On 09/09/2013 01:37 AM, Daniel Kahn Gillmor wrote:
> Package: perl-modules
> Version: 5.18.1-3
> Severity: important
> Control: affects -1 msva-perl
>
> in perl 5.14.2-21, the following command returns cleanly:
>
> perl -wTMModule::Load::Conditional -e
> 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
>
> 0 dkg@wheezy:~$ perl -wTMModule::Load::Conditional -e
> 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> 0 dkg@wheezy:~$
>
>
> but in perl 5.18.1-3, it fails harshly:
>
> 0 dkg@alice:~$ perl -wTMModule::Load::Conditional -e
> 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
> Insecure dependency in eval while running with -T switch at
> /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
> 25 dkg@alice:~$
>
> This appears to mean that any code running in taint mode that uses
> Module::Load::Conditional::can_load will fail hard. This is causing a
> crash in msva-perl, which deliberately runs in taint mode and also may
> conditionally load a handful of pre-known modules if they are present
> on the system.
>
> Marking this as important since it breaks msva-perl and probably other
> code.
Interestingly, if none of the modules that are trying to be loaded are
installed, this taint error does not show up, so the failures are
contingent on one of the conditionally-loaded modules actually being
present.
--dkg
signature.asc
Description: OpenPGP digital signature

