Date:      Fri, 29 Mar 2013 18:10:01 GMT
From:      Paul Beard <paulbeard@gmail.com>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Message-ID:  <201303291810.r2TIA11X006761@freefall.freebsd.org>

The following reply was made to PR ports/177416; it has been noted by GNATS.

From: Paul Beard <paulbeard@gmail.com>
To: Darren Pilgrim <ports.maintainer@evilphi.com>
Cc: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking
Date: Fri, 29 Mar 2013 11:02:17 -0700

 This is actually a little weirder by the day. I don't know how file
 timestamps would revert to older dates, as I seemed to be finding.
 
 This file is called out by postgrey when it bails on the taint error.
 ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 -r--r--r--  1 root  wheel  13572 May 13  2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 
 If I remove the file, it then uses this one:
 
 ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
 -r--r--r--  1 root  wheel  13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
 
 Then I discovered that first file doesn't actually belong to perl-5.14
 but to p5-IO-1.25. The second one is installed by perl itself.
 
 We have never compared file sizes or hashes on these files.
 
 I pulled the list of ports needed to build postgrey:
 
 This port requires package(s) "db47-4.7.25.4 p5-BerkeleyDB-0.51 p5-Digest-HMAC-1.03 p5-IO-Multiplex-1.13 p5-IO-Socket-INET6-2.69 p5-Net-DNS-0.72 p5-Net-Server-2.007 p5-Parse-Syslog-1.10 p5-Socket6-0.23 perl-5.14.2_3" to run.
 
 Then I ran deinstall distclean reinstall against each of them. I see
 that p5-IO isn't on that list, though I assume the p5-IO-* ports depend
 on it.
 
 If this is a b*rked install, it's very subtle.
 
 postgrey will run against either of these two files, assuming they
 exist. It defaults to the older one that had the May 13 2009 timestamp
 but still bails with the taint error if you choose to run with a port
 but will run with the socket option. Still can't daemonize.
 
 [root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
 -r--r--r--  1 root  wheel  13834 Mar 23 20:43 /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm
 [root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory
 
 The timestamp on the Socket.pm is near identical to that of the perl
 binary, suggesting that perl installs a Socket.pm of its own as part of
 the base install. So p5-IO isn't a dependency of postgrey or the p5-IO-*
 ports as that functionality is part of the base install of perl.
 
 I suppose the best approach now is to remove perl and everything that
 depends on it, then reinstall it from scratch. But I have the strong
 suspicion I'll end up in the same place, that I'll have multiple
 IO::Socket files. It sounds like the p5-IO port should be deprecated if
 it's in the base install.
 
 I really can't get my mind around how this happens: how can I remove the
 file by deinstalling, verify that it's gone, reinstall from a cleaned
 port directory, and end up with a file with an almost 4 year old
 timestamp?
 
 [root@shuttle /usr/ports/devel/p5-IO]# make deinstall
 ===>  Deinstalling for devel/p5-IO
 ===>   Deinstalling p5-IO-1.25,1
 [root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 ls: /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm: No such file or directory
 [root@shuttle /usr/ports/devel/p5-IO]# make reinstall
 ===>  Installing for p5-IO-1.25,1
 ===>   p5-IO-1.25,1 depends on file: /usr/local/bin/perl5.14.2 - found
 ===>   Generating temporary packing list
 Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.so
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/auto/IO/IO.bs
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Pipe.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/File.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Select.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Poll.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Handle.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Dir.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Seekable.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/INET.pm
 Installing /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket/UNIX.pm
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Pipe.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::File.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Select.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::INET.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Socket::UNIX.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Poll.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Dir.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Handle.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO::Seekable.3
 Installing /usr/local/lib/perl5/5.14.2/man/man3/IO.3
 ===>   Compressing manual pages for p5-IO-1.25,1
 ===>   Registering installation for p5-IO-1.25,1
 [root@shuttle /usr/ports/devel/p5-IO]# ls -l /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 -r--r--r--  1 root  wheel  13572 May 13  2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm
 
 So at this point, I think generating a list of installed ports, removing
 everything, and reinstalling from scratch seems like a good idea.
 Tedious and likely to require a lot more supervision than I care to
 provide. I have not found an automated way to do this other than to
 simply list the ports as a list and build them. portmaster's man page
 offers some guidance on a process but I never got it to run to
 completion.
 
 Running this [ ls /var/db/pkg/p5* | grep : | sed 's/\(.*\)-/\1\ /' | cut -d" " -f1]
 to generate a list of ports should work though it didn't last
 time I tried it, obviously. What would be useful is a check to see if a
 port is depended on.
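
Added example, not part of the original message: the size-and-checksum comparison the message says was never done, as a POSIX shell check that lists every copy of a module along a library search path and reports which copy is found first. The function names are hypothetical, and the directory order is supplied by the caller (an assumption; on a real host take it from perl's @INC).

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.
# Usage with the two directories quoted in the message, in search order:
#   sh modcheck.sh IO/Socket.pm \
#       /usr/local/lib/perl5/site_perl/5.14.2/mach /usr/local/lib/perl5/5.14.2/mach

# module_copies REL_PATH DIR...
# One line per existing copy, in search order: "<crc> <bytes> <path>".
# cksum is POSIX; its CRC shows divergence between copies, not tamper resistance.
module_copies() {
    rel=$1; shift
    for dir in "$@"; do
        [ -f "$dir/$rel" ] && cksum "$dir/$rel"
    done
    return 0
}

# first_loaded REL_PATH DIR... -> path of the copy that wins the search.
first_loaded() {
    module_copies "$@" | head -n 1 | cut -d' ' -f3-
}

# shadow_status REL_PATH DIR... -> missing | single | identical | differs
#   differs: more than one copy exists and their checksum or size disagree,
#   so the file loaded depends on directory order.
shadow_status() {
    copies=$(module_copies "$@")
    [ -n "$copies" ] || { echo missing; return 0; }
    total=$(printf '%s\n' "$copies" | wc -l | tr -d ' ')
    distinct=$(printf '%s\n' "$copies" | cut -d' ' -f1,2 | sort -u | wc -l | tr -d ' ')
    if [ "$total" -eq 1 ]; then echo single
    elif [ "$distinct" -eq 1 ]; then echo identical
    else echo differs
    fi
}

# Run the report only when called with a module path and at least one directory.
if [ "$#" -ge 2 ]; then
    module_copies "$@"
    echo "loads first: $(first_loaded "$@")"
    echo "status: $(shadow_status "$@")"
fi
```

A `differs` result for `IO/Socket.pm` corresponds to the situation in the message: two files of different size under `site_perl` and the core library tree, with the `site_perl` copy found first.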
 
 
 


