Perl library Dpkg::Index no longer usable with Perl taint mode enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dpkg (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The Perl library Dpkg::Index used to be usable with taint mode (-T) enabled.
Specifically, it worked when using package 1.18.4ubuntu1 of libdpkg-perl in Ubuntu 16.04. This has since regressed in Ubuntu 18.04, which uses version 1.19.0.5ubuntu2.
The following perl script demonstrates the issue:
#!/usr/bin/perl -wT
use strict;
use warnings;
use Dpkg::Index;
1;
This script completes without error when run against 1.18. Running it against 1.19 results in the following taint error in the Dpkg::Vendor component, one of Dpkg::Index's dependencies:
% perl -wT poc.pl
Insecure dependency in eval while running with -T switch at /usr/share/
Compilation failed in require at /usr/share/
BEGIN failed--compilation aborted at /usr/share/
Compilation failed in require at /usr/share/
BEGIN failed--compilation aborted at /usr/share/
Compilation failed in require at /usr/share/
BEGIN failed--compilation aborted at /usr/share/
Compilation failed in require at poc.pl line 6.
BEGIN failed--compilation aborted at poc.pl line 6.
This corresponds to the following code in get_vendor_
eval qq{
pop \@INC if \$INC[-1] eq '.';
require Dpkg::Vendor:
\$obj = Dpkg::Vendor:
};
Commenting out the 'pop' line does not prevent the "Insecure dependency" error.
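The following is an added example, not code from the bug report or from dpkg. It reproduces the failure class the report describes under -T: a vendor name that arrived from an untrusted source (here a value deliberately tainted the way data read from a file would be) is interpolated into a string eval of the same shape as the one quoted above, and perl refuses it with "Insecure dependency in eval". It then shows the practitioner's fix, a regex capture that both untaints the value and restricts it to a valid package-name component, and that a hostile string is rejected by that same check before it can reach eval. The package and subroutine names (Example::Vendor::*, make_tainted, load_vendor, untaint_vendor) are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from dpkg): string eval of tainted
# data under -T, and untainting via a regex capture. Names are hypothetical.
# Run as:  perl -T taint_eval.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

${^TAINT} or die "run this under taint mode: perl -T $0\n";

# Stand-in for a vendor module that a real loader would `require`.
package Example::Vendor::Ubuntu {
    sub new  { return bless {}, shift }
    sub name { return 'Ubuntu' }
}

# Taint a value without changing it (perlsec idiom): concatenating a
# zero-length slice of a tainted string taints the result. Under -T every
# %ENV value is tainted; this assumes the environment is not empty.
sub make_tainted {
    my ($value) = @_;
    my ($any_env) = values %ENV;
    return substr($any_env // '', 0, 0) . $value;
}

# Load the vendor object through a string eval that interpolates $vendor,
# the same shape as the eval quoted in the report. Returns ($object, undef)
# on success and (undef, $error) on failure.
sub load_vendor {
    my ($vendor) = @_;
    my $obj;
    my $ok = eval {
        # perl dies with "Insecure dependency in eval while running with -T
        # switch" here if $vendor carries taint; the surrounding eval BLOCK
        # turns that fatal error into a return value instead of aborting.
        eval qq{ \$obj = Example::Vendor::$vendor->new(); 1 } or die $@;
        1;
    };
    return $ok ? ($obj, undef) : (undef, $@);
}

# A regex capture is the only way to clear the taint flag. Restricting the
# match to identifier characters also guarantees the value cannot inject
# code into the eval, so the check is a real validation, not a laundering.
sub untaint_vendor {
    my ($vendor) = @_;
    return $vendor =~ /\A([A-Za-z_][A-Za-z0-9_]*)\z/ ? $1 : undef;
}

my $raw = make_tainted('Ubuntu');          # constructed input, tainted
tainted($raw) or die "could not produce a tainted value\n";

my ($obj, $err) = load_vendor($raw);
print "tainted input  : ", defined $obj ? "loaded\n" : "refused: $err";

my $clean = untaint_vendor($raw);
defined $clean or die "vendor name rejected\n";
($obj, $err) = load_vendor($clean);
print "untainted input: loaded ", ref $obj, " (", $obj->name, ")\n";

# Hostile content is stopped by the same check instead of reaching eval.
my $hostile = make_tainted('Ubuntu->new; system("id"); 1; #');
print "hostile input  : ",
    defined untaint_vendor($hostile) ? "accepted\n" : "rejected\n";
```

The first load fails with the same "Insecure dependency in eval while running with -T switch" message seen in the report; the second succeeds once the vendor name has passed through the capture. Note that perl only raises this error for the string form of eval, so a fix on the library side can be either the untaint shown here or replacing the string eval with a non-eval construct such as a computed package name and a method call on it.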