Bug#794963: libnet-xmpp-perl: "Insecure dependency in eval (...) at /usr/share/perl5/Net/XMPP/Protocol.pm line 1007."

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Mon Aug 10 22:54:33 UTC 2015


It's getting interesting ...

Axel Beckert wrote:

> I'm sorry, but I failed to get that script working.
> 
> I tried with:
> 
> * My own server (cacert certificate, Net::XMPP::Client can't seem to
>   pass ssl_ca_path to XML::Stream)
> * Upstream's test server (connection refused despite I used the same
>   data as in their own test scripts)
> * locally installed jabberd2 (gave nothing 500 server error after I
>   had it purged and installed again)
> * locally installed prosody (connection timeout).

The easiest way for me to get an XMPP server running was to install
prosody, lua-sec, and libdigest-hmac-perl. Beware of #748721, edit
the certificate name in /etc/prosody/prosody.cfg.lua. Then use
prosodyctl to create an account.

If it's of any help, I can provide a root account on a test machine
for you, with a running prosody server. Send me your public ssh key.
But ... see below.

> I see currently two options:
> 
> a) you try to checkout
>    https://anonscm.debian.org/cgit/pkg-perl/packages/libnet-xmpp-perl.git
>    and build the package from there to test it.

Bad news: This is *not* a remedy against the error messages here.
Additionally, this raises new warnings (three times):

| WARNING: debug file () does not exist 
|          and is not writable by you.
|          No debug information being saved.

This also happens without any setuid quirks, the messages are
generated by

* /usr/share/perl5/XML/Stream.pm:401 (one time)
* /usr/share/perl5/XML/Stream/Parser.pm:135 (two times)

and I have no idea why. Good luck :)

> b) I'll upload the new upstream release without fixing this issue, you
>    try it afterwards in Sid or Testing and I either close this issue
>    retroactively or try to fix it based on your feedback.

Modulo the above messages this is probably the way to go since there
are more problems on the political layer: If you run my small script
in Perl's taint mode, it will croak in other places:

| Insecure dependency in eval while running with -T switch at /usr/share/perl5/Authen/SASL/Perl.pm line 58.
|  at /usr/share/perl5/XML/Stream.pm line 2155.

So a can of worms is waiting to be opened ...

AND: While I managed to reproduce the issue in my usual test systems,
I failed to do so in a fresh, plain jessie install, the one I could
easily grant you access to. So I still cannot make you see it with
your own eyes.¹ At first, I really should find the differences between
these two installations. I'll get back to you then.

    Christoph

¹ At least the new "WARNING"s show up, though.
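The taint-mode failure discussed in this message ("Insecure dependency in eval while running with -T switch") is what Perl raises whenever a string eval is fed data that came from outside the program. The following script is an added example, not code from the bug report nor from Net::XMPP, XML::Stream or Authen::SASL: it reproduces that class of failure on purpose with a command-line argument (constructed input; the file name taint_eval.pl is hypothetical) and then shows the usual fix, untainting by regex capture against a whitelist of characters.

```perl
#!/usr/bin/perl -T
# Added example, not code from the bug report or from the modules it names.
# Run as:  perl -T taint_eval.pl PLAIN
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, @ARGV, %ENV, STDIN and anything read from a file are tainted.
my $mech = @ARGV ? shift @ARGV : die "usage: perl -T taint_eval.pl <mechanism>\n";

# A string eval that interpolates caller-supplied data. While the data is
# tainted, Perl refuses to run it and croaks with "Insecure dependency in eval".
sub eval_with_input {
    my ($name) = @_;
    my $code   = "length('$name')";
    my $result = eval { eval $code };   # block eval catches the taint croak
    return defined $result ? "ok: $result" : "died: $@";
}

# Untaint by capturing a whitelist of characters. A regex capture is
# untainted (unless 'use re "taint"' is in effect), so $1 may reach eval.
# Anything outside the whitelist is rejected rather than cleaned up.
sub untaint_mechanism {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

print "input tainted:           ", (tainted($mech) ? "yes" : "no"), "\n";
print "eval on raw input:       ", eval_with_input($mech), "\n";

my $clean = untaint_mechanism($mech);
if (defined $clean) {
    print "clean value tainted:     ", (tainted($clean) ? "yes" : "no"), "\n";
    print "eval on untainted input: ", eval_with_input($clean), "\n";
} else {
    print "rejected: input contains characters outside the whitelist\n";
}
```

Run it with `perl -T` on the command line (putting -T only on the #! line and invoking `perl taint_eval.pl` produces "Too late for -T"). The first eval dies with the same "Insecure dependency in eval" message quoted above; the second succeeds because the value went through the capture. Scalar::Util::tainted() is a convenient way to confirm, in a module under suspicion, which value is still tainted at the point where the eval croaks.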