FS#18467 - [perl-date-manip] Time zone issues in perl tainted mode
Attached to Project:
Arch Linux
Opened by ben123 (ben123) - Thursday, 25 February 2010, 22:31 GMT
Last edited by Kevin Piche (kpiche) - Friday, 10 June 2011, 02:32 GMT
Details
Description:
Ever since the following updates:

[2010-02-03 17:04] upgraded perl-date-manip (5.54-1 -> 6.05-1)
[2010-02-03 17:04] upgraded perl-error (0.17015-1 -> 0.17016-1)
[2010-02-03 17:04] upgraded perl-io-socket-ssl (1.30-1 -> 1.31-1)
[2010-02-03 17:04] upgraded perl-libwww (5.834-1 -> 5.834-2)
[2010-02-03 17:04] upgraded perl-mailtools (2.04-1 -> 2.06-1)
[2010-02-03 17:04] upgraded perl-timedate (1.16-3 -> 1.20-1)

I've had problems with one of the scripts in zoneminder that runs under tainted mode (perl -T). This issue has already been captured in the following Debian bug:
http://groups.google.com/group/linux.de … 571946fcb8

Additional info:
* package version(s) perl-date-manip-6.07-3
* config and/or log files etc.

Steps to reproduce:
Basically, a simple script below will produce the following error.

[ben@ruyi ~]$ cat ./test.pl
#!/usr/bin/perl -T
use Date::Manip;
[ben@ruyi ~]$ ./test.pl
Insecure $ENV{PATH} while running with -T switch at /usr/share/perl5/vendor_perl/Date/Manip/TZ.pm line 588, <DATA> line 335.
Compilation failed in require at ./test.pl line 2, <DATA> line 335.
BEGIN failed--compilation aborted at ./test.pl line 2, <DATA> line 335.

The reason the filer ran into this issue on Debian was that he used SysV timezone naming, which wasn't supported. However, I'm running into this error not because of illegal naming (using America/Los_Angeles), but because /etc/timezone does not exist in Arch. Instead we set it in rc.conf. When I manually created /etc/timezone with "America/Los_Angeles" in it, the error went away, so some package must be hardwired to look at /etc/timezone.

So whatever's querying the timezone (presumably perl-date-manip), could we make it do it the right way under Arch?
Closed by Kevin Piche (kpiche)
Friday, 10 June 2011, 02:32 GMT
Reason for closing: Fixed
Additional comments about closing: No longer a problem in 6.23.
http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/db4a5e571946fcb8
export TZ="America/Los_Angeles"
perl -T -MDate::Manip -e '1'
Normally Date::Manip::TZ will find the timezone by calling "/bin/date +%Z", but this is not allowed in taint mode.
More generally, there is the legitimate question whether Arch should provide another way to query the timezone: should the initscripts create /etc/timezone after sourcing /etc/rc.conf? Or export TZ accordingly? I don't think we should patch Date/Manip/TZ.pm in perl-date-manip. I would rather advise opening a ticket with the maintainer(s) of zoneminder, who in turn can pass this on to the maintainer of Date::Manip if needed.
But in case something can/should be done with the initscripts, I am also assigning this to Thomas.
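The taint failure discussed in this ticket, as an added example that is not part of the ticket and is not Date::Manip's own code: a script run with -T that looks up the zone from TZ, then /etc/timezone, then "/bin/date +%Z", validating each tainted value before use. The function names, the PATH value and the lookup order are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the ticket): find the local time zone under taint mode.
use strict;
use warnings;

# Under -T, perl refuses to run any external command while $ENV{PATH} (or the
# other shell-affecting variables below) still holds an inherited value.
# BEGIN runs this before any later "use" that shells out while loading.
BEGIN {
    $ENV{PATH} = '/bin:/usr/bin';    # assumed minimal PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

# Accept only strings shaped like a zone name or abbreviation
# (America/Los_Angeles, PST). Returning the regex capture is what untaints.
sub untaint_zone {
    my ($raw) = @_;
    return unless defined $raw;
    return $1
        if $raw =~ m{\A\s*([A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+)*)\s*\z};
    return;
}

sub local_zone {
    # 1. TZ from the environment: tainted, so validate before trusting it.
    my $zone = untaint_zone($ENV{TZ});
    return $zone if defined $zone;

    # 2. /etc/timezone where it exists: file contents are tainted as well.
    if (open my $fh, '<', '/etc/timezone') {
        my $line = <$fh>;
        close $fh;
        $zone = untaint_zone($line);
        return $zone if defined $zone;
    }

    # 3. date(1) by absolute path. The list form of open bypasses the shell,
    #    but perl still checks $ENV{PATH} before it will exec anything.
    if (open my $date, '-|', '/bin/date', '+%Z') {
        my $abbr = <$date>;
        close $date;
        return untaint_zone($abbr);
    }
    return;
}

my $zone = local_zone();
print defined $zone ? "zone: $zone\n" : "zone: unknown\n";
```

Removing the BEGIN block and unsetting TZ on a system without /etc/timezone makes step 3 die with the same "Insecure $ENV{PATH} while running with -T switch" message quoted in the report.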