Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Locale-Maketext CPAN distribution.

Report information
The Basics
Id: 5521
Status: rejected
Priority: 0/
Queue: Locale-Maketext
People
Owner: Nobody in particular
Requestors: jesse [...] bestpractical.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Attachments
PGP.sig

History Show all quoted text
  Mon Mar 01 17:18:05 2004 jesse [...] bestpractical.com - Ticket created
From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: setgid taint error
Date: Mon, 1 Mar 2004 17:17:59 -0500
To: bug-locale-maketext [...] rt.cpan.org
Begin forwarded message: Show quoted text
> From: Alex Soares de Moura <alex@rnp.br> > Date: March 1, 2004 10:33:18 AM EST > To: rt-users@lists.fsck.com > Cc: Subject: [rt-users] [Fwd: RT] > > Hello, > > Suddenly, this morning the RT of our production server started showing > the error below accessing the RT web interface: > > ----------------------------------------------------------------------- > --------------------- > error: Insecure dependency in eval while running setgid at > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm line 247. > context: ... 243: unshift @code, "use strict; sub {\n"; > 244: push @code, "}\n"; > 245: 246: print @code if DEBUG; > 247: my $sub = eval(join '', @code); > 248: die "$@ while evalling" . join('', @code) if $@; # Should be > impossible. > 249: return $sub; > 250: } > 251: ... code stack: > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm:247 > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext.pm:196 > /opt/rt3/lib/RT/CurrentUser.pm:360 > /opt/rt3/lib/RT/Interface/Web.pm:215 > /opt/rt3/share/html/Elements/Login:44 > /opt/rt3/share/html/autohandler:195 > raw error > <http://200.17.63.80/rt/ > #raw>------------------------------------------------------------------ > -------------------------- > Environment: > FreeBSD 4.9-STABLE, rt-3.0.8, rtir-1-0-2, mysql-server-4.0.17, > p5-DBIx-SearchBuilder-0.96, p5-FastCGI-0.67. > ----------------------------------------------------------------------- > --------------------- > > The only reference I've found in the list archive was this: > http://marc.free.net.ph/message/20040109.110507.a020d925.html > > but the followup isn't a solution for us. To change the fastcgi to > mod_perl would be a undesirable change in the environment that's been > working well and stable for a couple of months. > > I'm even afraid of restarting the apache and/or the mysql servers > once some of the users that logged in early in the morning are > accessing without problems (me included). Only the users that are > trying to log in since an hour ago are having this error message > displayed. > ------- > > Last min. update: the problem misteriously disappeared while I was > writing this email. Go figure... > > Alex > _______________________________________________ > rt-users mailing list > rt-users@lists.bestpractical.com > http://lists.bestpractical.com/mailman/listinfo/rt-users > > Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm >
Download PGP.sig
application/pgp-signature 186b

Message body not shown because it is not plain text.

