This queue is for tickets about the Locale-Maketext CPAN distribution.

Report information
The Basics
Id: 5521
Status: rejected
Priority: 0/
Queue: Locale-Maketext

People
Owner: Nobody in particular
Requestors: jesse [...] bestpractical.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: setgid taint error
Date: Mon, 1 Mar 2004 17:17:59 -0500
Begin forwarded message:

> From: Alex Soares de Moura <alex@rnp.br>
> Date: March 1, 2004 10:33:18 AM EST
> To: rt-users@lists.fsck.com
> Cc:
> Subject: [rt-users] [Fwd: RT]
>
> Hello,
>
> Suddenly, this morning the RT of our production server started showing
> the error below accessing the RT web interface:
>
> --------------------------------------------------------------------------------------------
> error: Insecure dependency in eval while running setgid at
> /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm line 247.
> context: ...
> 243: unshift @code, "use strict; sub {\n";
> 244: push @code, "}\n";
> 245:
> 246: print @code if DEBUG;
> 247: my $sub = eval(join '', @code);
> 248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible.
> 249: return $sub;
> 250: }
> 251: ...
> code stack:
> /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm:247
> /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext.pm:196
> /opt/rt3/lib/RT/CurrentUser.pm:360
> /opt/rt3/lib/RT/Interface/Web.pm:215
> /opt/rt3/share/html/Elements/Login:44
> /opt/rt3/share/html/autohandler:195
> raw error <http://200.17.63.80/rt/#raw>
> --------------------------------------------------------------------------------------------
> Environment:
> FreeBSD 4.9-STABLE, rt-3.0.8, rtir-1-0-2, mysql-server-4.0.17,
> p5-DBIx-SearchBuilder-0.96, p5-FastCGI-0.67.
> --------------------------------------------------------------------------------------------
>
> The only reference I've found in the list archive was this:
> http://marc.free.net.ph/message/20040109.110507.a020d925.html
>
> but the followup isn't a solution for us. To change the fastcgi to
> mod_perl would be an undesirable change in the environment that's been
> working well and stable for a couple of months.
>
> I'm even afraid of restarting the apache and/or the mysql servers
> once some of the users that logged in early in the morning are
> accessing without problems (me included). Only the users that are
> trying to log in since an hour ago are having this error message
> displayed.
> -------
>
> Last min. update: the problem mysteriously disappeared while I was
> writing this email. Go figure...
>
> Alex
> _______________________________________________
> rt-users mailing list
> rt-users@lists.bestpractical.com
> http://lists.bestpractical.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
Man alive, this is a strange error. Altho Locale::Maketext::Guts::_compile is a big scary routine that defies merely glancing at, it sure looks to me like every single bit of data that it ends up evalling starts out either as a Perl string literal, or as a $1 gotten from the regexp that starts in the line "while($_[1] =~ # Iterate over chunks." Either way, I don't see how the data could be tainted, and I don't know what should be done. Can anyone give me an example of _compile input and/or @code contents that cause this error?
Hm, maybe changing the

    my $sub = eval(join '', @code);

line to

    my $sub = eval { eval(join '', @code) || die $@ };

would at least allow a clearer error message (I think). Anyone want to try this and let me know what they see?
From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: [cpan #5521] setgid taint error in Locale-Maketext
Date: Tue, 2 Mar 2004 00:21:20 -0500
Can anyone try sean's recommendation and get a more solid error report?

Begin forwarded message:

> From: " via RT" <comment-Locale-Maketext@rt.cpan.org>
> Date: March 2, 2004 12:13:51 AM EST
> To: jesse@bestpractical.com
> Subject: [cpan #5521] setgid taint error
> Reply-To: comment-Locale-Maketext@rt.cpan.org
>
> Full context and any attached attachments can be found at:
> <URL: http://rt.cpan.org/NoAuth/Bug.html?id=5521 >
>
> Hm, maybe changing the my $sub = eval(join '', @code); line to
> my $sub = eval { eval(join '', @code) || die $@ };
> would at least allow a clearer error message (I think). Anyone want to
> try this and let me know what they see?
Date: Mon, 22 Mar 2004 10:14:14 -0500
From: "Michael S. Liebman" <m-liebman [...] northwestern.edu>
Subject: Re: [rt-devel] [cpan #5521] setgid taint error in Locale-Maketext
On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote:
> Can anyone try sean's recommendation and get a more solid error
> report?

Finally had the problem recur after I made the change. Here is the
error I'm receiving now.

System error
error: Insecure dependency in eval while running setgid at
/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247.

Stack:
[/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247]
[/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195]
[/opt/rt3/lib/RT/CurrentUser.pm:360]
[/opt/rt3/lib/RT/Interface/Web.pm:217]
[/opt/rt3/local/html/Ticket/Update.html:149]
[/opt/rt3/share/html/autohandler:195]
while evallinguse strict; sub {
join '',
'Update ticket #',
($_[1], ),
' (',
($_[2], ),
')',
}
context:
...
244: push @code, "}\n";
245:
246: print @code if DEBUG;
247: my $sub = eval { eval(join '', @code) || die $@ };
248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible.
249: return $sub;
250: }
251:
252: # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...
code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248
/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195
/opt/rt3/lib/RT/CurrentUser.pm:360
/opt/rt3/lib/RT/Interface/Web.pm:217
/opt/rt3/local/html/Ticket/Update.html:149
/opt/rt3/share/html/autohandler:195

Michael
--
Michael S. Liebman m-liebman@northwestern.edu
http://msl521.freeshell.org/
"I have vision and the rest of the world wears bifocals."
-Paul Newman in "Butch Cassidy & the Sundance Kid"
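
Perl raises "Insecure dependency in eval" when the string handed to eval carries the taint flag, so the open question in this ticket is which element of @code is tainted. The script below is an added example, not code from the ticket or from Locale::Maketext: it checks each chunk with Scalar::Util's tainted() before reporting the refusal. The helper names tainted_chunks and compile_chunks are hypothetical, and the @code contents are constructed from the dump in the report above.

```perl
# Added example, not Locale::Maketext code. Run as: perl -T taint_chunks.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed taint source: a zero-length string derived from data that
# Perl marks as tainted under taint checks ($0, $^X, %ENV values).
my $TAINT = substr(join('', $0, $^X, values %ENV), 0, 0);
die "taint checks are off; run with perl -T\n" unless tainted($TAINT);

# Hypothetical helper: [index, chunk] pairs for every tainted chunk.
sub tainted_chunks {
    my @code = @_;
    return map { [ $_, $code[$_] ] } grep { tainted($code[$_]) } 0 .. $#code;
}

# Hypothetical helper: compile the chunks using the wrapped form proposed
# in the ticket, and name the tainted chunks if the eval is refused.
sub compile_chunks {
    my @code = @_;
    # The taint check fires before the string eval starts, so the error
    # escapes it; the outer block eval is what captures it in $@.
    my $sub = eval { eval(join '', @code) || die $@ };
    return $sub if $sub;
    my $err = $@;
    my @bad = tainted_chunks(@code);
    die $err, map { sprintf("  tainted chunk %d: %s", @$_) } @bad;
}

# Constructed @code, modelled on the dump in the report above.
my @clean = (
    "use strict; sub {\n", " join '',\n", " 'Update ticket #',\n",
    " (\$_[1], ),\n", " ' (',\n", " (\$_[2], ),\n", " ')',\n", "}\n",
);
my @dirty = @clean;
$dirty[2] .= $TAINT;    # same text, now carrying the taint flag

# The untainted list compiles and the resulting sub formats its arguments.
my $ok = compile_chunks(@clean);
print $ok->(undef, 42, 'open'), "\n";

# The tainted list is refused; the message lists the offending chunk.
eval { compile_chunks(@dirty); 1 } or print "refused: $@";
```

The two lists contain identical text, which is why printing @code alone cannot distinguish them; only the per-chunk tainted() check can.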
From: graeme [...] raspberry.co.za
Hi all,

The line

--snip-snip--
my $sub = eval(join '', @code);
--snip-snip--

is highlighted in my error page, suggesting the "eval" is not allowed when PERL is running setgid. I reckon that's going to be difficult to change, so maybe Locale::Maketext can be changed so as not to use the "eval" function instead?

Thanks,
Graeme

[m-liebman@northwestern.edu - Mon Mar 22 10:14:39 2004]:
> On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote:
> > Can anyone try sean's recommendation and get a more solid error
> > report?
>
> Finally had the problem recur after I made the change. Here is the
> error I'm receiving now.
>
> System error
> error: Insecure dependency in eval while running setgid at
> /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247.
>
> Stack:
> [/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247]
> [/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195]
> [/opt/rt3/lib/RT/CurrentUser.pm:360]
> [/opt/rt3/lib/RT/Interface/Web.pm:217]
> [/opt/rt3/local/html/Ticket/Update.html:149]
> [/opt/rt3/share/html/autohandler:195]
> while evallinguse strict; sub {
> join '',
> 'Update ticket #',
> ($_[1], ),
> ' (',
> ($_[2], ),
> ')',
> }
> context:
> ...
> 244: push @code, "}\n";
> 245:
> 246: print @code if DEBUG;
> 247: my $sub = eval { eval(join '', @code) || die $@ };
> 248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible.
> 249: return $sub;
> 250: }
> 251:
> 252: # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> ...
> code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248
> /usr/lib/perl5/5.8.3/Locale/Maketext.pm:195
> /opt/rt3/lib/RT/CurrentUser.pm:360
> /opt/rt3/lib/RT/Interface/Web.pm:217
> /opt/rt3/local/html/Ticket/Update.html:149
> /opt/rt3/share/html/autohandler:195
>
> Michael
From: "Todd Rinaldo via RT" <bug-Locale-Maketext [...] rt.cpan.org>
Subject: [rt.cpan.org #5521] setgid taint error
Date: Sun, 15 Jan 2012 00:07:07 -0500

I'm closing this ticket since Locale::MT is maintained in blead by perl5-porters. If you disagree with this, please re-open the ticket again. Thanks.

