mysterious place for an insecure dependency error #14059

p5pRT · 2014-08-31T18:35:47Z

Migrated from rt.perl.org#122669 (status was 'resolved')

Searchable as RT122669$

p5pRT · 2014-08-31T18:35:47Z

From @rcaputo

Created by @rcaputo

I have a Perl one-liner that fails for "Insecure dependency in
require" at an odd place.

It mystified Matt Trout on freenode #perl, and everyone on
rhizomatic/magnet #p5p was out when I asked.

TUNING_KNOB=0 perl -T -wle 'use warnings;
use strict;
use constant KNOB => $ENV{TUNING_KNOB};
BEGIN { print 1 }
use strict;
BEGIN { print 2 }
use strict;
BEGIN { print 3 }
1 if KNOB;
BEGIN { print 4 }
use strict;
print "OK"'

The odd place is after "4" is printed and before "OK". It's as if
invoking the constant taints @INC somehow.

Setting TUNING_KNOB=1 also invokes the insecure dependency.

Omitting TUNING_KNOB entirely, eliminates the error. It may be a case
where taintedness is seeping in from %ENV to somewhere it oughtn't.
Or that tainting runs deeper than my understanding.

Perl Info


Flags:
    category=core
    severity=medium

Site configuration information for perl 5.16.2:

Configured by _mdnsresponder at Sun Aug 25 01:10:27 PDT 2013.

Summary of my perl5 (revision 5 version 16 subversion 2) configuration:

  Platform:
    osname=darwin, osvers=13.0, archname=darwin-thread-multi-2level
    uname='darwin jackson.apple.com 13.0 darwin kernel version 13.0.0: tue jul 30 20:52:22 pdt 2013; root:xnu-2422.1.53~3release_x86_64 x86_64 '
    config_args='-ds -e -Dprefix=/usr -Dccflags=-g  -pipe  -Dldflags= -Dman3ext=3pm -Duseithreads -Duseshrplib -Dinc_version_list=none -Dcc=cc'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-arch x86_64 -arch i386 -g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector -I/usr/local/include',
    optimize='-Os',
    cppflags='-g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible Apple LLVM 5.0 (clang-500.0.68)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc -mmacosx-version-min=10.9', ldflags ='-arch x86_64 -arch i386 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib
    libs=
    perllibs=
    libc=, so=dylib, useshrplib=true, libperl=libperl.dylib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-arch x86_64 -arch i386 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

Locally applied patches:
    /Library/Perl/Updates/<version> comes before system perl directories
    installprivlib and installarchlib points to the Updates directory
    CVE-2013-1667 hashtable DOS fix


@INC for perl 5.16.2:
    /Users/troc/projects/poe/poe/lib
    /Users/troc/projects/poco-client-keepalive/lib
    /Users/troc/projects/poco-client-dns/lib
    /Users/troc/projects/poco-resolver/lib
    /Users/troc/projects/poco-client-ping/lib
    /Users/troc/projects/poco-client-http/lib
    /Users/troc/projects/repo-tools/lib
    /Users/troc/projects/lex-per/lib
    /Users/troc/projects/poe/poe-test-loops/lib
    /Users/troc/projects/poe/poe-loop-event/lib
    /Users/troc/projects/poe/poe-loop-gtk/lib
    /Users/troc/projects/poe/poe-loop-tk/lib
    /Users/troc/projects/dzp-changelogfromgit/lib
    /Users/troc/projects/dzp-creditsfromgit/lib
    /Users/troc/projects/git/SVN-Dump/lib
    /Users/troc/projects/reflex/lib
    /Users/troc/projects/pod-plexus/pod-plexus/lib
    /Users/troc/projects/pod-plexus/dist-zilla-plugin-podplexus/lib
    /Users/troc/projects/pod-plexus/pod-weaver-plugin-podplexus/lib
    /Users/troc/projects/app-pipefilter/lib
    /Users/troc/projects/io-pipely/lib
    /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/lib
    /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/arch
    /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/lib
    /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/arch
    /Users/troc/Work/plixer/scrutinizer/trunk/lib
    /Users/troc/Work/plixer/scrutinizer/trunk
    /Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/lib
    /Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/arch
    /Users/troc/Work/plixer/externals/trunk/FDI/lib
    /Users/troc/Work/plixer/keygen/trunk/lib
    /Users/troc/Work/plixer/personal/lib
    /usr/local/lib/perl5
    /Library/Perl/5.16/darwin-thread-multi-2level
    /Library/Perl/5.16
    /usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16/darwin-thread-multi-2level
    /usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16
    /Library/Perl/5.16/darwin-thread-multi-2level
    /Library/Perl/5.16
    /Network/Library/Perl/5.16/darwin-thread-multi-2level
    /Network/Library/Perl/5.16
    /Library/Perl/Updates/5.16.2/darwin-thread-multi-2level
    /Library/Perl/Updates/5.16.2
    /System/Library/Perl/5.16/darwin-thread-multi-2level
    /System/Library/Perl/5.16
    /System/Library/Perl/Extras/5.16/darwin-thread-multi-2level
    /System/Library/Perl/Extras/5.16
    .


