Debian Bug report logs - #722210
perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"

version graph

Package: perl-modules; Maintainer for perl-modules is Niko Tyni <ntyni@debian.org>; Source for perl-modules is src:perl.

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Mon, 9 Sep 2013 05:39:02 UTC

Severity: important

Tags: fixed-upstream

Found in version perl/5.18.1-3

Fixed in version perl/5.18.1-4

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=88576

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, dkg@fifthhorseman.net, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Mon, 09 Sep 2013 05:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Niko Tyni <ntyni@debian.org>. (Mon, 09 Sep 2013 05:39:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"
Date: Mon, 09 Sep 2013 01:37:34 -0400
Package: perl-modules
Version: 5.18.1-3
Severity: important
Control: affects -1 msva-perl

in perl 5.14.2-21, the following command returns cleanly:

perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'

0 dkg@wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
0 dkg@wheezy:~$ 


but in perl 5.18.1-3, it fails harshly:

0 dkg@alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
25 dkg@alice:~$ 

This appears to mean that any code running in taint mode that uses
Module::Load::Conditional::can_load will fail hard.  This is causing a
crash in msva-perl, which deliberately runs in taint mode and also may
conditionally load a handful of pre-known modules if they are present
on the system.

Marking this as important since it breaks msva-perl and probably other
code.

   --dkg


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl-modules depends on:
ii  perl  5.18.1-3

Versions of packages perl-modules recommends:
pn  libarchive-extract-perl   <none>
pn  libmodule-pluggable-perl  <none>
pn  libpod-latex-perl         <none>
pn  libterm-ui-perl           <none>
pn  libtext-soundex-perl      <none>

Versions of packages perl-modules suggests:
pn  libb-lint-perl               <none>
pn  libcpanplus-dist-build-perl  <none>
pn  libcpanplus-perl             <none>
pn  libfile-checktree-perl       <none>
pn  liblog-message-perl          <none>
pn  liblog-message-simple-perl   <none>
pn  libobject-accessor-perl      <none>

-- debconf-show failed



Added indication that 722210 affects msva-perl Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Mon, 09 Sep 2013 05:39:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Mon, 09 Sep 2013 06:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 09 Sep 2013 06:06:05 GMT) Full text and rfc822 format available.

Message #12 received at 722210@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 722210@bugs.debian.org
Subject: Re: Bug#722210: perl-modules: Module::Load::Conditional fails in taint mode with "Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631"
Date: Mon, 09 Sep 2013 02:02:16 -0400
[Message part 1 (text/plain, inline)]
On 09/09/2013 01:37 AM, Daniel Kahn Gillmor wrote:
> Package: perl-modules
> Version: 5.18.1-3
> Severity: important
> Control: affects -1 msva-perl
> 
> in perl 5.14.2-21, the following command returns cleanly:
> 
> perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 
> 0 dkg@wheezy:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 0 dkg@wheezy:~$ 
> 
> 
> but in perl 5.18.1-3, it fails harshly:
> 
> 0 dkg@alice:~$ perl -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
> 25 dkg@alice:~$ 
> 
> This appears to mean that any code running in taint mode that uses
> Module::Load::Conditional::can_load will fail hard.  This is causing a
> crash in msva-perl, which deliberately runs in taint mode and also may
> conditionally load a handful of pre-known modules if they are present
> on the system.
> 
> Marking this as important since it breaks msva-perl and probably other
> code.

Interestingly, if none of the modules that are trying to be loaded are
installed, this taint error does not show up, so the failures are
contingent on one of the conditionally-loaded modules actually being
present.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Tue, 10 Sep 2013 06:30:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 10 Sep 2013 06:30:08 GMT) Full text and rfc822 format available.

