Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612408 (perl-5.26-no-dot-inc) - [TRACKER] Perl modules fail due to "." removal from @INC on >=dev-lang/perl-5.26.0
Summary: [TRACKER] Perl modules fail due to "." removal from @INC on >=dev-lang/perl-5...
Status: CONFIRMED
Alias: perl-5.26-no-dot-inc
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Perl team
URL: http://blogs.perl.org/users/ryan_voot...
Whiteboard:
Keywords: Tracker
Depends on: 613720 625512 630090 634040 668250 675864 613358 613362 613366 613368 613378 613400 613404 613520 613522 613580 613582 613584 613586 613588 613590 613592 613594 613608 613614 613616 613618 613620 613624 613626 613630 613632 613636 613638 613640 613642 613708 613710 613718 613750 613752 613754 613756 613772 613802 613804 613808 613866 613870 613872 614122 614186 614210 614336 614338 614340 614342 614344 614346 614350 614352 614394 614404 614410 614412 614414 614418 614428 614430 614438 614446 614448 614450 614454 614462 614466 614472 614508 614530 614532 614536 614538 614612 614614 614620 614628 614632 614634 614636 614638 614640 614642 614644 614646 614648 614650 614652 614660 614662 614670 614672 614678 614694 614788 614790 614798 614800 614802 614804 614806 614808 614812 614854 614920 614926 614934 614936 614946 614958 614962 614968 615016 615018 615026 615084 615086 615088 615094 615096 615098 615100 615104 615106 615108 615110 615112 615114 615116 615118 615122 615124 615126 615128 615130 615136 615138 615222 615224 615226 615234 615238 615240 615320 615496 615502 615504 615506 615508 615512 615514 615516 615582 615588 615590 615592 615598 615602 615604 615612 615626 615632 615684 615686 615688 615696 615698 615700 615702 615704 615706 615708 615710 615712 615714 615716 615718 615722 615726 615728 615732 615734 615738 615794 615800 615810 615820 615828 615830 615834 615840 615842 615844 616774 616836 616840 616844 616868 616908 616916 616920 616950 616954 616966 616970 616978 616980 616984 616992 616994 617002 617006 617008 617014 617040 617046 617048 617050 617054 617056 617102 617104 617108 617110 617112 617116 617118 617132 617134 617138 617140 617142 617144 617158 617760 620472 621528 622952 622998 623002 623004 623008 623010 623056 623062 623064 623068 623070 623072 623074 623076 623078 623080 623082 623086 623090 623094 623098 623100 623106 623108 623118 623120 623122 623124 623126 623128 623130 623136 623138 623140 623144 623146 623148 623182 623184 623186 623190 623196 623200 623202 623214 623216 623454 623578 623580 623594 625316 625318 625320 625576 627292 627678 629256 630474 632064 633722 634020 634184 634684 635464 636198 639876
Blocks: perl-5.26
  Show dependency tree
 
Reported: 2017-03-12 09:37 UTC by Kent Fredric (IRC: kent\n)
Modified: 2019-01-19 18:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kent Fredric (IRC: kent\n) gentoo-dev 2017-03-12 09:37:05 UTC
Tracker:

This tracker is to keep track of Perl based packages that need fixing for the 5.26 removal of "." from @INC, and will thus block 5.26 stabilization ( once it becomes a candidate for such )

Tracker will just start out being comments of affected packages for later work (after 5.26 actually enters tree), and eventually this tracker will be blocked by stabilization requests for necessary modules.

Context:

Prior to Perl 5.26, the Perl Module Load path was: 

   - /etc/
   - /usr/local/${libdir}/perl5/${perlversion}
   - /usr/${libdir}/perl5/vendor_perl/${perl_version}
   - /usr/${libdir}/perl5/${perl_version}
   - .

The last of which being an implied "look in $CWD" mechanic as a fallback if the other paths failed.

Due to a class of security holes where certain code could rely on a given module being missing ( eg: eval { require Module } || fallback  or simply unchecked "do $file" ), a malicious user could place vulnerable files in locations where they could anticipate a privileged user being when they execute a known vulnerable program.

5.26 closes this specific class of issue by removing the "fallback to CWD" mechanism, however, as a consequence affects a lot of code that was relying on that mechanism, where it wasn't an implicit security risk.

These typically are most visible in:

   - Class 1. Perl Module Installers ( eg: Makefile.PL / Build.PL execution )
   - Class 2. Perl Module Tests ( eg: t/* )

where expressions like

    use inc::Module::Install ; # ./inc/Module/Install.pm
    use t::Foo               ; # ./t/Foo.pm
or
     do "t/Foo.pm"          ;  # ./t/Foo.pm

Relied on this resolution for good effect, due to the assumable and safe stance that Installers and Tests are executed from an enforced CWD.

There is also plenty of code in the wild: Class 3 (esp. outside CPAN) that relies on CWD-relative loading for configuration parsing purposes, similar to how running "git" doesn't need any explicit path passing to work ( because CWD is assumable )

However, all of the above usecases break in 5.26 when 5.26 is compiled with -Ddefault_inc_excludes_dot ( The intended default ), and traditional behaviour can only be restored at a global level via passing -Udefault_inc_excludes_dot to Perl's ./configure 

Upstream are providing mitigations in some places for the "Installers" and "Tests" contexts, but the expected long-term plan is that these mitigations will eventually go away.

Upstream mitigations are employed by:

1. Setting PERL_USE_UNSAFE_INC=1 in CPAN clients if the ENV var is not already set.

2. Adding PERL_USE_UNSAFE_INC=1 in Test::Harness and `prove` if the ENV var is not set.

These strategies suppress all classes of errors, but only during install and test phases.

These are (mostly) satisfactory short term mitigations for classes 1 and 2, because they don't ever "live" outside that context.

However, they suppress real problems in class 3: Installed time.

Subsequently, we have no plans as such to suppress these classes of error in Portage, rather, to expose them and let them fail at the testers level and get them Fixed Properly, and then block 5.26 stabilization on the fixes themselves being stabilized.

End Users who have problems with this can simply set-and-forget PERL_USE_UNSAFE_INC=1 in a place or two, and these problems will go away ( at the price of security ).

News notifications will be sent closer to the time where they need to care.
Comment 1 Kent Fredric (IRC: kent\n) gentoo-dev 2017-03-18 12:12:04 UTC
<dev-perl/Devel-Symdump-2.180.0