Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Locale-Maketext CPAN distribution.

Report information
The Basics
Id: 5521
Status: rejected
Priority: 0/
Queue: Locale-Maketext

People
Owner: Nobody in particular
Requestors: jesse [...] bestpractical.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: setgid taint error
Date: Mon, 1 Mar 2004 17:17:59 -0500
To: bug-locale-maketext [...] rt.cpan.org
Download (untitled) / with headers
text/plain 2.4k
Begin forwarded message: Show quoted text
> From: Alex Soares de Moura <alex@rnp.br> > Date: March 1, 2004 10:33:18 AM EST > To: rt-users@lists.fsck.com > Cc: Subject: [rt-users] [Fwd: RT] > > Hello, > > Suddenly, this morning the RT of our production server started showing > the error below accessing the RT web interface: > > ----------------------------------------------------------------------- > --------------------- > error: Insecure dependency in eval while running setgid at > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm line 247. > context: ... 243: unshift @code, "use strict; sub {\n"; > 244: push @code, "}\n"; > 245: 246: print @code if DEBUG; > 247: my $sub = eval(join '', @code); > 248: die "$@ while evalling" . join('', @code) if $@; # Should be > impossible. > 249: return $sub; > 250: } > 251: ... code stack: > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext/Guts.pm:247 > /usr/local/lib/perl5/site_perl/5.8.2/Locale/Maketext.pm:196 > /opt/rt3/lib/RT/CurrentUser.pm:360 > /opt/rt3/lib/RT/Interface/Web.pm:215 > /opt/rt3/share/html/Elements/Login:44 > /opt/rt3/share/html/autohandler:195 > raw error > <http://200.17.63.80/rt/ > #raw>------------------------------------------------------------------ > -------------------------- > Environment: > FreeBSD 4.9-STABLE, rt-3.0.8, rtir-1-0-2, mysql-server-4.0.17, > p5-DBIx-SearchBuilder-0.96, p5-FastCGI-0.67. > ----------------------------------------------------------------------- > --------------------- > > The only reference I've found in the list archive was this: > http://marc.free.net.ph/message/20040109.110507.a020d925.html > > but the followup isn't a solution for us. To change the fastcgi to > mod_perl would be a undesirable change in the environment that's been > working well and stable for a couple of months. > > I'm even afraid of restarting the apache and/or the mysql servers > once some of the users that logged in early in the morning are > accessing without problems (me included). Only the users that are > trying to log in since an hour ago are having this error message > displayed. > ------- > > Last min. update: the problem misteriously disappeared while I was > writing this email. Go figure... > > Alex > _______________________________________________ > rt-users mailing list > rt-users@lists.bestpractical.com > http://lists.bestpractical.com/mailman/listinfo/rt-users > > Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm >
Download PGP.sig
application/pgp-signature 186b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 538b
Man alive, this is a strange error. Altho Locele::Maketext::Guts::_compile is a big scare routine that defies merely glancing at, it sure looks to me like every single bit of data that it ends up evalling starts out either as a Perl string literal, or as a $1 gotten from the regexp that starts in the line "while($_[1] =~ # Iterate over chunks." Either way, I don't see how the data could be tainted, and I don't know what should be done. Can anyone give me an example of _compile input and/or @code contents that cause this error?
Download (untitled) / with headers
text/plain 226b
Hm, maybe changing the my $sub = eval(join '', @code); line to my $sub = eval { eval(join '', @code) || die $@ }; would at least allow a clearer error message (I think). Anyone want to try this and let me know what they see?
CC: bug-Locale-Maketext [...] rt.cpan.org
From: Jesse Vincent <jesse [...] bestpractical.com>
Subject: [cpan #5521] setgid taint error in Locale-Maketext
Date: Tue, 2 Mar 2004 00:21:20 -0500
To: RT Developers Mailing List <rt-devel [...] lists.fsck.com>
RT-Send-Cc:
Download (untitled) / with headers
text/plain 668b
Can anyone try sean's recommendation and get a more solid error report? Begin forwarded message: Show quoted text
> From: " via RT" <comment-Locale-Maketext@rt.cpan.org> > Date: March 2, 2004 12:13:51 AM EST > To: jesse@bestpractical.com > Subject: [cpan #5521] setgid taint error > Reply-To: comment-Locale-Maketext@rt.cpan.org > > Full context and any attached attachments can be found at: > <URL: http://rt.cpan.org/NoAuth/Bug.html?id=5521 > > > Hm, maybe changing the my $sub = eval(join '', @code); line to > my $sub = eval { eval(join '', @code) || die $@ }; > would at least allow a clearer error message (I think). Anyone want to > try this and let me know what they see? >
Download (untitled) / with headers
text/enriched 950b
Date: Mon, 22 Mar 2004 10:14:14 -0500
From: "Michael S. Liebman" <m-liebman [...] northwestern.edu>
To: Jesse Vincent <jesse [...] bestpractical.com>
CC: RT Developers Mailing List <rt-devel [...] lists.fsck.com>, bug-Locale-Maketext [...] rt.cpan.org
Subject: Re: [rt-devel] [cpan #5521] setgid taint error in Locale-Maketext
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.5k
On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote: Show quoted text
> Can anyone try sean's recommendation and get a more solid error > report?