Message #17 received at 722210@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jos Boumans <kane@cpan.org>, 717213@bugs.debian.org, 722210@bugs.debian.org
Subject: Module::Load::Conditional and taint mode
Date: Tue, 10 Sep 2013 02:26:32 -0400
[Message part 1 (text/plain, inline)]
It looks like some change introduced between 0.44 and 0.50 cause
Module::Load::Conditional::can_load to choke under taint mode.

I note that both http://bugs.debian.org/722210 and
http://bugs.debian.org/717213 are related to Module::Load::Conditional
failures under taint mode.  I suspect they're the same bug.

The versions of Module::Load::Conditional associated here are:

wheezy perl-modules                       0.44
wheezy libmodule-load-conditional-perl    0.50
sid    perl-modules                       0.54
sid    libmodule-load-conditional-perl    0.52
upstream                                  0.58


here's a carp trace on a system with 0.58 installed:
 
0 dkg@alice:/tmp/cdtemp.YOjk3A$ perl -MCarp::Always -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
	Module::Metadata::_evaluate_version_line('Module::Metadata=HASH(0x1063878)', '$', 'VERSION', '$VERSION = \'1.26\';') called at /usr/share/perl/5.18/Module/Metadata.pm line 580
	Module::Metadata::_parse_fh('Module::Metadata=HASH(0x1063878)', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 358
	Module::Metadata::_init('Module::Metadata', undef, '/usr/share/perl/5.18/Test.pm', 'handle', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 79
	Module::Metadata::new_from_handle('Module::Metadata', 'FileHandle=GLOB(0x10d3568)', '/usr/share/perl/5.18/Test.pm') called at /usr/share/perl5/Module/Load/Conditional.pm line 259
	Module::Load::Conditional::check_install('module', 'Test', 'version', undef) called at /usr/share/perl5/Module/Load/Conditional.pm line 417
	Module::Load::Conditional::can_load('modules', 'HASH(0xd22cb8)') called at -e line 1
25 dkg@alice:/tmp/cdtemp.YOjk3A$ 

I note that the upstream changelog only mentions taint mode once, from
years ago:

Changes for 0.24    Wed Jan  2 16:53:19 CET 2008
=================================================
* Readdress #29348 to make sure version comparisons
  handle alpha versions (XX_YY type) gracefully.
* Address #31680 to make sure $FIND_VERSION works
  nicely with taint mode enabled.


Jos, do you have any idea what is going on here, or if it's possible to
run Module::Load::Conditional while under taint mode?

Regards,

     --dkg
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Tue, 10 Sep 2013 06:39:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jos Boumans <jos@dwim.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 10 Sep 2013 06:39:12 GMT) Full text and rfc822 format available.

Message #22 received at 722210@bugs.debian.org (full text, mbox):

From: Jos Boumans <jos@dwim.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, bug-module-load-conditional@rt.cpan.org
Cc: Jos Boumans <kane@cpan.org>, 717213@bugs.debian.org, 722210@bugs.debian.org
Subject: Re: Module::Load::Conditional and taint mode
Date: Mon, 9 Sep 2013 23:34:29 -0700
adding to the bug tracker.

On 9 Sep 2013, at 23:26, Daniel Kahn Gillmor wrote:

