pkgsrc-Users archive


Re: postgrey and perl-5.18.0



On Sun, Jul 14, 2013 at 03:56:33AM +0000, Valeriy E. Ushakov wrote:
> Valery Ushakov <uwe%stderr.spb.ru@localhost> wrote:
> 
> > I've just run into the same problem.
> > 
> > Martin Husemann <martin%duskware.de@localhost> wrote:
> > 
> >> I removed the -T from the interpreter line and now it works.
> >> Of course this is not good (tm), but it points at the issue.
> >> Is there any way to get a stacktrace when a tainted check fails?
> >> On another machine I can break it even earlier:
> >> 
> >> # postgrey -v -i 2525
> >> 2013/06/01-19:47:40 postgrey (type Net::Server::Multiplex) starting! 
> >> pid(6443)
> >> Resolved [localhost]:2525 to [::1]:2525, IPv6
> >> Resolved [localhost]:2525 to [127.0.0.1]:2525, IPv4
> >> Binding to TCP port 2525 on host ::1 with IPv6
> >> Insecure dependency in socket while running with -T switch at 
> >> /usr/pkg/lib/perl5/5.18.0/i386-netbsd-thread-multi/IO/Socket.pm line 81.
> >> 
> >> That line is a socket() call, but I can not figure out from where
> >> it is called or with which args.
> > 
> > ktrace'ing shows that perl complains about:
> > 
> >  ERROR: Insecure dependency in open while running with -T switch at
> >  /usr/pkg/lib/perl5/vendor_perl/5.18.0/Net/Server/Daemonize.pm line 75.
> > 
> > If you pre-create a pid-file, it complains about insecure dependency
> > on unlink :)
> 
> Thanks to moof@ for the hint.  pidfile argument is tainted.  dbdir is
> too, but it's untainted at line 550, so I just added after that:
> 
>     # XXX: untaint pidfile
>     if($opt{pidfile}) { 
>         $opt{pidfile} =~ /^(.*)$/; $opt{pidfile} = $1;
>     }
> 
> and it works.

I've tried making that a patch for pkgsrc and including it in the
package. Please check if I understood correctly, and feed it upstream
in case there still is one.

Thanks,
 Thomas
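
Added example (not part of the original thread and not postgrey's own code): a stricter form of the pidfile untaint step quoted above, which accepts the value only if it matches an allowlist instead of capturing everything with /^(.*)$/. The helper name untaint_pidfile, the allowed character set and the sample paths are assumptions made for illustration.

```perl
# Run as: perl -T untaint_pidfile.pl   (file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper, not part of postgrey or Net::Server.
# Returns an untainted copy of $path if it passes the allowlist, else undef.
sub untaint_pidfile {
    my ($path) = @_;
    return unless defined $path;
    # Absolute path built from a conservative character set. \A and \z anchor
    # the whole string, so an embedded or trailing newline does not match.
    return unless $path =~ m{\A(/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+)\z};
    my $clean = $1;    # a regex capture is the documented way to untaint
    # Refuse "." and ".." components so the path cannot climb directories.
    return if grep { $_ eq '.' || $_ eq '..' } split m{/}, $clean;
    return $clean;
}

# Zero-length tainted string; appending it taints a constructed sample value
# the way a command-line option would be tainted under -T.
my $taint = substr("$0$^X", 0, 0);

# Constructed sample inputs (assumed values, not taken from the thread).
my @samples = (
    "/var/run/postgrey.pid",
    "/var/run/../../etc/passwd",
    "postgrey.pid",
    "/var/run/postgrey.pid\n",
    "/tmp/postgrey pid;x",
);

for my $raw (@samples) {
    my $in  = $raw . $taint;
    my $out = untaint_pidfile($in);
    (my $shown = $raw) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-30s tainted_in=%d -> %s\n", $shown, (tainted($in) ? 1 : 0),
        defined $out
        ? "accepted, tainted_out=" . (tainted($out) ? 1 : 0)
        : "rejected";
}
```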

