pkgsrc-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/32812: Perl broken in 2005Q4: open with shell metas fails



        Note: There was a bad value `' for the field `Class'.
        It was set to the default value of `sw-bug'.

>Number:         32812
>Category:       pkg
>Synopsis:       Perl broken in 2005Q4: open with shell metas fails
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 13 04:35:00 +0000 2006
>Originator:     Anne Bennett
>Release:        NetBSD 3.0, pkgsrc 2005Q4 with CVS to 2006-02-12
>Environment:
System: NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: 
Mon Jan 2 17:33:19 EST 2006 
root%newquill.porcupine.montreal.qc.ca@localhost:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64
 amd64
Architecture: x86_64
Machine: amd64
>Description:
Perl fails to correctly execute an "open" statement on a command that
contains shell metacharacters.  This problem appeared within the past
week.  I was using pkgsrc "-current", and roughly tracking with CVS as
I tried to patch vulnerabilities, but the changes due to dependencies
were getting out of control and too many things were going wrong with
my system due to software changes and failures to reinstall, so this
evening I started backing down to the hopefully stable 2005Q4 branch.
I had assumed that this would fix Perl, but no.  There must be some
recent critical patch that had this as a side effect.
>How-To-Repeat:
Here is a tiny script that illustrates the problem:

  #!/usr/bin/perl -wT
  use strict;
  $ENV{"IFS"}  = " \t\n";
  $ENV{"PATH"} = "/bin:/usr/bin";
  #my $command        = "echo foo";
  my $command        = "echo foo ; echo moo";
  print("Issuing: $command\n");
  open (FOO, "$command |") or die "Error issuing: $!";
  while (<FOO>) { print("line: $_"); }
  close(FOO) or die "Error closing: $!";

When I run the above, the output is:

  Issuing: echo foo ; echo moo
  Error closing:  at /tmp/minitest line 12.


However when I run it with the other command, the one without the
shell metacharacter "semicolon", it behaves as expected:

  Issuing: echo foo
  line: foo

Note: I always "use strict" and "-wT", but just to show that those are
not triggering the problem, I stripped it down to:

  #!/usr/bin/perl
  #my $command        = "echo foo";
  my $command        = "echo foo ; echo moo";
  print("Issuing: $command\n");
  open (FOO, "$command |") or die "Error issuing: $!";
  while (<FOO>) { print("line: $_"); }
  close(FOO) or die "Error closing: $!";

... and the problem still occurs.

>Fix:
Sorry, don't know.  Not sure how this happened, but I believe it
was introduced in the past week.  If it cannot be fixed quickly,
it would be helpful to know which version is OK (in this respect),
as I have code that I use daily that it now broken.  I can probably
live with the vulnerability better than I can live without my code.

An additional data point: it's not inherent to 5.8.7, as I have an 
installation of 5.8.7 on a Linux machine at work (i386, not amd64),
and it doesn't have this problem.

Let me know if there's anything else I can test.




Home | Main Index | Thread Index | Old Index