Environment for perl 5.16.2:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/troc
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/troc/bin:/usr/local/bin:/usr/local/sbin:/home/troc/projects/poe/poe-test-loops/bin:/home/troc/projects/app-pipefilter/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin:/usr/texbin:/home/troc/Work/plixer/personal/bin
    PERL5LIB=/Users/troc/projects/poe/poe/lib:/Users/troc/projects/poco-client-keepalive/lib:/Users/troc/projects/poco-client-dns/lib:/Users/troc/projects/poco-resolver/lib:/Users/troc/projects/poco-client-ping/lib:/Users/troc/projects/poco-client-http/lib:/Users/troc/projects/repo-tools/lib:/Users/troc/projects/lex-per/lib:/Users/troc/projects/poe/poe-test-loops/lib:/Users/troc/projects/poe/poe-loop-event/lib:/Users/troc/projects/poe/poe-loop-gtk/lib:/Users/troc/projects/poe/poe-loop-tk/lib:/Users/troc/projects/dzp-changelogfromgit/lib:/Users/troc/projects/dzp-creditsfromgit/lib:/Users/troc/projects/git/SVN-Dump/lib:/Users/troc/projects/reflex/lib:/Users/troc/projects/pod-plexus/pod-plexus/lib:/Users/troc/projects/pod-plexus/dist-zilla-plugin-podplexus/lib:/Users/troc/projects/pod-plexus/pod-weaver-plugin-podplexus/lib:/Users/troc/projects/app-pipefilter/lib:/Users/troc/projects/io-pipely/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/arch:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/arch:/Users/troc/Work/plixer/scrutinizer/trunk/lib:/Users/troc/Work/plixer/scrutinizer/trunk:/Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/arch:/Users/troc/Work/plixer/externals/trunk/FDI/lib:/Users/troc/Work/plixer/keygen/trunk/lib:/Users/troc/Work/plixer/personal/lib:/usr/local/lib/perl5:/Library/Perl/5.16:/usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16:
    PERL_BADLANG (unset)
    SHELL=/bin/zsh

p5pRT · 2014-08-31T20:33:38Z

From @cpansprout

On Sun Aug 31 11:35:47 2014, rcaputo2 wrote:

This is a bug report for perl from rcaputo@cpan.org,
generated with the help of perlbug 1.39 running under perl 5.16.2.

-----------------------------------------------------------------
[Please describe your issue here]

I have a Perl one-liner that fails for "Insecure dependency in
require" at an odd place.

It mystified Matt Trout on freenode #perl, and everyone on
rhizomatic/magnet #p5p was out when I asked.

That’s not mystifying at all. :-)

Taintedness is reset at the start of execution of each statement. So if we are not executing any statements, the taintedness that results when the compiler reads KNOB to fold the ‘if KNOB’ expression extends much further than it should, causing ‘use’ to fail.

I don’t know why the BEGIN{ print 4 } doesn’t clean it, but I imagine it’s saving and restoring state, including taintedness.

I might have it fixed today.