> It looks like some change introduced between 0.44 and 0.50 cause
> Module::Load::Conditional::can_load to choke under taint mode.
> 
> I note that both http://bugs.debian.org/722210 and
> http://bugs.debian.org/717213 are related to Module::Load::Conditional
> failures under taint mode.  I suspect they're the same bug.
> 
> The versions of Module::Load::Conditional associated here are:
> 
> wheezy perl-modules                       0.44
> wheezy libmodule-load-conditional-perl    0.50
> sid    perl-modules                       0.54
> sid    libmodule-load-conditional-perl    0.52
> upstream                                  0.58
> 
> 
> here's a carp trace on a system with 0.58 installed:
> 
> 0 dkg@alice:/tmp/cdtemp.YOjk3A$ perl -MCarp::Always -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
> 	Module::Metadata::_evaluate_version_line('Module::Metadata=HASH(0x1063878)', '$', 'VERSION', '$VERSION = \'1.26\';') called at /usr/share/perl/5.18/Module/Metadata.pm line 580
> 	Module::Metadata::_parse_fh('Module::Metadata=HASH(0x1063878)', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 358
> 	Module::Metadata::_init('Module::Metadata', undef, '/usr/share/perl/5.18/Test.pm', 'handle', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 79
> 	Module::Metadata::new_from_handle('Module::Metadata', 'FileHandle=GLOB(0x10d3568)', '/usr/share/perl/5.18/Test.pm') called at /usr/share/perl5/Module/Load/Conditional.pm line 259
> 	Module::Load::Conditional::check_install('module', 'Test', 'version', undef) called at /usr/share/perl5/Module/Load/Conditional.pm line 417
> 	Module::Load::Conditional::can_load('modules', 'HASH(0xd22cb8)') called at -e line 1
> 25 dkg@alice:/tmp/cdtemp.YOjk3A$ 
> 
> I note that the upstream changelog only mentions taint mode once, from
> years ago:
> 
> Changes for 0.24    Wed Jan  2 16:53:19 CET 2008
> =================================================
> * Readdress #29348 to make sure version comparisons
>  handle alpha versions (XX_YY type) gracefully.
> * Address #31680 to make sure $FIND_VERSION works
>  nicely with taint mode enabled.
> 
> 
> Jos, do you have any idea what is going on here, or if it's possible to
> run Module::Load::Conditional while under taint mode?
> 
> Regards,
> 
>     --dkg




Set Bug forwarded-to-address to 'https://rt.cpan.org/Ticket/Display.html?id=88567'. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Tue, 10 Sep 2013 06:45:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Tue, 10 Sep 2013 06:57:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 10 Sep 2013 06:57:12 GMT) Full text and rfc822 format available.

Message #29 received at 722210@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jos Boumans <jos@dwim.org>
Cc: bug-module-load-conditional@rt.cpan.org, Jos Boumans <kane@cpan.org>, 717213@bugs.debian.org, 722210@bugs.debian.org
Subject: Re: [rt.cpan.org #88567] Module::Load::Conditional and taint mode
Date: Tue, 10 Sep 2013 02:54:48 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/10/2013 02:34 AM, Jos Boumans wrote:
> On 9 Sep 2013, at 23:26, Daniel Kahn Gillmor wrote:
> 
>> It looks like some change introduced between 0.44 and 0.50 cause 
>> Module::Load::Conditional::can_load to choke under taint mode.

woops, sorry, i think i specified the version number wrong.  The
problem appears to have been introduced in 0.52.  I am unable to
reproduce it with 0.50.

the upstream changelog for 0.52 is:

Changes for 0.52    Sun Jul 29 10:06:44 BST 2012
=================================================
* Various enhancements, including now uses
  Module::Metadata (vpit)

	--dkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQJ8BAEBCgBmBQJSLsI1XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB
NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcO4wQAOfI5Kt4evHY0GmkH7+IIrM9
b/OscQcOi9jEt4s3DZmqyVOq95hE/ELbZ2D0RdiBgKl70J3rE2h5WvpxXLN8dgia
MdeFFUJQLW/QCyOYyZohfk6idPmgVVtYl+uiJFYLjelZpCPpXB1mFIpn2Y0PUWcN
NyGINwhd6ScsFy3g7aG0BePqK9HiawEcMkM3NgDZVeG0rJTNMpeyPqfScK6wUzA1
6BChWwcr6PCPcXvjDOn300Nxi3AyTJh8Nvtm4v2WCLNoXwQBUOIJVoRM/Nn5s53C
/25EWRkhkcXDT+i+bi7gaTIZ9iYAxtNAb0/PEw54uOY37fG2x46Ofn0M8KMjrD9x
gIplt9ksnscu6jgl3sf/J4wr+5jagLTXDJMbh9ptc+AStDw6LjPrehAkY8T9y1g4
0r4ralT+PKRncqda9Ka89HM9ntblNFSpyEsDGerr4OxhSupCqzKlcZFO0Kes+ZWr
LE1eBBTae+MyrhUxu86cS/FK0dbd4GGFjhkkPTRHxwTJxVwFZTq/xDn784WXE6th
YStv3qbQ1D9WNoKBAu9z2dzd4aLiaZBpSkud5spc9UgFENO+wjTnOkRmRtYvIEvI
b79Mj47RTN/rny3QmzUB4t3VyiBJ3YUvPbblPEMvUEYtbrsYJjA0ShmV8M3K1PPH
NRIjMm1QP+/kIPsdT0Go
=o9+C
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Tue, 10 Sep 2013 10:57:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to bug-Module-Load-Conditional@rt.cpan.org:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 10 Sep 2013 10:57:13 GMT) Full text and rfc822 format available.

