234567 2345678 3456789 4567891 5678912' );
>
> Could it be a newline at the end of the data that makes the difference?
> (It's also worth checking that there aren't other hidden control
> characters in the data file.) Does this line cause the infinite loop?
>
>   @zone = ( "1234567 2345678 3456789 4567891 5678912\n" );
>
> > 5. It ceases to work as of perl-5.00503-2 (redhat's 6.0
> > RPM)
>
> Could that be miscompiled? If you build 5.005_03 yourself (with set-id
> emulation support, of course), does it still exhibit the problem? You'll
> probably have to "make install" to find out.
>
> Meanwhile, I'll try to replicate the problem on my own Linux machine which
> doesn't use that RPM.
>
> Thanks!
>
> --
> Tom Phoenix Perl Training and Hacking Esperanto
> Randal Schwartz Case: http://www.rahul.net/jeffrey/ovs/