--

Father Chrysostomos

p5pRT · 2014-08-31T20:33:39Z

The RT System itself - Status changed from 'new' to 'open'

p5pRT · 2014-08-31T20:58:07Z

From @cpansprout

On Sun Aug 31 13:33:38 2014, sprout wrote:

On Sun Aug 31 11:35:47 2014, rcaputo2 wrote:

This is a bug report for perl from rcaputo@cpan.org,
generated with the help of perlbug 1.39 running under perl 5.16.2.

-----------------------------------------------------------------
[Please describe your issue here]

I have a Perl one-liner that fails for "Insecure dependency in
require" at an odd place.

It mystified Matt Trout on freenode #perl, and everyone on
rhizomatic/magnet #p5p was out when I asked.

That’s not mystifying at all. :-)

Taintedness is reset at the start of execution of each statement. So
if we are not executing any statements, the taintedness that results
when the compiler reads KNOB to fold the ‘if KNOB’ expression extends
much further than it should, causing ‘use’ to fail.

I don’t know why the BEGIN{ print 4 } doesn’t clean it, but I imagine
it’s saving and restoring state, including taintedness.

No, actually ‘use’ *does* execute a nextstate op. It’s just that the scalar containing ‘strict.pm’ is *created* when taintedness is still in the air.

--

Father Chrysostomos

p5pRT · 2014-08-31T21:46:14Z

From @cpansprout

Fixed in 64ff300.

--

Father Chrysostomos

p5pRT · 2014-08-31T21:46:15Z

@cpansprout - Status changed from 'open' to 'pending release'

p5pRT · 2014-12-07T01:42:42Z

From @cpansprout

On Sun Aug 31 14:46:14 2014, sprout wrote:

Fixed in 64ff300.

I’ve just noticed that a fix for the test added by 64ff300 is listed in Porting/cherry-pick-votes-maint-5.20.xml on the maint-5.20-votes branch:

But the commit that added the test is not.

This is, however, a regression from an earlier version of perl (5.8.8), so 64ff300 could be a candidate for 5.20.2. And it’s a pretty annoying and baffling bug, too.

--

Father Chrysostomos

p5pRT · 2014-12-07T01:42:42Z

From [Unknown Contact. See original ticket]

On Sun Aug 31 14:46:14 2014, sprout wrote:

Fixed in 64ff300.

I’ve just noticed that a fix for the test added by 64ff300 is listed in Porting/cherry-pick-votes-maint-5.20.xml on the maint-5.20-votes branch:

But the commit that added the test is not.

This is, however, a regression from an earlier version of perl (5.8.8), so 64ff300 could be a candidate for 5.20.2. And it’s a pretty annoying and baffling bug, too.

--

Father Chrysostomos

p5pRT · 2014-12-08T13:24:13Z

From @steve-m-hay

On Sat Dec 06 17:42:42 2014, sprout wrote:

On Sun Aug 31 14:46:14 2014, sprout wrote:

Fixed in 64ff300.

I’ve just noticed that a fix for the test added by 64ff300 is
listed in Porting/cherry-pick-votes-maint-5.20.xml on the maint-5.20-
votes branch:

<commit votes="steveh" id="eaff586aa6444fb20654ed863b7ff35e136737e8"
ticket="" desc="Fix t/op/taint.t on Windows"/>

But the commit that added the test is not.

This is, however, a regression from an earlier version of perl
(5.8.8), so 64ff300 could be a candidate for 5.20.2. And it’s a
pretty annoying and baffling bug, too.

Thanks, I've added 64ff300 to the list of proposed commits.

p5pRT · 2015-02-18T17:44:36Z

From Mark.Martinec@ijs.si

Created by Mark.Martinec@ijs.si

The following program:

use strict;
use re 'taint';
$ENV{PATH} =~ /^(.)(.)(.)/;
eval 'qr/\p{IsXDigit}/; printf("OK\n")'
or die "Eval failed: $@\n";

yields:
Eval failed: Insecure dependency in printf
while running with -T switch at (eval 1) line 1.

This is possibly related to [perl #122669],
as it seems to be fixed with perl 5.20.2
(but fails on 5.20.1).

Regardless, seems prudent to localize $1, $2 and $3
in utf8::SWASHNEW so that it does not depend on
whether these global variables are tainted or not.