  Tue Mar 02 00:06:16 2004 sburke [...] cpan.org - Correspondence added
Man alive, this is a strange error. Altho Locele::Maketext::Guts::_compile is a big scare routine that defies merely glancing at, it sure looks to me like every single bit of data that it ends up evalling starts out either as a Perl string literal, or as a $1 gotten from the regexp that starts in the line "while($_[1] =~ # Iterate over chunks." Either way, I don't see how the data could be tainted, and I don't know what should be done. Can anyone give me an example of _compile input and/or @code contents that cause this error?
  Tue Mar 02 00:13:51 2004 sburke [...] cpan.org - Correspondence added
Hm, maybe changing the my $sub = eval(join '', @code); line to my $sub = eval { eval(join '', @code) || die $@ }; would at least allow a clearer error message (I think). Anyone want to try this and let me know what they see?
  Tue Mar 02 00:21:40 2004 jesse [...] bestpractical.com - Correspondence added
CC: bug-Locale-Maketext [...] rt.cpan.org
From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: [cpan #5521] setgid taint error in Locale-Maketext
Date: Tue, 2 Mar 2004 00:21:20 -0500
To: RT Developers Mailing List <rt-devel [...] lists.fsck.com>
RT-Send-Cc:
Can anyone try sean's recommendation and get a more solid error report? Begin forwarded message: Show quoted text
> From: " via RT" <comment-Locale-Maketext@rt.cpan.org> > Date: March 2, 2004 12:13:51 AM EST > To: jesse@bestpractical.com > Subject: [cpan #5521] setgid taint error > Reply-To: comment-Locale-Maketext@rt.cpan.org > > Full context and any attached attachments can be found at: > <URL: http://rt.cpan.org/NoAuth/Bug.html?id=5521 > > > Hm, maybe changing the my $sub = eval(join '', @code); line to > my $sub = eval { eval(join '', @code) || die $@ }; > would at least allow a clearer error message (I think). Anyone want to > try this and let me know what they see? >
  Mon Mar 22 10:14:39 2004 m-liebman [...] northwestern.edu - Correspondence added
Date: Mon, 22 Mar 2004 10:14:14 -0500
From: "Michael S. Liebman" <m-liebman [...] northwestern.edu>
To: Jesse Vincent <jesse [...] bestpractical.com>
CC: RT Developers Mailing List <rt-devel [...] lists.fsck.com>, bug-Locale-Maketext [...] rt.cpan.org
Subject: Re: [rt-devel] [cpan #5521] setgid taint error in Locale-Maketext
RT-Send-Cc:
On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote: Show quoted text
> Can anyone try sean's recommendation and get a more solid error > report?
Finally had the problem recur after I made the change. Here is the error I'm receiving now. System error error: Insecure dependency in eval while running setgid at /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247. Stack: [/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247] [/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195] [/opt/rt3/lib/RT/CurrentUser.pm:360] [/opt/rt3/lib/RT/Interface/Web.pm:217] [/opt/rt3/local/html/Ticket/Update.html:149] [/opt/rt3/share/html/autohandler:195] while evallinguse strict; sub { join '', 'Update ticket #', ($_[1], ), ' (', ($_[2], ), ')', } context: ... 244: push @code, "}\n"; 245: 246: print @code if DEBUG; 247: my $sub = eval { eval(join '', @code) || die $@ }; 248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible. 249: return $sub; 250: } 251: 252: # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ... code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248 /usr/lib/perl5/5.8.3/Locale/Maketext.pm:195 /opt/rt3/lib/RT/CurrentUser.pm:360 /opt/rt3/lib/RT/Interface/Web.pm:217 /opt/rt3/local/html/Ticket/Update.html:149 /opt/rt3/share/html/autohandler:195 Michael -- Michael S. Liebman m-liebman@northwestern.edu http://msl521.freeshell.org/ "I have vision and the rest of the world wears bifocals." -Paul Newman in "Butch Cassidy & the Sundance Kid"
  Tue Apr 06 11:08:33 2004 Guest - Correspondence added
From: graeme [...] raspberry.co.za
Hi all, The line --snip-snip-- my $sub = eval(join '', @code); --snip-snip-- is highlited in my error page, suggesting the "eval" is not allowed when PERL is running setgid. I reckon that's going to be difficult to change, so maybe Locale::Maketext can be changed so as not to use the "eval" function instead? Thanks, Graeme [m-liebman@northwestern.edu - Mon Mar 22 10:14:39 2004]: Show quoted text
> On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote:
> > Can anyone try sean's recommendation and get a more solid error > > report?
> > Finally had the problem recur after I made the change. Here is the > error I'm receiving now. > > System error > error: Insecure dependency in eval while running setgid at > /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247. > > Stack: > [/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247] > [/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195] > [/opt/rt3/lib/RT/CurrentUser.pm:360] > [/opt/rt3/lib/RT/Interface/Web.pm:217] > [/opt/rt3/local/html/Ticket/Update.html:149] > [/opt/rt3/share/html/autohandler:195] > while evallinguse strict; sub { > join '', > 'Update ticket #', > ($_[1], ), > ' (', > ($_[2], ), > ')', > } > context: > ... > 244: push @code, "}\n"; > 245: > 246: print @code if DEBUG; > 247: my $sub = eval { eval(join '', @code) || die $@ }; > 248: die "$@ while evalling" . join('', @code) if $@; #
Should be Show quoted text
> impossible. > 249: return $sub; > 250: } > 251: > 252: # - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - Show quoted text
> - - - - - - > ... > code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248 > /usr/lib/perl5/5.8.3/Locale/Maketext.pm:195 > /opt/rt3/lib/RT/CurrentUser.pm:360 > /opt/rt3/lib/RT/Interface/Web.pm:217 > /opt/rt3/local/html/Ticket/Update.html:149 > /opt/rt3/share/html/autohandler:195 > > Michael
  Thu Oct 07 08:28:33 2010 TODDR [...] cpan.org - Status changed from 'new' to 'stalled'
  Sun Jan 15 00:07:07 2012 TODDR [...] cpan.org - Correspondence added
RT-Send-CC: graeme [...] raspberry.co.za, m-liebman [...] northwestern.edu, rt-devel [...] lists.fsck.com
I'm closing this ticket since Locale::MT is maintained in blead by perl5-porters. If you disagree with this, please re-open the ticket again. Thanks.
  Sun Jan 15 00:07:08 2012 The RT System itself - Status changed from 'stalled' to 'open'
  Sun Jan 15 00:07:08 2012 TODDR [...] cpan.org - Status changed from 'open' to 'rejected'
  Sun Jan 15 00:07:11 2012 rt-devel-owner [...] lists.bestpractical.com - Correspondence added
Subject: [rt.cpan.org #5521] setgid taint error
Date: Sun, 15 Jan 2012 00:07:10 -0500
To: bug-locale-maketext [...] rt.cpan.org
From: rt-devel-owner [...] lists.bestpractical.com
You are not allowed to post to this mailing list, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at rt-devel-owner@lists.bestpractical.com.
CC: graeme [...] raspberry.co.za, m-liebman [...] northwestern.edu, rt-devel [...] lists.fsck.com
Subject: [rt.cpan.org #5521] setgid taint error
Date: Sun, 15 Jan 2012 00:07:07 -0500
From: "Todd Rinaldo via RT" <bug-Locale-Maketext [...] rt.cpan.org>
<URL: https://rt.cpan.org/Ticket/Display.html?id=5521 > I'm closing this ticket since Locale::MT is maintained in blead by perl5-porters. If you disagree with this, please re-open the ticket again. Thanks.
  Sun Jan 15 00:07:12 2012 The RT System itself - Status changed from 'rejected' to 'open'
  Sun Jan 15 00:07:49 2012 TODDR [...] cpan.org - Status changed from 'open' to 'rejected'