Bug #114819 for Net-DNS: Net::DNS Fails to compile with taint checks enabled

Sun May 29 20:47:40 2016 mbradshaw [...] cpan.org - Ticket created

Subject:

Net::DNS Fails to compile with taint checks enabled

$ perl -MNet::DNS -T Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. Compilation failed in require at (eval 15) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/UNIX.pm line 18. Compilation failed in require at (eval 14) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver.pm line 22. Compilation failed in require at /usr/local/share/perl/5.18.2/Net/DNS.pm line 51. Compilation failed in require. BEGIN failed--compilation aborted. Seems to happen with perl 5.20 and below

Sun May 29 20:58:37 2016 mbradshaw [...] cpan.org - Correspondence added

Issue presents with Net::DNS 1.06, but is not present in 1.05 $ cpanm Net::DNS@1.05 --> Working on Net::DNS Fetching http://www.cpan.org/authors/id/N/NL/NLNETLABS/Net-DNS-1.05.tar.gz ... OK Configuring Net-DNS-1.05 ... OK Building and testing Net-DNS-1.05 ... OK Successfully installed Net-DNS-1.05 (downgraded from 1.06) 1 distribution installed ~$ perl -T -MNet::DNS ^C $

Mon May 30 13:41:08 2016 rwfranks [...] acm.org - Correspondence added

From:

rwfranks [...] acm.org

On Sun May 29 20:58:37 2016, MBRADSHAW wrote: Show quoted text

> Issue presents with Net::DNS 1.06, but is not present in 1.05 > > $ cpanm Net::DNS@1.05 > --> Working on Net::DNS > Fetching http://www.cpan.org/authors/id/N/NL/NLNETLABS/Net-DNS- > 1.05.tar.gz ... OK > Configuring Net-DNS-1.05 ... OK > Building and testing Net-DNS-1.05 ... OK > Successfully installed Net-DNS-1.05 (downgraded from 1.06) > 1 distribution installed > ~$ perl -T -MNet::DNS > ^C > $

Your one-liner got nowhere because it attempting to compile a script from STDIN. ^D would have put it out of its misery. The problem is not repeatable using this script: #!/usr/bin/perl -T use strict; use Net::DNS; my $resolver = new Net::DNS::Resolver(); $resolver->print; If this fails for you, we will need to know what config file you are using or if RES_NAMESERVERS environment variable is set.

Mon May 30 13:41:10 2016 The RT System itself - Status changed from 'new' to 'open'

Mon May 30 19:12:26 2016 mbradshaw [...] cpan.org - Correspondence added

Indeed, the one liner shows that 1.05 is working, see the entry above for the failure with 1.06. (Copied here) $ perl -MNet::DNS -T Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. Compilation failed in require at (eval 15) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/UNIX.pm line 18. Compilation failed in require at (eval 14) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver.pm line 22. Compilation failed in require at /usr/local/share/perl/5.18.2/Net/DNS.pm line 51. Compilation failed in require. BEGIN failed--compilation aborted. Seems to happen with perl 5.20 and below I have not set a config file, nor is that environment variable set. Output of the supplied script when using Net::DNS 1.06 follows showing the error. $ ./test.pl Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/Base.pm line 570. Compilation failed in require at (eval 15) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver/UNIX.pm line 18. Compilation failed in require at (eval 14) line 2. ...propagated at /usr/share/perl/5.18/base.pm line 83. BEGIN failed--compilation aborted at /usr/local/share/perl/5.18.2/Net/DNS/Resolver.pm line 22. Compilation failed in require at /usr/local/share/perl/5.18.2/Net/DNS.pm line 51. Compilation failed in require at ./test.pl line 4. BEGIN failed--compilation aborted at ./test.pl line 4. For reference, the output of the script while running with Net::DNS 1.05 follows ;; RESOLVER state: ;; domain = mel ;; searchlist = mel ;; nameservers = 127.0.1.1 ;; defnames = 1 dnsrch = 1 ;; retrans = 5 retry = 4 ;; recurse = 1 igntc = 0 ;; usevc = 0 port = 53 ;; tcp_timeout = 120 persistent_tcp = 0 ;; udp_timeout = 30 persistent_udp = 0 ;; prefer_v4 = 1 force_v4 = 0 ;; debug = 0 force_v6 = 0 On Mon May 30 13:41:08 2016, rwfranks@acm.org wrote: Show quoted text

> On Sun May 29 20:58:37 2016, MBRADSHAW wrote:

