Date: Fri, 29 Mar 2013 18:10:01 GMT
From: Paul Beard <paulbeard@gmail.com>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Message-ID: <201303291810.r2TIA11X006761@freefall.freebsd.org>

The following reply was made to PR ports/177416; it has been noted by GNATS.

From: Paul Beard <paulbeard@gmail.com>
To: Darren Pilgrim <ports.maintainer@evilphi.com>
Cc: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Date: Fri, 29 Mar 2013 11:02:17 -0700

This is actually a little weirder by the day. I don't know how file timestamps would revert to older dates, as I seemed to be finding.

This file is called out by postgrey when it bails on the taint error.

ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13572 May 13 2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm

If I remove the file, it then uses this one:

ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm

Then I discovered that first file doesn't actually belong to perl-5.14 but to p5-IO-1.25. The second one is installed by perl itself.

We have never compared file sizes or hashes on these files.

I pulled the list of ports needed to build postgrey:

This port requires package(s) "db47-4.7.25.4 p5-BerkeleyDB-0.51 p5-Digest-HMAC-1.03 p5-IO-Multiplex-1.13 p5-IO-Socket-INET6-2.69 p5-Net-DNS-0.72 p5-Net-Server-2.007 p5-Parse-Syslog-1.10 p5-Socket6-0.23 perl-5.14.2_3" to run.

Then I ran deinstall distclean reinstall against each of them. I see that p5-IO isn't on that list, though I assume the p5-IO-* ports depend on it.

If this is a b*rked install, it's very subtle.

postgrey will run against either of these two files, assuming they exist. It defaults to the older one that had the May 13 2009 timestamp but still bails with the taint error if you choose to run with a port but will run with the socket option. Still can't daemonize.

[root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
[root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory

The timestamp on the Socket.pm is near identical to that of the perl binary, suggesting that perl installs a Socket.pm of its own as part of the base install. So p5-IO isn't a dependency of postgrey or the p5-IO-* ports as that functionality is part of the base install of perl.

I suppose the best approach now is to remove perl and everything that depends on it, then reinstall it from scratch. But I have the strong suspicion I'll end up in the same place, that I'll have multiple IO::Socket files. It sounds like the p5-IO port should be deprecated if it's in the base install.

I really can't get my mind around how this happens: how can I remove the file by deinstalling, verify that it's gone, reinstall from a cleaned port directory, and end up with a file with an almost 4 year old timestamp?

[root@shuttle /usr/ports/devel/p5-IO]# make deinstall
===> Deinstalling for devel/p5-IO
===> Deinstalling p5-IO-1.25,1
[root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory
[root@shuttle /usr/ports/devel/p5-IO]# make reinstall
===> Installing for p5-IO-1.25,1
===> p5-IO-1.25,1 depends on file: /usr/local/bin/perl5.14.2 - found
===> Generating temporary packing list
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.so
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.bs
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Pipe.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/File.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Select.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Poll.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Handle.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Dir.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Seekable.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/INET.pm
Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/UNIX.pm
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Pipe.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::File.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Select.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::INET.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::UNIX.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Poll.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Dir.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Handle.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Seekable.3
Installing /usr/local/lib/perl5/5.14.2/man/man3/IO.3
===> Compressing manual pages for p5-IO-1.25,1
===> Registering installation for p5-IO-1.25,1
[root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
-r--r--r-- 1 root wheel 13572 May 13 2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm

So at this point, I think generating a list of installed ports, removing everything, and reinstalling from scratch seems like a good idea. Tedious and likely to require a lot more supervision than I care to provide. I have not found an automated way to do this other than to simply list the ports as a list and build them. portmaster's man page offers some guidance on a process but I never got it to run to completion.

Running this [ ls /var/db/pkg/p5* | grep : | sed 's/\(.*\)-/\1\ /' | cut -d" " -f1] to generate a list of ports should work though it didn't last time I tried it, obviously. What would be useful is a check to see if a port is depended on.
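
The message above turns on two copies of IO/Socket.pm living in different Perl library directories, with the site_perl copy picked up first. As an added example (not part of the original message or of any FreeBSD tool), the shell function below takes library directories in search order and lists every module that exists in more than one of them, together with whether the copies differ; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Perl modules that exist in more than one library
# directory. Arguments are directories in search order (first match wins),
# for instance the output of:  perl -e 'print "$_\n" for @INC'
# Output columns (tab separated): module, loaded-from dir, shadowed dir, same|differs
find_shadowed() {
    for winner in "$@"; do
        [ -d "$winner" ] || continue
        ( cd "$winner" && find . -type f -name '*.pm' ) | sed 's|^\./||' | sort |
        while IFS= read -r rel; do
            past=0
            for d in "$@"; do
                if [ "$d" = "$winner" ]; then past=1; continue; fi
                if [ "$past" -eq 0 ]; then
                    # An earlier directory already holds this module, so the
                    # copy in $winner is never loaded; it was reported there.
                    if [ -f "$d/$rel" ]; then break; fi
                    continue
                fi
                [ -f "$d/$rel" ] || continue
                if cmp -s "$winner/$rel" "$d/$rel"; then state=same; else state=differs; fi
                printf '%s\t%s\t%s\t%s\n' "$rel" "$winner" "$d" "$state"
            done
        done
    done
}

# Constructed sample tree mimicking the layout in the message; file contents
# are made up, only the directory structure follows the paths quoted above.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    site="$root/site_perl/5.14.2/mach"; core="$root/5.14.2/mach"
    mkdir -p "$site/IO" "$core/IO"
    echo 'package IO::Socket; # p5-IO copy' > "$site/IO/Socket.pm"
    echo 'package IO::Socket; # core copy'  > "$core/IO/Socket.pm"
    echo 'package IO::Handle;' > "$site/IO/Handle.pm"
    cp "$site/IO/Handle.pm" "$core/IO/Handle.pm"
    echo 'package POSIX;' > "$core/POSIX.pm"   # only in core: not reported
    echo "$root"
}

root=$(make_sample_tree)
find_shadowed "$root/site_perl/5.14.2/mach" "$root/5.14.2/mach"
rm -rf "$root"
```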