Bug 197539 - perl-YAML 0.58: huge dependency chain, security issue
Summary: perl-YAML 0.58: huge dependency chain, security issue
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-YAML
Version: 5
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-07-03 21:25 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 0.62-1.fc5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-08 18:34:55 UTC
Type: ---
Embargoed:



Description Ville Skyttä 2006-07-03 21:25:38 UTC
The perl-YAML 0.58 update pulls in a huge chain of new dependencies:

$ rpm -q perl-YAML
perl-YAML-0.39-2

$ sudo yum update
[...]
Updating:
 perl-YAML               noarch     0.58-3.fc5       extras-i386        84 k
Installing for dependencies:
 perl-Algorithm-Diff     noarch     1.1901-1.fc5     extras-i386        54 k
 perl-Devel-Symdump      noarch     2.06-1           core               15 k
 perl-ExtUtils-CBuilder  noarch     0.18-1.fc5       extras-i386        27 k
 perl-ExtUtils-ParseXS   noarch     2.15-2.fc5       extras-i386        29 k
 perl-Module-Build       noarch     0.2801-1.fc5     extras-i386       230 k
 perl-Module-Install     noarch     0.63-1.fc5       extras-i386       120 k
 perl-Module-ScanDeps    noarch     0.61-1.fc5       extras-i386        31 k
 perl-Pod-Coverage       x86_64     0.17-5.fc5       extras             26 k
 perl-Pod-Readme         noarch     0.081-2.fc5      extras-i386        15 k
 perl-Spiffy             noarch     0.30-5.fc5       extras-i386        40 k
 perl-Test-Base          noarch     0.50-2.fc5       extras-i386        44 k
 perl-Test-Pod           noarch     1.24-2.fc5       extras-i386        11 k
 perl-Test-Pod-Coverage  noarch     1.08-2.fc5       extras-i386        11 k
 perl-Test-Portability-Files  noarch     0.05-1.fc5       extras-i386        20 k
 perl-Text-Diff          noarch     0.35-2.fc5       extras-i386        32 k


This seems excessive to me.  It appears to be due to the Test::Base dependency
in Test::YAML.  Do you know if Test::YAML is something that is supposed to be
shipped with the package in the first place, or just an (upstream) thinko?


Additionally, Test::YAML has "use lib 'lib'" in it, which looks like a security
hole to me; it pushes a relative "lib" directory to the front of @INC, which has
the potential to result in loading arbitrary code if one happens to run something
which pulls in Test::YAML, e.g. while being in /tmp.

Comment 1 Steven Pritchard 2006-07-03 22:51:35 UTC
I'm sure the "use lib 'lib'" thing is there to test modules.

Do you think I should drop the Test::YAML module entirely, or would it be 
better to split it off to a sub-package?

Comment 2 Ville Skyttä 2006-07-04 06:17:50 UTC
I'd ask upstream first if it's really meant to be distributed or used only for
YAML's internal tests.  If the former, I'd probably split it.

No matter what "use lib 'lib'" is there for, it is a security issue, no?


Comment 3 Steven Pritchard 2006-07-07 13:58:21 UTC
(In reply to comment #2)
> I'd ask upstream first if it's really meant to be distributed or used only for
> YAML's internal tests.  If the former, I'd probably split it.

Reported upstream: http://rt.cpan.org//Ticket/Display.html?id=20342

> No matter what "use lib 'lib'" is there for, it is a security issue, no?

Sure.  The customary thing to do is run with "perl -Ilib" if that's what you want.



Comment 4 Steven Pritchard 2006-08-08 18:34:55 UTC
There has been no response to my RT ticket, and the world doesn't seem to have 
ended after I removed Test::YAML in devel, so I'm building 0.62 minus 
Test::YAML for FC-5 now.