> > Issue presents with Net::DNS 1.06, but is not present in 1.05 > > > > $ cpanm Net::DNS@1.05 > > --> Working on Net::DNS > > Fetching http://www.cpan.org/authors/id/N/NL/NLNETLABS/Net-DNS- > > 1.05.tar.gz ... OK > > Configuring Net-DNS-1.05 ... OK > > Building and testing Net-DNS-1.05 ... OK > > Successfully installed Net-DNS-1.05 (downgraded from 1.06) > > 1 distribution installed > > ~$ perl -T -MNet::DNS > > ^C > > $

> > Your one-liner got nowhere because it attempting to compile a script > from STDIN. ^D would have put it out of its misery. > > > The problem is not repeatable using this script: > > #!/usr/bin/perl -T > > use strict; > use Net::DNS; > > my $resolver = new Net::DNS::Resolver(); > $resolver->print; > > > If this fails for you, we will need to know what config file you are > using or if RES_NAMESERVERS environment variable is set.

Tue May 31 08:30:40 2016 rwfranks [...] acm.org - Correspondence added

From:

rwfranks [...] acm.org

I apologise for missing the bit about this happening only on 5.20 and earlier. Using 5.18.4, which is as close as I can conveniently get to your scenario, the optimiser gets its knickers in a knot. The following patch offers immediate relief. This works for 5.18.4 but portability issues remain. --- /home/rwf/svn/net-dns/lib/Net/DNS/Resolver/Base.pm 2016-05-22 08:50:39.181901000 +0100 +++ ./Base.pm 2016-05-31 10:12:29.214324682 +0100 @@ -52,8 +52,7 @@ use constant SOCKS => scalar eval 'require Config; $Config::Config{usesocks}'; -use constant UTIL => defined eval 'require Scalar::Util'; -use constant TAINT => UTIL && scalar eval 'Scalar::Util::tainted( $ENV{PATH} )'; +use constant TAINT => scalar eval 'require Scalar::Util; ${^TAINT}'; sub _untaint { map { m/^(.*)$/; $1 } grep defined, @_;

Tue May 31 20:52:52 2016 mbradshaw [...] cpan.org - Correspondence added

Thanks. On Tue May 31 08:30:40 2016, rwfranks@acm.org wrote: Show quoted text

> I apologise for missing the bit about this happening only on 5.20 and > earlier. > > Using 5.18.4, which is as close as I can conveniently get to your > scenario, the optimiser gets its knickers in a knot. > > The following patch offers immediate relief. This works for 5.18.4 but > portability issues remain. > > > --- /home/rwf/svn/net-dns/lib/Net/DNS/Resolver/Base.pm 2016-05-22 > 08:50:39.181901000 +0100 > +++ ./Base.pm 2016-05-31 10:12:29.214324682 +0100 > @@ -52,8 +52,7 @@ > use constant SOCKS => scalar eval 'require Config; > $Config::Config{usesocks}'; > > > -use constant UTIL => defined eval 'require Scalar::Util'; > -use constant TAINT => UTIL && scalar eval 'Scalar::Util::tainted( > $ENV{PATH} )'; > +use constant TAINT => scalar eval 'require Scalar::Util; ${^TAINT}'; > > sub _untaint { > map { m/^(.*)$/; $1 } grep defined, @_;

Tue Jun 07 05:09:41 2016 NLNETLABS [...] cpan.org - Correspondence added

This is fixed in the upcoming 1.07 release of Net::DNS

Tue Jun 07 05:09:42 2016 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'

Mon Jun 20 10:39:20 2016 anothermail2006 [...] gmx.de - Ticket #115482: Ticket created

Subject:	Insecure dependency in require while running with -T switch at /usr/local/share/perl5/Net/DNS/Resolver/Base.pm
Date:	Mon, 20 Jun 2016 16:39:06 +0200
To:	bug-Net-DNS [...] rt.cpan.org
From:	Daniel <anothermail2006 [...] gmx.de>

