Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

2012-07-04 Thread intrigeri
Hi,

Tim did not manage to reproduce this bug on current sid, and neither
could I in a sid VM.

However, I can still reproduce it on the system that exposed it in the
first place, so unfortunately, it does not look like the bug was
magically autofixed by some change in the underlying
Debian/Perl environment.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org




2012-06-28 Thread Iain Lane
On Thu, Jun 28, 2012 at 12:49:17AM +0200, intrigeri wrote:
> Hi,
>
> Iain Lane wrote (27 Jun 2012 22:30:40 GMT) :
> > Where can I find these commits?
>
> There: git://lair.fifthhorseman.net/~dkg/msva-perl
> (Yeah, I know, that's not obvious.)

Got it, thanks. Seems to fix it indeed, and if the other commit fixes
the Use of uninitialized value warning (looked at the code but didn't
test it) then we might as well include that too IMHO.

I guess getting a freeze unblock wouldn't be a problem for this, but we
should nevertheless try and get uploaded before then. Can you ping dkg
in #monkeysphere?

Cheers,

-- 
Iain Lane  [ i...@orangesquash.org.uk ]
Debian Developer   [ la...@debian.org ]
Ubuntu Developer   [ la...@ubuntu.com ]
PhD student   [ i...@cs.nott.ac.uk ]



2012-06-27 Thread Iain Lane
Hi,

On Wed, Jun 20, 2012 at 04:33:02AM +0200, intrigeri wrote:
> Hi,
>
> intrigeri wrote (19 Jun 2012 19:44:19 GMT) :
> > However, given Net::Server pretends to be taint clean, it does look
> > like there's a serious bug in there, that shall be reported and fixed.
> > I'll try to isolate a minimal testcase and will report it in Debian
> > and upstream.
>
> I tried building msva-perl 0.8-2 + commit f24706da cherry-picked from
> upstream. Good news: for some reason, the resulting package does not
> expose the bug we are discussing :)
>
> So I suggest the following plan:
>
>   0. ASAP: someone (Iain? Daniel?) reproduces my successful testing
>      result.

Sorry for the delay. I tried to do this but failed because I cannot find
the commits you are referring to. I use the repository referenced in
Vcs-Git of msva-perl: git://git.monkeysphere.info/msva-perl.

,----
| laney@raleigh git show f24706da
| fatal: ambiguous argument 'f24706da': unknown revision or path not in
| the working tree.
`----

Where can I find these commits? Alternatively, you could upload a source
package somewhere for me to build/test.

Cheers,

-- 
Iain Lane  [ i...@orangesquash.org.uk ]
Debian Developer   [ la...@debian.org ]
Ubuntu Developer   [ la...@ubuntu.com ]
PhD student   [ i...@cs.nott.ac.uk ]



2012-06-27 Thread intrigeri
Hi,

Iain Lane wrote (27 Jun 2012 22:30:40 GMT) :
> Where can I find these commits?

There: git://lair.fifthhorseman.net/~dkg/msva-perl
(Yeah, I know, that's not obvious.)




2012-06-20 Thread intrigeri
Hi,

intrigeri wrote (19 Jun 2012 19:44:19 GMT) :
> However, given Net::Server pretends to be taint clean, it does look
> like there's a serious bug in there, that shall be reported and fixed.
> I'll try to isolate a minimal testcase and will report it in Debian
> and upstream.

I tried building msva-perl 0.8-2 + commit f24706da cherry-picked from
upstream. Good news: for some reason, the resulting package does not
expose the bug we are discussing :)

So I suggest the following plan:

  0. ASAP: someone (Iain? Daniel?) reproduces my successful testing
     result.

  1. short-term: push msva-perl 0.8-3 out to unstable, with this
     commit applied (and perhaps 20e3148 too?)

  2. long-term: investigate if there's actually a bug in Net-Server,
     and if there is, report it properly.

Daniel, what do you think?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc




2012-06-19 Thread Iain Lane
Hello,

On Thu, Jun 14, 2012 at 11:48:49PM +0200, intrig...@debian.org wrote:
> Package: msva-perl
> Version: 0.8-2
> Severity: grave
>
> $ cat $HOME/.monkeysphere/monkeysphere.conf
> USE_VALIDATION_AGENT=true
> KEYSERVER=keys.indymedia.org
> $ . $HOME/.monkeysphere/monkeysphere.conf
> $ msva-perl
> Use of uninitialized value $loglevel in lc at
> /usr/share/perl5/Crypt/Monkeysphere/MSVA/Logger.pm line 91.
> Insecure dependency in socket while running with -T switch at
> /usr/lib/perl/5.14/IO/Socket.pm line 80.
> zsh: exit 255   msva-perl
>
> This might be related to upgrading libnet-server-perl to 2.005-1.

This broke my X login in a way that was perplexing to untangle. It seems
as if monkeysphere inserts itself into the X session startup by way of a
file in /etc/X11/Xsession.d. monkeysphere-validation-agent failing then
made the whole Xsession execution fail, which is really unfriendly.

Downgrading libnet-server-perl to 0.99-4 fixes it. Perhaps you should
consider blocking that from migrating if it is exposing bugs like this.

Cheers,

-- 
Iain Lane  [ i...@orangesquash.org.uk ]
Debian Developer   [ la...@debian.org ]
Ubuntu Developer   [ la...@ubuntu.com ]
PhD student   [ i...@cs.nott.ac.uk ]



2012-06-19 Thread intrigeri
Hi,

Iain Lane wrote (19 Jun 2012 10:58:58 GMT) :
> Downgrading libnet-server-perl to 0.99-4 fixes it.

Thanks a lot for confirming this.

> Perhaps you should consider blocking that from migrating if it is
> exposing bugs like this.

I agree this bug is annoying, but even knowing that, I doubt
Net-Server-2.005 is any worse than our previous Net::Server 0.99
series, that is seriously buggy itself, and carries a handful of
Debian specific patches that were merged upstream since then.

However, given Net::Server pretends to be taint clean, it does look
like there's a serious bug in there, that shall be reported and fixed.
I'll try to isolate a minimal testcase and will report it in Debian
and upstream.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc




2012-06-14 Thread intrigeri
Package: msva-perl
Version: 0.8-2
Severity: grave

$ cat $HOME/.monkeysphere/monkeysphere.conf
USE_VALIDATION_AGENT=true
KEYSERVER=keys.indymedia.org
$ . $HOME/.monkeysphere/monkeysphere.conf
$ msva-perl
Use of uninitialized value $loglevel in lc at 
/usr/share/perl5/Crypt/Monkeysphere/MSVA/Logger.pm line 91.
Insecure dependency in socket while running with -T switch at 
/usr/lib/perl/5.14/IO/Socket.pm line 80.
zsh: exit 255   msva-perl

This might be related to upgrading libnet-server-perl to 2.005-1.

(Removing the -T flag in /usr/bin/msva-perl
=> the second error message is replaced with:
2 sockets open; should have been 1.
zsh: exit 10    msva-perl
This may be due to the new Net::Server binding to both IPv4 and IPv6.
)


