Bug#737265: libdatetime-timezone-perl: DateTime::TimeZone::Local malfunctions under taint mode (perl -T)
Stephen Oberholtzer
stevie at qrpff.net
Fri Jan 31 22:47:18 UTC 2014
Package: libdatetime-timezone-perl
Version: 1.63-1+2013h
Severity: normal
Tags: upstream patch
Dear Maintainer,
Bugzilla versions 4.2 and 4.4 both malfunction under the latest Perl (5.18.2-2) and libdatetime-timezone-perl (1.63-1+2013h) with the message "Cannot determine local time zone".
This occurs because Bugzilla runs under "Taint Mode", where values from untrusted sources are marked as 'tainted'; certain risky operations (eval, exec/system, open file for writing) will fail when their arguments are tainted. This includes the mechanism used by the constructor for DateTime::TimeZone.
When DateTime::TimeZone::Local::Unix loads the time zone name from /etc/timezone, the zone name is tainted; then, when the name is passed to DateTime::TimeZone->new, it fails.
DateTime::TimeZone->new already securely validates the zone name before using it. Attached is a patch (created using quilt) that modifies that validation code such that it also untaints the zone name at the same time. It also adds a new test to the test suite to verify correct operation.
An equivalent patch has been submitted directly to the author of DateTime::TimeZone.
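As an added illustration of the mechanism described above (this is not the attached patch and not DateTime::TimeZone's own code), the following Perl script reads a zone name under -T from a constructed stand-in for /etc/timezone, shows that a string eval involving the tainted value is refused, and then untaints the name through a validating regex capture, which is the approach the report describes. The validation pattern, the helper names and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added illustration, not the bug reporter's patch and not DateTime::TimeZone's
# own code: shows why a zone name read from a file is tainted under -T, why a
# risky operation on it dies, and how validating with a capturing regex
# untaints it. The validation pattern and helper names are assumptions.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempfile);

# Constructed sample standing in for /etc/timezone, written to a temp file so
# the example runs offline and cleans up after itself.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "America/New_York\n";
seek $fh, 0, 0 or die "seek: $!";
my $raw = <$fh>;        # anything read from a filehandle is tainted under -T
close $fh;
chomp $raw;

# Validate the zone name; a capture group from a successful match is untainted,
# so validation and untainting happen in one step. Returns undef on reject.
sub validated_zone_name {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ m{^([A-Za-z0-9_+-]+(?:/[A-Za-z0-9_+-]+)*)\z};
    return $1;
}

# Stand-in for the constructor's risky step: a string eval involving the name.
# The block eval around the string eval catches the "Insecure dependency"
# error that -T raises when the interpolated string is tainted.
sub try_risky_op {
    my ($name) = @_;
    my $len = eval { my $r = eval "length('$name')"; die $@ if $@; $r };
    if ($@) {
        my $err = $@;
        chomp $err;
        return "refused: $err";
    }
    return "ran, length $len";
}

printf "raw    '%s' tainted=%s -> %s\n",
    $raw, tainted($raw) ? 'yes' : 'no', try_risky_op($raw);

my $clean = validated_zone_name($raw);
printf "clean  '%s' tainted=%s -> %s\n",
    $clean, tainted($clean) ? 'yes' : 'no', try_risky_op($clean);

# A value that fails validation never reaches the risky step (constructed sample).
my $bad = "../../tmp/evil";
printf "bad    '%s' -> %s\n",
    $bad, defined validated_zone_name($bad) ? 'accepted' : 'rejected';
```

Run it as `perl -T example.pl`: Perl requires the -T on the shebang line to also be given on the command line. The first line of output reports the raw value as tainted and the eval refused; after the regex capture the same name is untainted and the eval runs, while the malformed sample is rejected before any risky operation sees it.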
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-taintmode-check
Type: text/x-diff
Size: 604 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20140131/b4451be5/attachment.diff>