
[perl #62512] Insecure dependency error in sprintf under -T



# New Ticket Created by  Eric Promislow 
# Please include the string:  [perl #62512]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=62512 >



This is a bug report for perl from ericp@activestate.com,
generated with the help of perlbug 1.36 running under perl 5.10.0.


-----------------------------------------------------------------
[Please enter your report here]

This is triggered under the Perl debugger in Komodo,
with ActivePerl 5.8.10, when a program is debugged
when it's run with the -T argument.  The data all
looks correctly untainted to me, but I can't track
where overload::AddrRef gets its arguments from in
such a way that the sprintf's format statement would
be tainted.  This is a tough repro.

Ref: http://bugs.activestate.com/show_bug.cgi?id=81647

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=library
    severity=low
---
Site configuration information for perl 5.10.0:

Configured by ActiveState at Wed May 14 05:06:16 PDT 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.21-297-default, archname=i686-linux-thread-multi
    uname='linux gila 2.4.21-297-default #1 sat jul 23 07:47:39 utc 2005 i686 i686 i386 gnulinux '
    config_args='-ders -Dcc=gcc -Dusethreads -Duseithreads -Ud_sigsetjmp -Uinstallusrbinperl -Ulocincpth= -Uloclibpth= -Accflags=-DUSE_SITECUSTOMIZE -Duselargefiles -Accflags=-DPRIVLIB_LAST_IN_INC -Dprefix=/home/ericp/opt/ActivePerl-5.10.0.1003 -Dprivlib=/home/ericp/opt/ActivePerl-5.10.0.1003/lib -Darchlib=/home/ericp/opt/ActivePerl-5.10.0.1003/lib -Dsiteprefix=/home/ericp/opt/ActivePerl-5.10.0.1003/site -Dsitelib=/home/ericp/opt/ActivePerl-5.10.0.1003/site/lib -Dsitearch=/home/ericp/opt/ActivePerl-5.10.0.1003/site/lib -Dsed=/bin/sed -Duseshrplib -Dcf_by=ActiveState -Dcf_email=support@ActiveState.com'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DUSE_SITECUSTOMIZE -DPRIVLIB_LAST_IN_INC -fno-strict-aliasing -pipe -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DUSE_SITECUSTOMIZE -DPRIVLIB_LAST_IN_INC -fno-strict-aliasing -pipe'
    ccversion='', gccversion='3.3.1 (SuSE Linux)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =''
    libpth=/lib /usr/lib /usr/local/lib
    libs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/home/ericp/opt/ActivePerl-5.10.0.1003/lib/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2'

Locally applied patches:
    ACTIVEPERL_LOCAL_PATCHES_ENTRY
    33741 avoids segfaults invoking S_raise_signal() (on Linux)
    33763 Win32 process ids can have more than 16 bits
    32809 Load 'loadable object' with non-default file extension
    32728 64-bit fix for Time::Local

---
@INC for perl 5.10.0:
    /home/ericp/opt/ActivePerl-5.10.0.1003/site/lib
    /home/ericp/opt/ActivePerl-5.10.0.1003/lib
    .

---
Environment for perl 5.10.0:
    HOME=/home/ericp
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/ericp/bin:/usr/local/bin:/home/ericp/opt/ruby-1.8.6/bin:/home/ericp/opt/ActivePython-2.5.2.2/bin:/home/ericp/bin:/home/ericp/svn/apps/komodo/util/black:/home/ericp/opt/PDK-Pro-7.0.0.277058-linux/bin:/home/ericp/opt/ActivePerl-5.10.0.1003/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/bin:/bin:/usr/bin:/home/ericp/opt/ActiveTcl8.5.4.0/bin:/home/ericp/bin
    PERLDOC_PAGER=less
    PERL_BADLANG (unset)
    SHELL=/bin/bash


Follow-Ups from:
"Rafael Garcia-Suarez" <rgarciasuarez@gmail.com>
