ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Paul Beard
paulbeard at gmail.com
Fri Mar 29 18:10:01 UTC 2013
The following reply was made to PR ports/177416; it has been noted by GNATS.
From: Paul Beard <paulbeard at gmail.com>
To: Darren Pilgrim <ports.maintainer at evilphi.com>
Cc: "bug-followup at FreeBSD.org" <bug-followup at FreeBSD.org>
Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Date: Fri, 29 Mar 2013 11:02:17 -0700
This is actually a little weirder by the day. I don't know how file
timestamps would revert to older dates, as I seemed to be finding.
This file is called out by postgrey when it bails on the taint error.
ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13572 May 13 2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
If I remove the file, it then uses this one:
ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
Then I discovered that first file doesn't actually belong to perl-5.14
but to p5-IO-1.25. The second one is installed by perl itself.
We have never compared file sizes or hashes on these files.
I pulled the list of ports needed to build postgrey:
This port requires package(s) "db47-4.7.25.4 p5-BerkeleyDB-0.51
p5-Digest-HMAC-1.03 p5-IO-Multiplex-1.13 p5-IO-Socket-INET6-2.69
p5-Net-DNS-0.72 p5-Net-Server-2.007 p5-Parse-Syslog-1.10 p5-Socket6-0.23
perl-5.14.2_3" to run.
Then I ran deinstall distclean reinstall against each of them. I see
that p5-IO isn't on that list, though I assume the p5-IO-* ports depend
on it.
If this is a b*rked install, it's very subtle.
postgrey will run against either of these two files, assuming they
exist. It defaults to the older one that had the May 13 2009 timestamp
but still bails with the taint error if you choose to run with a port
but will run with the socket option. Still can't daemonize.
[root at shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
[root at shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory
The timestamp on the Socket.pm is near identical to that of the perl
binary, suggesting that perl installs a Socket.pm of its own as part of
the base install. So p5-IO isn't a dependency of postgrey or the p5-IO-*
ports as that functionality is part of the base install of perl.
I suppose the best approach now is to remove perl and everything that
depends on it, then reinstall it from scratch. But I have the strong
suspicion I'll end up in the same place, that I'll have multiple
IO::Socket files. It sounds like the p5-IO port should be deprecated if
it's in the base install.
I really can't get my mind around how this happens: how can I remove the
file by deinstalling, verify that it's gone, reinstall from a cleaned
port directory, and end up with a file with an almost 4 year old
timestamp?
[root at shuttle /usr/ports/devel/p5-IO]# make deinstall
===> Deinstalling for devel/p5-IO
===> Deinstalling p5-IO-1.25,1
[root at shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory
[root at shuttle /usr/ports/devel/p5-IO]# make reinstall
===> Installing for p5-IO-1.25,1
===> p5-IO-1.25,1 depends on file: /usr/local/bin/perl5.14.2 - found
===> Generating temporary packing list
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.so
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.bs
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Pipe.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/File.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Select.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Poll.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Handle.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Dir.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Seekable.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/INET.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/UNIX.pm
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Pipe.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::File.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Select.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::INET.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::UNIX.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Poll.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Dir.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Handle.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Seekable.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO.3
===> Compressing manual pages for p5-IO-1.25,1
===> Registering installation for p5-IO-1.25,1
[root at shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13572 May 13 2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
So at this point, I think generating a list of installed ports, removing
everything, and reinstalling from scratch seems like a good idea.
Tedious and likely to require a lot more supervision than I care to
provide. I have not found an automated way to do this other than to
simply list the ports as a list and build them. portmaster's man page
offers some guidance on a process but I never got it to run to
completion.
Running this [ ls /var/db/pkg/p5* | grep : | sed 's/\(.*\)-/\1\ /' | cut -d" " -f1 ]
to generate a list of ports should work though it didn't last
time I tried it, obviously. What would be useful is a check to see if a
port is depended on.
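
The situation described in the message above, the same IO/Socket.pm present under both the site_perl tree and the core library tree with the two copies never compared, can be checked mechanically. This is an added example, not part of the original message or of the ports tree; the function name find_shadowed and its two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: list Perl modules that exist in BOTH a site_perl tree and
# the core library tree, and report whether the two copies are identical.
# A module found in both places means whichever directory comes first in
# @INC silently decides which copy a program such as postgrey loads.

# find_shadowed SITE_DIR CORE_DIR   (hypothetical helper name)
# Prints one line per duplicated module:
#   <relative path> <same|differs> <site bytes> <core bytes>
find_shadowed() {
    site=$1
    core=$2
    # Enumerate every .pm under the site tree as a path relative to it.
    # LC_ALL=C keeps the ordering stable regardless of the user's locale.
    (cd "$site" && find . -type f -name '*.pm' | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        # Only modules that also exist in the core tree are of interest.
        [ -f "$core/$rel" ] || continue
        # wc output may be padded with spaces; $(( )) normalises it.
        s_bytes=$(( $(wc -c < "$site/$rel") ))
        c_bytes=$(( $(wc -c < "$core/$rel") ))
        # cmp compares content byte for byte, so equal sizes are not enough.
        if cmp -s "$site/$rel" "$core/$rel"; then
            state=same
        else
            state=differs
        fi
        printf '%s %s %s %s\n' "$rel" "$state" "$s_bytes" "$c_bytes"
    done
}

# When invoked with two directories, run the check on them, e.g. the two
# trees named in the message:
#   sh shadowed.sh /usr/local/lib/perl5/site_perl/5.14.2/mach \
#                  /usr/local/lib/perl5/5.14.2/mach
if [ "$#" -eq 2 ]; then
    find_shadowed "$1" "$2"
fi
```

Each line of output names a module that a reinstall of only one of the two owning packages will not unify.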