Insecure dependency using IPC::Cmd in Perl 5.16.1 #12504

Closed
p5pRT opened this issue Oct 20, 2012 · 15 comments

Comments

@p5pRT

p5pRT commented Oct 20, 2012

Migrated from rt.perl.org#115370 (status was 'resolved')

Searchable as RT115370$

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project. One issue
we've run into is an insecure dependency issue. It only happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and Strawberry
Perl on Windows.

This sounds like a bug report, so I have moved it into the RT system.
Please follow up at rt.perl.org.

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

Created by @jkeenan

[Reported on perl-perl5porters by George Clark <geoperl@​fenachrone.com>.]

We've been looking at using IPC​::Cmd in the Foswiki project.
One issue we've run into is an insecure dependency issue.
It only happens with Perl 5.16.1. I've confirmed it with
perlbrew on linux, and Strawberry Perl on Windows.

The IPC​::Cmd fails with any use, when it attempts to
determine if open3 or run are available. Here is a
demonstration​:

perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp::confess( @_ ) };use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'

Insecure dependency in eval while running with -T switch at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Metadata.pm line 631, <GEN3> line 14.
 at -e line 1, <GEN3> line 14.
  main::__ANON__('Insecure dependency in eval while running with -T switch at /...') called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Metadata.pm line 631
  Module::Metadata::_evaluate_version_line('Module::Metadata=HASH(0x8435458)', '$', 'VERSION', '$VERSION = "1.21";') called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Metadata.pm line 580
  Module::Metadata::_parse_fh('Module::Metadata=HASH(0x8435458)', 'FileHandle=GLOB(0x8456898)') called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Metadata.pm line 358
  Module::Metadata::_init('Module::Metadata', undef, '/home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/5.16.1/i686-li...', 'handle', 'FileHandle=GLOB(0x8456898)') called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Metadata.pm line 79
  Module::Metadata::new_from_handle('Module::Metadata', 'FileHandle=GLOB(0x8456898)', '/home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/5.16.1/i686-li...') called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Load/Conditional.pm line 257
  Module::Load::Conditional::check_install('module', 'IO::Select', 'version', 0.0) called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/Module/Load/Conditional.pm line 415
  Module::Load::Conditional::can_load('modules', 'HASH(0x817ecc8)', 'verbose', 0) called at /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/5.16.1/IPC/Cmd.pm line 156
  IPC::Cmd::can_use_ipc_open3('IPC::Cmd') called at -e line 1

Perl Info

Flags:
    category=library
    severity=low
    module=IPC::Cmd

Site configuration information for perl 5.16.0:

Configured by jimk at Sun May 20 20:01:26 EDT 2012.

Summary of my perl5 (revision 5 version 16 subversion 0) configuration:
   
  Platform:
    osname=darwin, osvers=8.11.0, archname=darwin-2level
    uname='darwin macintosh-8.local 8.11.0 darwin kernel version 8.11.0: wed oct 10 18:26:00 pdt 2007; root:xnu-792.24.17~1release_ppc power macintosh powerpc '
    config_args='-des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-common -DPERL_DARWIN -fno-strict-aliasing -pipe -I/usr/local/include -I/opt/local/include',
    optimize='-O3',
    cppflags='-fno-common -DPERL_DARWIN -fno-strict-aliasing -pipe -I/usr/local/include -I/opt/local/include'
    ccversion='', gccversion='4.0.1 (Apple Computer, Inc. build 5250)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='env MACOSX_DEPLOYMENT_TARGET=10.3 cc', ldflags =' -L/usr/local/lib -L/opt/local/lib'
    libpth=/usr/local/lib /opt/local/lib /usr/lib
    libs=-ldbm -ldl -lm -lc
    perllibs=-ldl -lm -lc
    libc=, so=dylib, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags=' -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib'

Locally applied patches:
    


@INC for perl 5.16.0:
    /usr/local/lib/perl5/site_perl/5.16.0/darwin-2level
    /usr/local/lib/perl5/site_perl/5.16.0
    /usr/local/lib/perl5/5.16.0/darwin-2level
    /usr/local/lib/perl5/5.16.0
    /usr/local/lib/perl5/site_perl/5.14.2
    /usr/local/lib/perl5/site_perl/5.14.0
    /usr/local/lib/perl5/site_perl/5.12.0
    /usr/local/lib/perl5/site_perl/5.10.1
    /usr/local/lib/perl5/site_perl/5.10.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl 5.16.0:
    DYLD_LIBRARY_PATH=/Users/jimk/work/pseudoinstall/lib:/Users/jimk/gitwork/parrot/blib/lib
    HOME=/Users/jimk
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/opt/local/bin:/opt/local/sbin:/usr/local/bin:/opt/local/bin:/opt/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/Users/jimk/bin:/Users/jimk/bin/perl:/Users/jimk/bin/c:/Users/jimk/bin/shell:/sw/lib:/sw/bin:/Users/jimk/bin:/Users/jimk/bin/perl:/Users/jimk/bin/c:/Users/jimk/bin/shell:/sw/lib:/sw/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project. One issue
we've run into is an insecure dependency issue. It only happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp::confess( @_ ) };use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
$
#####

@p5pRT

p5pRT commented Oct 20, 2012

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project. One
issue
we've run into is an insecure dependency issue. It only happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ ) };use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented Oct 20, 2012

From [email protected]

On 10/19/2012 10​:54 PM, James E Keenan via RT wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project. One
issue
we've run into is an insecure dependency issue. It only happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and Strawberry
Perl on Windows.
I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ ) };use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####
I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

Thank you very much.
Jim Keenan

Here are the details on the perl version where I've recreated it on
Linux. I can provide the same information for Strawberry on windows if
it would help.

Summary of my perl5 (revision 5 version 16 subversion 1) configuration​:
 
  Platform​:
  osname=linux, osvers=3.3.8-gentoo, archname=i686-linux
  uname='linux cardinal 3.3.8-gentoo #1 smp sun sep 16 10​:46​:38 edt
2012 i686 genuine intel(r) cpu t2500 @​ 2.00ghz genuineintel gnulinux '
  config_args='-de -Dprefix=/home/gac/perl5/perlbrew/perls/perl-5.16.1'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=undef, use64bitall=undef, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector'
  ccversion='', gccversion='4.5.4', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib/../lib /usr/lib/../lib /lib /usr/lib
  libs=-lnsl -lndbm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=/lib/libc-2.15.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.15'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib
-fstack-protector'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_DONT_CREATE_GVSV
  PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 17 2012 11​:07​:24
  %ENV​:
  PERLBREW_BASHRC_VERSION="0.30"
  PERLBREW_HOME="/home/gac/.perlbrew"
  PERLBREW_LIB=""
  PERLBREW_MANPATH="/home/gac/perl5/perlbrew/perls/perl-5.16.1/man"
 
PERLBREW_PATH="/home/gac/perl5/perlbrew/bin​:/home/gac/perl5/perlbrew/perls/perl-5.16.1/bin"
  PERLBREW_PERL="perl-5.16.1"
  PERLBREW_ROOT="/home/gac/perl5/perlbrew"
  PERLBREW_VERSION="0.50"
  @​INC​:
 
/home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1/i686-linux
  /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/site_perl/5.16.1
  /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/5.16.1/i686-linux
  /home/gac/perl5/perlbrew/perls/perl-5.16.1/lib/5.16.1

@p5pRT

p5pRT commented Oct 20, 2012

From @b2gills

On Fri, Oct 19, 2012 at 9​:54 PM, James E Keenan via RT
<perlbug-followup@​perl.org> wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project. One
issue
we've run into is an insecure dependency issue. It only happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ ) };use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

I have been able to reproduce this with 5.14.1 5.16.0 and 5.16.1
(64bit Ubuntu linux)

None of the tests pass with taint mode enabled for these modules​:

IPC​::Cmd
Module​::Metadata
Module​::Load
Module​::Load​::Conditional

( The last one reports the failure as coming from Test​::Builder )

I keep them up-to-date with CPAN, so that may be where the discrepancy
comes from.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=115370

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

On Fri Oct 19 20​:17​:27 2012, brad wrote​:

On Fri, Oct 19, 2012 at 9​:54 PM, James E Keenan via RT
<perlbug-followup@​perl.org> wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project.
One
issue
we've run into is an insecure dependency issue. It only
happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and
Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ )
};use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

I have been able to reproduce this with 5.14.1 5.16.0 and 5.16.1
(64bit Ubuntu linux)

And I have now been able to reproduce the errors with blead​:

[same error output as originally reported]

./perl -I./lib -v
This is perl 5, version 17, subversion 5 (v5.17.5
(v5.17.4-332-g7b37959*)) built for darwin-2level

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented Oct 20, 2012

From @jkeenan

On Sat Oct 20 06​:49​:05 2012, jkeenan wrote​:

On Fri Oct 19 20​:17​:27 2012, brad wrote​:

On Fri, Oct 19, 2012 at 9​:54 PM, James E Keenan via RT
<perlbug-followup@​perl.org> wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project.
One
issue
we've run into is an insecure dependency issue. It only
happens with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and
Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ )
};use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

I have been able to reproduce this with 5.14.1 5.16.0 and 5.16.1
(64bit Ubuntu linux)

And I have now been able to reproduce the errors with blead​:

[same error output as originally reported]

./perl -I./lib -v
This is perl 5, version 17, subversion 5 (v5.17.5
(v5.17.4-332-g7b37959*)) built for darwin-2level

I should add that the errors came with taint mode; untainted worked
fine (no STDOUT or STDERR).

@p5pRT

p5pRT commented Dec 14, 2013

From @jkeenan

On Fri Oct 19 20​:17​:27 2012, brad wrote​:

On Fri, Oct 19, 2012 at 9​:54 PM, James E Keenan via RT
<perlbug-followup@​perl.org> wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project.
One
issue
we've run into is an insecure dependency issue. It only happens
with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and
Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ )
};use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

I have been able to reproduce this with 5.14.1 5.16.0 and 5.16.1
(64bit Ubuntu linux)

None of the tests pass with taint mode enabled for these modules​:

IPC​::Cmd
Module​::Metadata
Module​::Load
Module​::Load​::Conditional

( The last one reports the failure as coming from Test​::Builder )

I keep them up-to-date with CPAN, so that may be where the discrepancy
comes from.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=115370

I looked at this ticket again this morning. To recap​:

#####
$ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line 14.
#####

Still present in blead.

IPC​::Cmd->can_use_ipc_open3() relies on this chain of functions​:

Module​::Load​::Conditional​::can_load
Module​::Load​::Conditional​::check_install
Module​::Metadata​::new_from_handle
Module​::Metadata​::_init
Module​::Metadata​::_parse_fh
Module​::Metadata​::_evaluate_version_line

And _evaluate_version_line contains a string 'eval' at what is now line 671 of lib/Module/Metadata.pm (v1.000019). Something tainted is causing that 'eval' to blow up. My hunch is that the insecure dependency is being introduced *above* the call to Module​::Metadata​::new_from_handle, but I haven't figured out how to write a test case for that.

Ideas?

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented Dec 14, 2013

From @jkeenan

On Sat Dec 14 07​:54​:10 2013, jkeenan wrote​:

On Fri Oct 19 20​:17​:27 2012, brad wrote​:

On Fri, Oct 19, 2012 at 9​:54 PM, James E Keenan via RT
<perlbug-followup@​perl.org> wrote​:

On Fri Oct 19 19​:50​:47 2012, jkeenan wrote​:

On Fri Oct 19 19​:42​:48 2012, jkeen@​verizon.net wrote​:

On 10/19/12 10​:07 PM, George Clark wrote​:

We've been looking at using IPC​::Cmd in the Foswiki project.
One
issue
we've run into is an insecure dependency issue. It only
happens
with
Perl 5.16.1. I've confirmed it with perlbrew on linux, and
Strawberry
Perl on Windows.

I was unable to reproduce this on either Darwin/PPC or Linux/i386​:

#####
$ perl -T -e'use Carp; $SIG{ __DIE__ } = sub { Carp​::confess( @​_ )
};use
IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
$
#####

I should have added that I'm running Perl 5.16.0 on both of those
machines. So that admits the possibility of a problem creeping in
between 5.16.0 and 5.16.1.

I have been able to reproduce this with 5.14.1 5.16.0 and 5.16.1
(64bit Ubuntu linux)

None of the tests pass with taint mode enabled for these modules​:

IPC​::Cmd
Module​::Metadata
Module​::Load
Module​::Load​::Conditional

( The last one reports the failure as coming from Test​::Builder )

I keep them up-to-date with CPAN, so that may be where the
discrepancy
comes from.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=115370

I looked at this ticket again this morning. To recap​:

#####
$ perl -T -e'use IPC​::Cmd;IPC​::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at
/usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line
14.
#####

Still present in blead.

IPC​::Cmd->can_use_ipc_open3() relies on this chain of functions​:

Module​::Load​::Conditional​::can_load
Module​::Load​::Conditional​::check_install
Module​::Metadata​::new_from_handle
Module​::Metadata​::_init
Module​::Metadata​::_parse_fh
Module​::Metadata​::_evaluate_version_line

And _evaluate_version_line contains a string 'eval' at what is now
line 671 of lib/Module/Metadata.pm (v1.000019). Something tainted is
causing that 'eval' to blow up. My hunch is that the insecure
dependency is being introduced *above* the call to
Module​::Metadata​::new_from_handle, but I haven't figured out how to
write a test case for that.

The relevant code is this part of cpan/Module-Metadata/lib/Module/Metadata.pm, starting at line 514 in the version in blead​:

#####
sub _parse_fh {
  my ($self, $fh) = @_;
...
  while (defined( my $line = <$fh> )) {
#####

$line is being read from a filehandle and is, therefore, tainted at this point. It is eventually passed to Module​::Metadata​::_evaluate_version_line(), inside of which the 'eval string' occurs, which is the point where the program fails due to the insecure dependency.

To resolve the problem in this ticket we would have to untaint $line after reading from the filehandle. Whether we *should* do that is something we'll have to discuss. Will ping the maintainer.

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented May 18, 2014

From @jkeenan

On Sat Dec 14 12​:59​:03 2013, jkeenan wrote​:
[snip]

The relevant code is this part of cpan/Module-
Metadata/lib/Module/Metadata.pm, starting at line 514 in the version

[snip]

To resolve the problem in this ticket we would have to untaint $line
after reading from the filehandle. Whether we *should* do that is
something we'll have to discuss. Will ping the maintainer.

Cross-filed this today​:
Perl-Toolchain-Gang/Module-Metadata#9

@p5pRT

p5pRT commented Jun 3, 2014

From @jkeenan

On Sat Dec 14 07​:54​:10 2013, jkeenan wrote​:

#####
$ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at
/usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line
14.
#####

Still present in blead.

With recent updates to Module-Metadata, I believe this problem has been fixed in perl 5.20.0.

#####
[p5p] 7 $ perl -v | head -2 | tail -1
This is perl 5, version 20, subversion 0 (v5.20.0) built for x86_64-linux
[p5p] 8 $ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
[p5p] 9 $
#####

Can the contributors to this RT please confirm this finding?

Once confirmed, we can close this ticket, and probably also​:

Perl-Toolchain-Gang/Module-Metadata#9
https://rt.cpan.org/Ticket/Display.html?id=89283

Thank you very much.
Jim Keenan

@p5pRT

p5pRT commented Jun 4, 2014

From @karenetheridge

On Tue Jun 03 15​:05​:12 2014, jkeenan wrote​:

With recent updates to Module-Metadata, I believe this problem has
been fixed in perl 5.20.0.
Can the contributors to this RT please confirm this finding?
Once confirmed, we can close this ticket, and probably also​:

Perl-Toolchain-Gang/Module-Metadata#9
https://rt.cpan.org/Ticket/Display.html?id=89283

Using the reproduction case in the first post to this ticket, I did a git
bisect in Module-Metadata's repository, and can confirm that the problem was
fixed by this commit​:

  commit 5ae49e269f33276abfc59fe5446aa3e02fa8699f
  Author​: Karen Etheridge <ether@​cpan.org>
  Date​: Tue Sep 10 17​:33​:08 2013 -0700

  detaint version, if needed (RT#88576, Chris Williams)

...which is in Module-Metadata-1.000017, first shipped with perl 5.19.5.
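
The mechanism diagnosed earlier in this thread (a line read from a filehandle reaching a string eval under -T) and the "detaint" approach named in the commit above, as an added Perl illustration. It is not Module::Metadata's code or the code of that commit; the sub names, the sample module text and the version pattern are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration. Run as:  perl -T taint_eval_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed stand-in for a module file. The first $VERSION line is the
# one visible in the stack trace of the original report.
my $module_source = <<'END';
package Demo::Module;
$VERSION = "1.21";
$VERSION = sprintf("%d.%02d", 1, 21);
1;
END

# Before: splice the raw line into a code string and string-eval it.
# Under -T the taint check fires before the string eval is entered, so
# only the outer block eval can trap the exception.
sub version_by_raw_eval {
    my ($line) = @_;
    my $code    = "my \$VERSION; $line; \$VERSION";
    my $version = eval { eval $code };
    return ($version, $@);
}

# After: accept only a literal version and keep the captured group.
# Captures are untainted unless "use re 'taint'" or locale-aware matching
# is in effect, so the result is clean and nothing has to be eval'ed.
sub version_by_untaint {
    my ($line) = @_;
    return unless $line =~
        /^\s*\$VERSION\s*=\s*(["']?)(v?[0-9]+(?:\.[0-9]+)*(?:_[0-9]+)?)\1\s*;\s*$/;
    my $version = $2;
    return $version;
}

# Any readline result is marked tainted under -T, including lines read
# from this in-memory handle, just like lines read from a file on disk.
open my $fh, '<', \$module_source or die "open: $!";
while (defined(my $line = <$fh>)) {
    next unless $line =~ /\$VERSION\b/;
    chomp $line;
    printf "%s\n  read from handle, tainted: %s\n",
        $line, tainted($line) ? 'yes' : 'no';

    my ($version, $error) = version_by_raw_eval($line);
    print '  raw eval: ', defined $version ? "$version\n" : "refused: $error";

    my $clean = version_by_untaint($line);
    printf "  allow-list capture: %s (tainted: %s)\n",
        $clean // 'rejected', tainted($clean) ? 'yes' : 'no';
}
close $fh;
```

The allow-list pattern rejects the computed `sprintf` version line; that is the trade-off of untainting by pattern instead of evaluating arbitrary file content.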

@p5pRT

p5pRT commented Jun 4, 2014

@jkeenan - Status changed from 'open' to 'resolved'