Message #34 received at 722210@bugs.debian.org (full text, mbox):

From: "BINGOS via RT" <bug-Module-Load-Conditional@rt.cpan.org>
Cc: 722210@bugs.debian.org, dkg@fifthhorseman.net, 717213@bugs.debian.org, kane@cpan.org
Subject: [rt.cpan.org #88567] Re: Module::Load::Conditional and taint mode
Date: Tue, 10 Sep 2013 06:47:34 -0400
<URL: https://rt.cpan.org/Ticket/Display.html?id=88567 >

The problem is with Module::Metadata.

$ perl -MModule::Metadata -E 'say Module::Metadata->new_from_module( "Test" )->filename'
/opt/perl-5.18.1/lib/5.18.1/Test.pm

$ perl -TMModule::Metadata -E 'say Module::Metadata->new_from_module( "Test" )->filename'
Insecure dependency in eval while running with -T switch at /opt/perl-5.18.1/lib/site_perl/5.18.1/Module/Metadata.pm line 667, <GEN0> line 23.

I will raise a ticket with Module-Metadata maintainers.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#722210; Package perl-modules. (Wed, 11 Sep 2013 19:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 11 Sep 2013 19:51:07 GMT) Full text and rfc822 format available.

Message #39 received at 722210@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 717213@bugs.debian.org, 722210@bugs.debian.org
Subject: Module::Metadata and taint mode
Date: Wed, 11 Sep 2013 22:48:14 +0300
forwarded 717213 https://rt.cpan.org/Public/Bug/Display.html?id=88576
tag 717213 fixed-upstream 
forwarded 722210 https://rt.cpan.org/Public/Bug/Display.html?id=88576
tag 722210 fixed-upstream 
block 722210 by 717213 
thanks

#717213 and #722210 are the same issue. This was recently fixed upstream
in Module-Metadata 1.000018 or so. See [rt.cpan.org #88576].

It seems useful to track the issue in both perl-modules and
libmodule-metadata-perl, so I'm not merging the bugs.

Clearly libmodule-metadata-perl needs to be fixed first, otherwise
installing its broken version would override a fixed version in
perl-modules.

While perl and libmodule-metadata-perl in stable are affected [1],
the primary problem seems to be via use by Module-Load-Conditional,
which doesn't happen in stable. So I don't think we need a stable update
unless another vector shows up.

[1] as per the test by Chris Williams (BINGOS):
  perl -TMModule::Metadata -E 'say Module::Metadata->new_from_module( "Test" )->filename'

-- 
Niko Tyni   ntyni@debian.org



Changed Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=88576' from 'https://rt.cpan.org/Ticket/Display.html?id=88567' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 11 Sep 2013 19:51:11 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 11 Sep 2013 19:51:12 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 722210: 717213 Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 11 Sep 2013 19:51:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Wed, 11 Sep 2013 20:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to bug-Module-Load-Conditional@rt.cpan.org:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 11 Sep 2013 20:09:07 GMT) Full text and rfc822 format available.