Finally had the problem recur after I made the change. Here is the error I'm receiving now. System error error: Insecure dependency in eval while running setgid at /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247. Stack: [/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247] [/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195] [/opt/rt3/lib/RT/CurrentUser.pm:360] [/opt/rt3/lib/RT/Interface/Web.pm:217] [/opt/rt3/local/html/Ticket/Update.html:149] [/opt/rt3/share/html/autohandler:195] while evallinguse strict; sub { join '', 'Update ticket #', ($_[1], ), ' (', ($_[2], ), ')', } context: ... 244: push @code, "}\n"; 245: 246: print @code if DEBUG; 247: my $sub = eval { eval(join '', @code) || die $@ }; 248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible. 249: return $sub; 250: } 251: 252: # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ... code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248 /usr/lib/perl5/5.8.3/Locale/Maketext.pm:195 /opt/rt3/lib/RT/CurrentUser.pm:360 /opt/rt3/lib/RT/Interface/Web.pm:217 /opt/rt3/local/html/Ticket/Update.html:149 /opt/rt3/share/html/autohandler:195 Michael -- Michael S. Liebman m-liebman@northwestern.edu http://msl521.freeshell.org/ "I have vision and the rest of the world wears bifocals." -Paul Newman in "Butch Cassidy & the Sundance Kid"
From: graeme [...] raspberry.co.za
Download (untitled) / with headers
text/plain 1.8k
Hi all, The line --snip-snip-- my $sub = eval(join '', @code); --snip-snip-- is highlited in my error page, suggesting the "eval" is not allowed when PERL is running setgid. I reckon that's going to be difficult to change, so maybe Locale::Maketext can be changed so as not to use the "eval" function instead? Thanks, Graeme [m-liebman@northwestern.edu - Mon Mar 22 10:14:39 2004]: Show quoted text
> On Tue, Mar 02, 2004 at 12:21:20AM -0500, Jesse Vincent wrote:
> > Can anyone try sean's recommendation and get a more solid error > > report?
> > Finally had the problem recur after I made the change. Here is the > error I'm receiving now. > > System error > error: Insecure dependency in eval while running setgid at > /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247. > > Stack: > [/usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247] > [/usr/lib/perl5/5.8.3/Locale/Maketext.pm:195] > [/opt/rt3/lib/RT/CurrentUser.pm:360] > [/opt/rt3/lib/RT/Interface/Web.pm:217] > [/opt/rt3/local/html/Ticket/Update.html:149] > [/opt/rt3/share/html/autohandler:195] > while evallinguse strict; sub { > join '', > 'Update ticket #', > ($_[1], ), > ' (', > ($_[2], ), > ')', > } > context: > ... > 244: push @code, "}\n"; > 245: > 246: print @code if DEBUG; > 247: my $sub = eval { eval(join '', @code) || die $@ }; > 248: die "$@ while evalling" . join('', @code) if $@; #
Should be Show quoted text
> impossible. > 249: return $sub; > 250: } > 251: > 252: # - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - Show quoted text
> - - - - - - > ... > code stack: /usr/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:248 > /usr/lib/perl5/5.8.3/Locale/Maketext.pm:195 > /opt/rt3/lib/RT/CurrentUser.pm:360 > /opt/rt3/lib/RT/Interface/Web.pm:217 > /opt/rt3/local/html/Ticket/Update.html:149 > /opt/rt3/share/html/autohandler:195 > > Michael
RT-Send-CC: graeme [...] raspberry.co.za, m-liebman [...] northwestern.edu, rt-devel [...] lists.fsck.com
Download (untitled) / with headers
text/plain 152b
I'm closing this ticket since Locale::MT is maintained in blead by perl5-porters. If you disagree with this, please re-open the ticket again. Thanks.
Subject: [rt.cpan.org #5521] setgid taint error
Date: Sun, 15 Jan 2012 00:07:10 -0500
To: bug-locale-maketext [...] rt.cpan.org
From: rt-devel-owner [...] lists.bestpractical.com
Download (untitled) / with headers
text/plain 237b
You are not allowed to post to this mailing list, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at rt-devel-owner@lists.bestpractical.com.
CC: graeme [...] raspberry.co.za, m-liebman [...] northwestern.edu, rt-devel [...] lists.fsck.com
Subject: [rt.cpan.org #5521] setgid taint error
Date: Sun, 15 Jan 2012 00:07:07 -0500
From: "Todd Rinaldo via RT" <bug-Locale-Maketext [...] rt.cpan.org>
Download (untitled) / with headers
text/plain 210b
<URL: https://rt.cpan.org/Ticket/Display.html?id=5521 > I'm closing this ticket since Locale::MT is maintained in blead by perl5-porters. If you disagree with this, please re-open the ticket again. Thanks.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.