Bug#881451: Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375

2017-11-12 Thread Damyan Ivanov
Control: reassign -1 libtest-version-perl/2.05-1
Control: tag -1 upstream patch
Control: retitle -1 Test::Version makes File::Find's chdir to fail in taint mode

-=| Daniel Leidert, 12.11.2017 00:15:34 +0100 |=-
> Package: perl-modules-5.26
> Version: 5.26.1-2
> Severity: normal
> 
> I just wrote a test for a module using Test::Version. Running the test shows
> the mentioned message:
> 
> t/00-version.t .. Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375.
> t/00-version.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
> 
> I'm not fully sure, but the mentioned issue in File::Find might cause the
> test failure.

File::Find fails because it tries to chdir with a tainted argument. No 
bug here.

I guess Test::Version should set the untaint option when calling 
File::Find. The patch below seems to fix this.

Reassigning, since the behaviour of File::Find is as documented.

You can avoid this issue if you omit the -T flag in your version.t. 
After all, it runs over your code, not random user input.


-- dam

--- a/lib/Test/Version.pm
+++ b/lib/Test/Version.pm
@@ -211,7 +211,8 @@ sub version_all_ok {
 
   $name ||= "all modules in $dir have valid versions";
 
-  my @files = File::Find::Rule->perl_module->in( $dir );
+  my @files =
+File::Find::Rule->perl_module->extras( { untaint => 1 } )->in($dir);
 
   {
 local $_IN_VERSION_ALL_OK = 1;
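Review bot: `extras( { untaint => 1 } )` makes File::Find run every directory name through its `untaint_pattern`, and the default pattern (`qr|^([-+@\w./]+)$|`) rejects names containing spaces or other characters outside that set, so a `$dir` with such a directory in it now dies with File::Find's "is still tainted" error instead of the chdir one; either add `untaint_skip => 1` (which silently skips such directories, so `version_all_ok` could then miss modules under them) or pass an explicit `untaint_pattern`, and document the restriction in the POD for `version_all_ok`. Also, the continuation line `+File::Find::Rule->perl_module->extras( { untaint => 1 } )->in($dir);` has lost its indentation relative to `my @files =`; worth confirming the patch applies with the intended whitespace.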


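To see the behaviour described in the reply end to end, here is an added Perl script; it is not part of the bug report, of Debian's perl packaging or of Test::Version. It constructs its own temporary tree, obtains a tainted directory name from readdir, and runs File::Find over it three times: with no options, with untaint on a name the default untaint_pattern rejects, and with untaint plus untaint_skip. The extras() call in the patch forwards the same keys to File::Find::find, which the script calls directly. The helper names (write_module, count_modules, attempt) and the directory layout are the example's own.

```perl
#!/usr/bin/perl -T
# Added example, not code from the bug report or from Test::Version.
# Shows why File::Find dies under -T when the start directory is tainted,
# and what the untaint / untaint_skip options do with such names.
# Run with taint checks on:  perl -T find_taint_demo.pl
use strict;
use warnings;
use File::Find ();
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Constructed fixture: a throwaway tree with one directory name that the
# default untaint_pattern qr|^([-+@\w./]+)$| accepts ("lib") and one it
# rejects ("odd dir", because of the space).
my $root = tempdir(CLEANUP => 1);
mkdir "$root/lib"         or die "mkdir $root/lib: $!";
mkdir "$root/lib/odd dir" or die "mkdir $root/lib/odd dir: $!";
write_module("$root/lib/Foo.pm",         'Foo');
write_module("$root/lib/odd dir/Bar.pm", 'Bar');

# Write a minimal module file with a $VERSION, the kind of file a
# version test walks over.
sub write_module {
    my ($path, $package) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} "package $package;\nour \$VERSION = '0.01';\n1;\n";
    close $fh or die "close $path: $!";
}

# Perl taints what comes back from readdir(), just as it taints @ARGV and
# %ENV, so a directory name assembled from it is tainted. This mirrors a
# test that hands a user-controlled path to File::Find::Rule under -T.
opendir my $dh, $root or die "opendir $root: $!";
my ($lib) = grep { $_ eq 'lib' } readdir $dh;
closedir $dh;
my $dir = "$root/$lib";
printf "start directory %s tainted\n", tainted($dir) ? 'is' : 'is not';

# Count .pm files below $start. %extras is merged into the File::Find::find
# options hash, which is exactly what File::Find::Rule's extras() does.
sub count_modules {
    my ($start, %extras) = @_;
    my $count = 0;
    File::Find::find(
        { wanted => sub { $count++ if /\.pm\z/ }, %extras },
        $start,
    );
    return $count;
}

# Run one traversal and report whether it died instead of finishing.
sub attempt {
    my ($label, @args) = @_;
    my $count = eval { count_modules(@args) };
    if (defined $count) {
        print "$label: found $count module(s)\n";
    }
    else {
        print "$label: died: $@";
    }
}

# 1. No untaint option: File::Find calls chdir() with the tainted name and
#    perl refuses with "Insecure dependency in chdir while running with -T
#    switch", the message from the bug report.
attempt('plain find', $dir);

# 2. untaint => 1 on a name the pattern rejects: File::Find declines to
#    untaint it and dies with its own "is still tainted" message instead of
#    handing a tainted name to chdir().
attempt('untaint on "odd dir"', "$dir/odd dir", untaint => 1);

# 3. untaint => 1 plus untaint_skip => 1 on the whole tree: "lib" passes the
#    pattern and is entered; "odd dir" fails it and is skipped together with
#    everything below it, so Bar.pm is never counted.
attempt('untaint + untaint_skip', $dir, untaint => 1, untaint_skip => 1);
```

Run it as `perl -T find_taint_demo.pl` (the `-T` on the shebang line alone is rejected with "Too late for -T option" when the script is started through `perl` without the switch). The third call is the trade-off the patch accepts: untainting with the default pattern makes the walk work, but any directory whose name falls outside `[-+@\w./]` is either fatal or, with `untaint_skip`, silently dropped from the set of modules whose versions get checked. Note also that with `untaint` set File::Find applies the same pattern to the current working directory before it starts walking.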

Bug#881451: Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375

2017-11-11 Thread Daniel Leidert
Package: perl-modules-5.26
Version: 5.26.1-2
Severity: normal

I just wrote a test for a module using Test::Version. Running the test shows
the mentioned message:

t/00-version.t .. Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375.
t/00-version.t .. Dubious, test returned 255 (wstat 65280, 0xff00)

I'm not fully sure, but the mentioned issue in File::Find might cause the
test failure.

Regards, Daniel


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages perl-modules-5.26 depends on:
ii  dpkg   1.19.0.4
ii  perl-base  5.26.1-2

Versions of packages perl-modules-5.26 recommends:
ii  perl  5.26.1-2

perl-modules-5.26 suggests no packages.

-- no debconf information
