Red Hat Bugzilla – Bug 197539
perl-YAML 0.58: huge dependency chain, security issue
Last modified: 2007-11-30 17:11:36 EST
The perl-YAML 0.58 update pulls in a huge chain of new dependencies:
$ rpm -q perl-YAML
$ sudo yum update
 Package                          Arch     Version            Repository     Size
================================================================================
Updating:
 perl-YAML                        noarch   0.58-3.fc5         extras-i386    84 k
Installing for dependencies:
 perl-Algorithm-Diff              noarch   1.1901-1.fc5       extras-i386    54 k
 perl-Devel-Symdump               noarch   2.06-1             core           15 k
 perl-ExtUtils-CBuilder           noarch   0.18-1.fc5         extras-i386    27 k
 perl-ExtUtils-ParseXS            noarch   2.15-2.fc5         extras-i386    29 k
 perl-Module-Build                noarch   0.2801-1.fc5       extras-i386   230 k
 perl-Module-Install              noarch   0.63-1.fc5         extras-i386   120 k
 perl-Module-ScanDeps             noarch   0.61-1.fc5         extras-i386    31 k
 perl-Pod-Coverage                x86_64   0.17-5.fc5         extras         26 k
 perl-Pod-Readme                  noarch   0.081-2.fc5        extras-i386    15 k
 perl-Spiffy                      noarch   0.30-5.fc5         extras-i386    40 k
 perl-Test-Base                   noarch   0.50-2.fc5         extras-i386    44 k
 perl-Test-Pod                    noarch   1.24-2.fc5         extras-i386    11 k
 perl-Test-Pod-Coverage           noarch   1.08-2.fc5         extras-i386    11 k
 perl-Test-Portability-Files      noarch   0.05-1.fc5         extras-i386    20 k
 perl-Text-Diff                   noarch   0.35-2.fc5         extras-i386    32 k
This seems excessive to me. It appears to be due to the Test::Base dependency
in Test::YAML. Do you know if Test::YAML is something that is supposed to be
shipped with the package in the first place, or just an (upstream) thinko?
Additionally, Test::YAML has "use lib 'lib'" in it, which looks like a security
hole to me; it pushes a relative "lib" directory to the front of @INC, which has
the potential to result in loading arbitrary code if one happens to run something
which pulls in Test::YAML, e.g. while being in /tmp.
I'm sure the "use lib 'lib'" thing is there to test modules.
Do you think I should drop the Test::YAML module entirely, or would it be
better to split it off to a sub-package?
I'd ask upstream first if it's really meant to be distributed or used only for
YAML's internal tests. If the former, I'd probably split it.
No matter what "use lib 'lib'" is there for, it is a security issue, no?
(In reply to comment #2)
> I'd ask upstream first if it's really meant to be distributed or used only for
> YAML's internal tests. If the former, I'd probably split it.
Reported upstream: http://rt.cpan.org//Ticket/Display.html?id=20342
> No matter what "use lib 'lib'" is there for, it is a security issue, no?
Sure. The customary thing to do is run with "perl -Ilib" if that's what you want.
There has been no response to my RT ticket, and the world doesn't seem to have
ended after I removed Test::YAML in devel, so I'm building 0.62 minus
Test::YAML for FC-5 now.