FS#18467 - [perl-date-manip] Time zone issues in perl tainted mode

Attached to Project: Arch Linux
Opened by ben123 (ben123) - Thursday, 25 February 2010, 22:31 GMT
Last edited by Kevin Piche (kpiche) - Friday, 10 June 2011, 02:32 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Kevin Piche (kpiche), Thomas Bächler (brain0), Francois Charette (Firmicus)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Ever since the following updates:

[2010-02-03 17:04] upgraded perl-date-manip (5.54-1 -> 6.05-1)
[2010-02-03 17:04] upgraded perl-error (0.17015-1 -> 0.17016-1)
[2010-02-03 17:04] upgraded perl-io-socket-ssl (1.30-1 -> 1.31-1)
[2010-02-03 17:04] upgraded perl-libwww (5.834-1 -> 5.834-2)
[2010-02-03 17:04] upgraded perl-mailtools (2.04-1 -> 2.06-1)
[2010-02-03 17:04] upgraded perl-timedate (1.16-3 -> 1.20-1)

I've had problems with one of the scripts in zoneminder that runs under tainted mode (perl -T). This issue has already been captured in the following Debian bug:

http://groups.google.com/group/linux.de … 571946fcb8

Additional info:
* package version(s)
perl-date-manip-6.07-3
* config and/or log files etc.

Steps to reproduce:

Basically, a simple script below will produce the following error.

[ben@ruyi ~]$ cat ./test.pl
#!/usr/bin/perl -T
use Date::Manip;

[ben@ruyi ~]$ ./test.pl
Insecure $ENV{PATH} while running with -T switch at /usr/share/perl5/vendor_perl/Date/Manip/TZ.pm line 588, <DATA> line 335.
Compilation failed in require at ./test.pl line 2, <DATA> line 335.
BEGIN failed--compilation aborted at ./test.pl line 2, <DATA> line 335.

The reason the filer ran into this issue on Debian was he used SysV timezone naming which wasn't supported. However, I'm running into this error not because of illegal naming (using America/Los_Angeles), but because /etc/timezone does not exist in Arch. Instead we set it in rc.conf.

When I manually created /etc/timezone with "America/Los_Angeles" in it, the error went away, so some package must be hardwired to look at /etc/timezone.

So whatever's querying the timezone (presumably perl-date-manip), could we make it do it the right way under Arch?

Closed by  Kevin Piche (kpiche)
Friday, 10 June 2011, 02:32 GMT
Reason for closing:  Fixed
Additional comments about closing:  No longer a problem in 6.23.
Comment by ben123 (ben123) - Thursday, 25 February 2010, 22:32 GMT

Comment by Francois Charette (Firmicus) - Tuesday, 09 March 2010, 09:56 GMT
Date::Manip::TZ also checks for the environment variable TZ. So the problem won't occur if you do:
export TZ="America/Los_Angeles"
perl -T -MDate::Manip -e '1'

Normally Date::Manip::TZ will find the timezone by calling "/bin/date +%Z", but this is not allowed in taint mode.

More generally, there is the legitimate question whether Arch should provide another way to query the timezone: should the initscripts create /etc/timezone after sourcing /etc/rc.conf? Or export TZ accordingly? I don't think we should patch Date/Manip/TZ.pm in perl-date-manip. I would rather advise opening a ticket with the maintainer(s) of zoneminder, who in turn can pass this on to the maintainer of Date::Manip if needed.

But in case something can/should be done with the initscripts, I am also assigning this to Thomas.
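
The taint check behind the error above, as an added example that is not part of this ticket, of Date::Manip or of zoneminder: it runs the same "/bin/date +%Z" command under -T, first with the inherited environment and then after the environment clean-up described in perlsec. The file name, the helper zone_from_date and the TZ pattern are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as ./tz_taint.pl or "perl -T tz_taint.pl"
# (tz_taint.pl is a hypothetical file name).
use strict;
use warnings;

# Hypothetical helper: ask date(1) for the zone abbreviation, the command
# the comment above says Date::Manip::TZ falls back to.
# Returns (zone, undef) on success or (undef, error) if perl refused to run it.
sub zone_from_date {
    my $out = eval { `/bin/date +%Z` };
    return (undef, $@) if $@;
    chomp $out if defined $out;
    return ($out, undef);
}

# 1. Inherited environment: every %ENV value is tainted under -T, and perl
#    will not start a child process while $ENV{PATH} is tainted.
my ($zone, $err) = zone_from_date();
print "before: ", (defined $err ? "refused: $err" : "zone=$zone\n");

# 2. Clean-up from perlsec: a fixed PATH, and the variables that can change
#    how a shell or child process behaves removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# TZ is not one of the variables perl checks, but date(1) and Date::Manip::TZ
# both read it, so keep it only if it looks like a zone name (assumed pattern,
# matches names such as America/Los_Angeles); the capture untaints the value.
if (defined $ENV{TZ}
    && $ENV{TZ} =~ m{\A([A-Za-z0-9_+-]+(?:/[A-Za-z0-9_+-]+)*)\z}) {
    $ENV{TZ} = $1;
} else {
    delete $ENV{TZ};
}

($zone, $err) = zone_from_date();
print "after:  ", (defined $err ? "refused: $err" : "zone=$zone\n");
```

In a script that loads Date::Manip, the same clean-up has to sit in a BEGIN block placed before "use Date::Manip", because the failure reported in this ticket happens while the module is being compiled.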
Comment by Caleb Cushing (xenoterracide) - Thursday, 29 July 2010, 17:02 GMT
I'm just curious... has this bug been reported upstream? I see a link to a debian bug... but that's not upstream... what do the actual perl module developers say?
Comment by Francois Charette (Firmicus) - Thursday, 29 July 2010, 21:04 GMT
You are welcome to file a bug report to the devs of Date::Manip and/or zoneminder if you want, with links to the debian bug report and this one :)
Comment by Kevin Piche (kpiche) - Friday, 18 February 2011, 16:24 GMT
I think the initscripts should set /etc/timezone but I don't know if that will affect any startup stuff.
Comment by Caleb Cushing (xenoterracide) - Friday, 18 February 2011, 21:54 GMT
I just get the feeling that this is a bug in upstream... a lot of perl modules don't sanitize things in a way that works with Taint, and some are quite proud of that... but no one here is apparently going to report to upstream... to find out if it's really a distro level bug. (I'm unwatching this btw)