Dear Sir or Madame, I experience a bug with Net::DNS after updating to the newest version (1.06). My software worked fine before that. Using the module with -T switch resulsts in the following warning: "Insecure dependency in require while running with -T switch at /usr/local/share/perl5/Net/DNS/Resolver/Base.pm" A code example to reproduce this is simple: #!/usr/bin/perl -Tw use Net::DNS; print "hallo\n"; The result is the same for a Ubuntu 14.04 machine, and also for a freshly installed centOS7. All I did on the latter is install cpan (using yum) and install Net::DNS using CPAN. I would highly appreciate your help. Information needed (for the centOS machine) perl -V output: Summary of my perl5 (revision 5 version 16 subversion 3) configuration: Platform: osname=linux, osvers=2.6.32-220.17.1.el6.x86_64, archname=x86_64-linux-thread-multi uname='linux worker1.bsys.centos.org 2.6.32-220.17.1.el6.x86_64 #1 smp wed may 16 00:01:37 bst 2012 x86_64 x86_64 x86_64 gnulinux ' config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic', cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-4)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='gcc', ldflags =' -fstack-protector' libpth=/usr/local/lib64 /lib64 /usr/lib64 libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=, so=so, useshrplib=true, libperl=libperl.so gnulibc_version='2.17' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE' cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro ' Characteristics of this binary (from libperl): Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF USE_REENTRANT_API USE_SITECUSTOMIZE Locally applied patches: Fedora Patch1: Removes date check, Fedora/RHEL specific Fedora Patch3: support for libdir64 Fedora Patch4: use libresolv instead of libbind Fedora Patch5: USE_MM_LD_RUN_PATH Fedora Patch6: Skip hostname tests, due to builders not being network capable Fedora Patch7: Dont run one io test due to random builder failures Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054) Fedora Patch10: Fix broken atof (RT#109318) Fedora Patch13: Clear $@ before "do" I/O error (RT#113730) Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980) Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530) Fedora Patch16: Do not leak with attribute on my variable (RT#114764) Fedora Patch17: Allow operator after numeric keyword argument (RT#105924) Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984) Fedora Patch19: Do not crash when vivifying $| Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329) Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396) Fedora Patch22: Fix leaking tied hashes (RT#107000) [1] Fedora Patch23: Fix leaking tied hashes (RT#107000) [2] Fedora Patch24: Fix leaking tied hashes (RT#107000) [3] Fedora Patch25: Fix dead lock in PerlIO after fork from thread (RT#106212) Fedora Patch26: Make regexp safe in a signal handler (RT#114878) Fedora Patch27: Update h2ph(1) documentation (RT#117647) Fedora Patch28: Update pod2html(1) documentation (RT#117623) Fedora Patch29: Document Math::BigInt::CalcEmu requires Math::BigInt (CPAN RT#85015) RHEL Patch30: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591) RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912) RHEL Patch32: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338) RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test Built under linux Compiled at Nov 20 2015 03:29:53 @INC: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . Output uname -a: Linux *machineNameRemoved* 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Distribution name and version: LSB Version: :core-4.1-amd64:core-4.1-noarch Linux version 3.10.0-327.10.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Feb 16 17:03:50 UTC 2016 CentOS Linux release 7.2.1511 (Core) NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" CentOS Linux release 7.2.1511 (Core) CentOS Linux release 7.2.1511 (Core) Thanks a lot in advance! With kind regards, Daniel

Tue Jun 21 11:51:22 2016 rwfranks [...] acm.org - Ticket #115482: Correspondence added

From:

rwfranks [...] acm.org

On Mon Jun 20 10:39:20 2016, anothermail2006@gmx.de wrote: Show quoted text

> I experience a bug with Net::DNS after updating to the newest version > (1.06). My software worked fine before that.

Daniel, The 1.06 code tickles a compiler problem which I confess not to fully understand. This is the same issue as RT#114819, which is fixed on trunk but not yet in a dev release. The RT contains a patch to work around the problem. Perhaps that RT should have been left open. Thanks for the report, and sorry for the inconvenience. Dick

Tue Jun 21 11:51:23 2016 The RT System itself - Ticket #115482: Status changed from 'new' to 'open'

Mon Aug 22 04:12:08 2016 NLNETLABS [...] cpan.org - Ticket #115482: Merged into ticket #114819

Mon Aug 22 04:12:08 2016 NLNETLABS [...] cpan.org - Merged into ticket #114819

Mon Aug 22 04:12:28 2016 NLNETLABS [...] cpan.org - Status changed from 'resolved' to 'open'

Mon Aug 22 04:14:43 2016 NLNETLABS [...] cpan.org - Correspondence added

On Tue Jun 21 11:51:22 2016, rwfranks@acm.org wrote: Show quoted text

> Perhaps that RT should have been left open.

I merged this into 114819 (reopened) to expose the patch. Show quoted text

> > Thanks for the report, and sorry for the inconvenience. > > Dick > > > >

Sun Sep 25 07:07:33 2016 cpan.org [...] salvisberg.com - Correspondence added

Subject:	Net::DNS Fails to compile with taint checks enabled (FIXED!)
From:	cpan.org [...] salvisberg.com

I had this problem on Ubuntu 14.04 with Perl 5.18.2 when trying to run qpsmtpd, and this patch has solved it. Thanks!

Fri Dec 30 04:35:17 2016 NLNETLABS [...] cpan.org - Correspondence added

Fixed in 1.07

Fri Dec 30 04:35:19 2016 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'