Message #50 received at 722210@bugs.debian.org (full text, mbox):

From: "BINGOS via RT" <bug-Module-Load-Conditional@rt.cpan.org>
Cc: 722210@bugs.debian.org, dkg@fifthhorseman.net, 717213@bugs.debian.org, kane@cpan.org
Subject: [rt.cpan.org #88567] Re: Module::Load::Conditional and taint mode
Date: Wed, 11 Sep 2013 16:06:41 -0400
<URL: https://rt.cpan.org/Ticket/Display.html?id=88567 >

A release of Module::Metadata that resolves the issue
has been made available on CPAN, thanks to Karen Etheridge.

http://metacpan.org/release/ETHER/Module-Metadata-1.000018

Many thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#722210; Package perl-modules. (Wed, 11 Sep 2013 20:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 11 Sep 2013 20:21:07 GMT) Full text and rfc822 format available.

Message #55 received at 722210@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Niko Tyni <ntyni@debian.org>, 717213@bugs.debian.org
Cc: 722210@bugs.debian.org
Subject: Re: Bug#717213: Module::Metadata and taint mode
Date: Wed, 11 Sep 2013 22:17:35 +0200
hey Niko

On Wed, Sep 11, 2013 at 10:48:14PM +0300, Niko Tyni wrote:
> forwarded 717213 https://rt.cpan.org/Public/Bug/Display.html?id=88576
> tag 717213 fixed-upstream 
> forwarded 722210 https://rt.cpan.org/Public/Bug/Display.html?id=88576
> tag 722210 fixed-upstream 
> block 722210 by 717213 
> thanks
> 
> #717213 and #722210 are the same issue. This was recently fixed upstream
> in Module-Metadata 1.000018 or so. See [rt.cpan.org #88576].
> 
> It seems useful to track the issue in both perl-modules and
> libmodule-metadata-perl, so I'm not merging the bugs.
> 
> Clearly libmodule-metadata-perl needs to be fixed first, otherwise
> installing its broken version would override a fixed version in
> perl-modules.

Okay, just done by uploading the new upstream version to unstable.

Regards,
Salvatore



Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 11 Sep 2013 22:21:25 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 12 Sep 2013 00:06:08 GMT) Full text and rfc822 format available.

Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Thu, 12 Sep 2013 00:06:08 GMT) Full text and rfc822 format available.