Perl Info


Flags:
    category=core
    severity=medium

Site configuration information for perl 5.20.1:

Configured by root at Wed Dec 17 20:24:38 UTC 2014.

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
   
  Platform:
    osname=freebsd, osvers=10.0-release, archname=amd64-freebsd-thread-multi
    uname='freebsd 10amd64-ws-default-job-01 10.0-release freebsd 10.0-release amd64 '
    config_args='-sde -Dprefix=/usr/local -Dlibperl=libperl.so.5.20.1 -Darchlib=/usr/local/lib/perl5/5.20/mach -Dprivlib=/usr/local/lib/perl5/5.20 -Dman3dir=/usr/local/lib/perl5/5.20/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/mach/5.20 -Dsitelib=/usr/local/lib/perl5/site_perl -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/site_perl/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dotherlibdirs=/usr/local/lib/perl5/site_perl/5.20:/usr/local/lib/perl5/site_perl/5.20/mach -Doptimize=-g -DDEBUGGING -Ui_gdbm -Dusemultiplicity=n -Duse64bitint -Dusethreads=y -Dusemymalloc=n'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-g',
    cppflags='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible FreeBSD Clang 3.3 (tags/RELEASE_33/final 183502)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-pthread -Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib /usr/include/clang/3.3 /usr/lib
    libs=-lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true, libperl=libperl.so.5.20.1
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.20/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared -L/wrkdirs/usr/ports/lang/perl5.20/work/perl-5.20.1 -L/usr/local/lib/perl5/5.20/mach/CORE -Wl,-rpath=/usr/local/lib/perl5/5.20/mach/CORE -lperl  -L/usr/local/lib -fstack-protector'



@INC for perl 5.20.1:
    /usr/local/lib/perl5/site_perl/mach/5.20
    /usr/local/lib/perl5/site_perl
    /usr/local/lib/perl5/5.20/mach
    /usr/local/lib/perl5/5.20
    /usr/local/lib/perl5/site_perl/5.20
    /usr/local/lib/perl5/site_perl/5.20/mach
    .


Environment for perl 5.20.1:
    HOME=/home/mark
    LANG (unset)
    LANGUAGE=
    LC_ALL=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/kde4/bin/:/usr/X11R6/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

p5pRT · 2015-06-02T03:41:25Z

From @khwilliamson

Thanks for submitting this ticket

The issue should be resolved with the release today of Perl v5.22. If you find that the problem persists, feel free to reopen this ticket

--
Karl Williamson for the Perl 5 porters team

p5pRT · 2015-06-02T03:41:26Z

@khwilliamson - Status changed from 'pending release' to 'resolved'

p5pRT closed this as completed Jun 2, 2015

p5pRT added Severity Medium distro-darwin type-core labels Oct 19, 2019

jkeenan mentioned this issue Oct 16, 2020

220 taint atoomic/perl#313

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mysterious place for an insecure dependency error #14059

mysterious place for an insecure dependency error #14059

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

p5pRT commented Dec 7, 2014

p5pRT commented Dec 7, 2014

p5pRT commented Dec 8, 2014

p5pRT commented Feb 18, 2015

p5pRT commented Jun 2, 2015

p5pRT commented Jun 2, 2015

mysterious place for an insecure dependency error #14059

mysterious place for an insecure dependency error #14059

Comments

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

From @rcaputo

Created by @rcaputo

p5pRT commented Aug 31, 2014

From @cpansprout

p5pRT commented Aug 31, 2014

p5pRT commented Aug 31, 2014

From @cpansprout

p5pRT commented Aug 31, 2014

From @cpansprout

p5pRT commented Aug 31, 2014

p5pRT commented Dec 7, 2014

From @cpansprout

p5pRT commented Dec 7, 2014

From [Unknown Contact. See original ticket]

p5pRT commented Dec 8, 2014

From @steve-m-hay

p5pRT commented Feb 18, 2015

From Mark.Martinec@ijs.si

Created by Mark.Martinec@ijs.si

p5pRT commented Jun 2, 2015

From @khwilliamson

p5pRT commented Jun 2, 2015