Message #62 received at 722210-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 722210-close@bugs.debian.org
Subject: Bug#722210: fixed in perl 5.18.1-4
Date: Thu, 12 Sep 2013 00:03:48 +0000
Source: perl
Source-Version: 5.18.1-4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 11 Sep 2013 23:30:25 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-debug libperl5.18 libperl-dev perl-modules perl
Architecture: source all i386
Version: 5.18.1-4
Distribution: unstable
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.18 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 722210 722460
Changes: 
 perl (5.18.1-4) unstable; urgency=low
 .
   * Add Breaks on versions of libcommon-sense-perl which were built
     with earlier version of perl (Closes: #722460)
   * Add Module::Metadata fix for use in taint mode (Closes: #722210)
   * Update Lintian override for wrong-path-for-interpreter false
     positive
Checksums-Sha1: 
 a67cde02e466cf9aca63ba0e465dba7fdf391e6b 1705 perl_5.18.1-4.dsc
 02f9d5b1dba5237352a9cdc909dfeb87b7837ec1 132006 perl_5.18.1-4.debian.tar.gz
 2eb797c6cdd511a00d448a8c5a2a4113ca1cb0c1 77110 libcgi-fast-perl_5.18.1-4_all.deb
 1386ae9f6014572d456b9fc36740dc373d7e797d 7313728 perl-doc_5.18.1-4_all.deb
 7e47798ba9f990251965d6206f4978b31163a18a 2723152 perl-modules_5.18.1-4_all.deb
 dd8eb2e9da61fe25d808af948f90e8a367119c1a 1132888 perl-base_5.18.1-4_i386.deb
 b41f6b9bb488fdf0c8c48335f76808b78b6e3c09 5799218 perl-debug_5.18.1-4_i386.deb
 2f61182e814e6dc7b82b3446627c66f5a8421a65 626076 libperl5.18_5.18.1-4_i386.deb
 799a2d9426190800beee8ea1c70839ed168c4c1f 2116412 libperl-dev_5.18.1-4_i386.deb
 99db720a2cb3f71672b750993239db8e5ea1d558 2156422 perl_5.18.1-4_i386.deb
Checksums-Sha256: 
 7061f1e6fe683cff5acf41ec488fc6fe88e93ec1800448efec5435e446f0a25a 1705 perl_5.18.1-4.dsc
 dfa1579c34c2857e50da33c870d07560279d7e5068de76a9f567613d8c0b205f 132006 perl_5.18.1-4.debian.tar.gz
 9fccd502700e3e2f81a687e2beb97e004abf23387b7f2f7604df49ba36bf9434 77110 libcgi-fast-perl_5.18.1-4_all.deb
 c74f870aeb8a91088bbd50853f621e544b30d0bbc9cc261f8240636b1f850901 7313728 perl-doc_5.18.1-4_all.deb
 b6ada00ea6d1405f8b9ce90c9c0391bc55c294631f5345c08c92e58a16f2d454 2723152 perl-modules_5.18.1-4_all.deb
 2f60463bbda972c9f684d8feb16f7b2f2b2b91554c2e9cd0b1634779b4790fe6 1132888 perl-base_5.18.1-4_i386.deb
 3915d2df48835f091b2ec6e7da34a8f7753290203daadbf1153a3e3e5dcb367f 5799218 perl-debug_5.18.1-4_i386.deb
 ef6a792de9b8f056f6f5eea8c2bb37c4e5428d2efa2950d5bd0b6b8abf3e3480 626076 libperl5.18_5.18.1-4_i386.deb
 c2586905322deb57467902443443f957ab88cc985c047ff6cbafa92550453fd6 2116412 libperl-dev_5.18.1-4_i386.deb
 4abec84f26ed8611f8a70d0f7bb6627c81dfee15184ee9b0b4116f9a3158adcf 2156422 perl_5.18.1-4_i386.deb
Files: 
 3a2338ae34e3ae084ae4fdb6cb129723 1705 perl standard perl_5.18.1-4.dsc
 6684c1b6cc51881109a891926c7aa53b 132006 perl standard perl_5.18.1-4.debian.tar.gz
 b2286efaf5365020e21653961b0c3987 77110 perl optional libcgi-fast-perl_5.18.1-4_all.deb
 e27417344d2fc3b2b0ba4e1dfbb30203 7313728 doc optional perl-doc_5.18.1-4_all.deb
 8f9e7b36f8eab58c8300e5cac777fd29 2723152 perl standard perl-modules_5.18.1-4_all.deb
 70951e263fe096bbf5352d9f70730c6f 1132888 perl required perl-base_5.18.1-4_i386.deb
 cdb0a66f5b841652843527fc1f16d49d 5799218 debug extra perl-debug_5.18.1-4_i386.deb
 9b4bef240c184f0d0e0a973e1235fd77 626076 libs optional libperl5.18_5.18.1-4_i386.deb
 fadb7bb3408777270ba49353130fb4c1 2116412 libdevel optional libperl-dev_5.18.1-4_i386.deb
 f66d01ba70fcd19a04ea0c56ab81a4c9 2156422 perl standard perl_5.18.1-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iD8DBQFSMQBqYzuFKFF44qURAjSbAJ9aXy0MfERjwd7dSLnz7Ec+5YUBCACfUfVI
hJ0einWv8EQjKgS2t/3ecjc=
=XMdX
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Oct 2013 07:27:40 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:00:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.