Closed Bug 1560873 Opened 6 years ago Closed 1 year ago

Insecure dependency in require while running with -T switch at Provider.pm line 576

Categories

(Bugzilla :: Bugzilla-General, defect)

5.0.4
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: cvut, Assigned: justdave, NeedInfo)

Attachments

(5 files)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

Bugzilla 5.0.4 installed on Fedora 30. Fedora has perl-Template-Toolkit version 2.28. It caused the same issue, so I installed Template 2.29.

Bugzilla runs in nginx+fcgiwrap env.

Actual results:

Bugzilla reports warnings like these:

[Mon Jun 24 11:04:52 2019] buglist.cgi: Use of uninitialized value $compiled in concatenation (.) or string at lib/x86_64-linux-thread-multi/Template/Provider.pm line 577.

[Mon Jun 24 11:04:52 2019] buglist.cgi: compiled template : Insecure dependency in require while running with -T switch at lib/x86_64-linux-thread-multi/Template/Provider.pm line 576.

Expected results:

I would expect no security warning.

We are also hitting exactly the same issue.
We are seeing the following type of errors in our Apache error_log:

[Fri Nov 15 11:49:15.067019 2019] [cgi:error] show_bug.cgi: Use of uninitialized value $compiled in concatenation (.) or string at lib/x86_64-linux-thread-multi/Template/Provider.pm line 577.:
[Fri Nov 15 11:49:15.067292 2019] [cgi:error] show_bug.cgi: compiled template : Insecure dependency in require while running with -T switch at lib/x86_64-linux-thread-multi/Template/Provider.pm line 576.:

Our Bugzilla version is 5.0.6 and we have installed on Amazon Linux release 2 (Karoo).

As far as we can tell this doesn't seem to have caused any actual usage issues - but is filling up our error_log!

Flags: needinfo?(cvut)

(In reply to Andrew Buesnel from comment #1)

> We are also hitting exactly the same issue.
> We are seeing the following type of errors in our Apache error_log:
>
> [Fri Nov 15 11:49:15.067019 2019] [cgi:error] show_bug.cgi: Use of uninitialized value $compiled in concatenation (.) or string at lib/x86_64-linux-thread-multi/Template/Provider.pm line 577.:
> [Fri Nov 15 11:49:15.067292 2019] [cgi:error] show_bug.cgi: compiled template : Insecure dependency in require while running with -T switch at lib/x86_64-linux-thread-multi/Template/Provider.pm line 576.:
>
> Our Bugzilla version is 5.0.6 and we have installed on Amazon Linux release 2 (Karoo).
>
> As far as we can tell this doesn't seem to have caused any actual usage issues - but is filling up our error_log!

Sorry, should also have put that we are using Template 2.29

Does anybody know whether there is a fix for this please?

I had the same issue. Downgrading TT to 2.26 worked for me with no ill effects so far.

sudo cpanm ABW/Template-Toolkit-2.27.tar.gz

Beg your pardon, I downgraded to 2.27, not 2.26

Same error seen on 5.0.6 on RHEL8 with perl-Template-Toolkit-2.29-3.el8.x86_64

Incrementing this with +1
We're also seeing this in 2.29 of perl-Template-Toolkit on RHEL8 w/5.0.6 of Bugzilla.

I am also seeing this with Bugzilla 5.0.6 on RHEL 8.6 (ppc64le), with perl-Template-Toolkit-2.29-4.el8.ppc64le. Arguably not a problem with Bugzilla, but has nobody found the root cause or come up with a patch so that downgrading the perl-Template-Toolkit package is not required?

(In reply to Steve Turner from comment #7)

> I am also seeing this with Bugzilla 5.0.6 on RHEL 8.6 (ppc64le), with perl-Template-Toolkit-2.29-4.el8.ppc64le. Arguably not a problem with Bugzilla, but has nobody found the root cause or come up with a patch so that downgrading the perl-Template-Toolkit package is not required?

I think I answered my own question: https://github.com/abw/Template2/pull/259

Someone needs to petition RH to backport that patch to RHEL 8, I guess.

I spoke before testing the patch, and oddly enough it doesn't work for me. The $fpath variable that is being un-tainted by the patch refuses to be un-tainted in my environment (I used tainted() from Scalar::Util to verify this). The patch that worked for me is the much-maligned sledge-hammer approach of assigning the $fpath value to a hash key and using that instead. I'm sure there's a better solution.
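An added illustration of what the comment above describes (not code from this thread, from Template Toolkit or from Bugzilla): checking a path with Scalar::Util::tainted under -T, laundering it through a validating regex capture, and the hash-key approach that strips the taint flag without checking anything. The sample path and the script name are constructed; run it with `perl -T taint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Added illustration, not Template Toolkit's or Bugzilla's code: how Perl taint
# mode treats a path, checked with Scalar::Util::tainted, and the two ways a
# value can be laundered. Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample path. Concatenating a zero-length slice of %ENV is the
# standard way to make a literal tainted, which is what a path derived from
# request or environment data looks like inside a -T process.
my $fpath = '/var/lib/bugzilla/data/template/show_bug.ttc'
          . substr($ENV{PATH} // '', 0, 0);

printf "original       tainted=%d\n", tainted($fpath) ? 1 : 0;

# 1) Validating launder: only a regex capture untaints, and the pattern
#    doubles as the safety check (absolute path, no '..' components).
my ($validated) = $fpath =~ m{^(/(?:[\w.-]+/)*[\w.-]+)$};
die "refusing path that fails the allow-list pattern: $fpath\n"
    unless defined $validated && $validated !~ m{(?:^|/)\.\.(?:/|$)};
printf "regex launder  tainted=%d\n", tainted($validated) ? 1 : 0;

# 2) Hash-key launder: perlsec documents that hash keys are never tainted, so
#    a round trip through a hash strips the flag. Nothing is checked, which is
#    why it is called a sledge-hammer: it should only wrap a value that was
#    already validated somewhere else.
my ($via_hash) = keys %{ { $fpath => 1 } };
printf "hash launder   tainted=%d\n", tainted($via_hash) ? 1 : 0;

# Passing the still-tainted $fpath to require is what produces
# "Insecure dependency in require while running with -T switch";
# a require must be handed one of the laundered copies instead.
```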

Fix for Bugzilla: we need to blacklist this version of Template Toolkit in our prerequisite checks.

OK, for the record:

The errant code was introduced in version 2.28 with https://github.com/abw/Template2/commit/d698d5c036aef8144cb4e105242b3421adbd4ac1
It was fixed upstream in version 3.008 with https://github.com/abw/Template2/commit/161e4c02b494defbc762247465dc23c74ef37d83

2.29 was the last 2.x release prior to 3.000. So we need to block 2.2[89] and 3.00[0-7]

Assignee: general → justdave
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
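An added example of the prerequisite check discussed here (not Bugzilla's own Bugzilla::Install::Requirements code): it refuses the release range from 2.28, where the thread says the bug was introduced, up to but not including 3.008, where it was fixed, and can also enforce the higher minimum proposed for the newer branches. The function names and the use of the core `version` module are assumptions; the sample versions are constructed.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's Bugzilla::Install::Requirements code: a
# Template Toolkit prerequisite check that refuses the release range carrying
# the tainted-require bug and can also enforce a higher minimum version.
use strict;
use warnings;
use version 0.77;

# Bounds taken from the thread: bug introduced in 2.28, fixed upstream in 3.008.
# Comparing version objects rather than regex-matching strings covers 2.29
# (the last 2.x) and 3.000 .. 3.007 in one test, and lets 3.008 itself pass.
my $FIRST_BROKEN = version->parse('2.28');
my $FIRST_FIXED  = version->parse('3.008');

# Returns 'ok' or a reason string. $minimum is the branch policy: '2.24' for
# branches that keep the old minimum plus a blocklist, '3.008' for branches
# that require the fixed release outright (both figures come from the thread).
sub tt_version_status {
    my ($installed, $minimum) = @_;
    $minimum //= '0';
    my $v = eval { version->parse($installed) }
        or return "unparseable Template version '$installed'";
    my $min = version->parse($minimum);
    return "too old: $installed < required $minimum" if $v < $min;
    return "blocked: $installed has the tainted-require bug (fixed in 3.008)"
        if $v >= $FIRST_BROKEN && $v < $FIRST_FIXED;
    return 'ok';
}

# What an installer would actually run: read the loaded module's version.
sub installed_tt_status {
    my ($minimum) = @_;
    eval { require Template; 1 } or return 'Template not installed';
    return tt_version_status($Template::VERSION, $minimum);
}

# Constructed inputs around both boundaries, checked under both policies.
for my $ver (qw(2.24 2.27 2.28 2.29 3.000 3.007 3.008 3.101)) {
    printf "%-6s blocklist policy: %-58s min-3.008 policy: %s\n",
        $ver, tt_version_status($ver, '2.24'), tt_version_status($ver, '3.008');
}
print 'installed: ', installed_tt_status('2.24'), "\n";
```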

If you say that the problem has been fixed in 3.008, why do you also blacklist this version (instead of 3.007) in your patches for the 4.4, 5.0.4 and 5.2 branches?

Also, for 5.1, 5.2 and harmony, you should bump the min version of TT to 3.008 instead of keeping the old 2.24, see bug 1139446 explaining why TT < 2.27 should not be used and bug 1625554 explaining why it's time to leave TT 2.x alone and bump to TT 3.x.

(In reply to Frédéric Buclin from comment #18)

> If you say that the problem has been fixed in 3.008, why do you also blacklist this version (instead of 3.007) in your patches for the 4.4, 5.0.4 and 5.2 branches?

It really makes me happy that you're still around poking at stuff and catching things like this, and now I feel like an idiot for missing that. 3.009 was the known-working version before I went commit-diving to figure out when they actually fixed it, so although I'm facepalming at goofing that up, that's where that came from.

> Also, for 5.1, 5.2 and harmony, you should bump the min version of TT to 3.008 instead of keeping the old 2.24, see bug 1139446 explaining why TT < 2.27 should not be used and bug 1625554 explaining why it's time to leave TT 2.x alone and bump to TT 3.x.

I agree on the version bump for the newer branches. I will update the pull requests with these changes.

Thanks!

Blocks: 1625554
Blocks: 1139446

Still waiting for harmony actually... that PR is still waiting approval.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

A side note on this, Ubuntu 20.04, 22.04, and 23.04 all have Template Toolkit 2.27 in them (which is old enough to not trigger this bug, but not new enough for Bugzilla on version 5.2 since we decided to just require 3.008 instead of blocklisting the in-between broken ones...)

Do we want to roll back to allowing 2.27 on 5.2 and blocking the newer broken ones to allow people with Ubuntu to install without headaches? Otherwise we're asking everyone to use CPAN to install Template::Toolkit (which I had to do to make the Docker image work), and that's the only required module that can't be provided by an OS package right now.

(In reply to Dave Miller [:justdave] from comment #23)

> Do we want to roll back to allowing 2.27 on 5.2 and blocking the newer broken ones to allow people with Ubuntu to install without headaches? Otherwise we're asking everyone to use CPAN to install Template::Toolkit (which I had to do to make the Docker image work), and that's the only required module that can't be provided by an OS package right now.

I think it's fine to require 3.008 for 5.2. It's not that hard to install TT from CPAN. Moreover, TT 3.008 is available since March 2020, more than 4 years ago. Maybe someone should ask the Ubuntu maintainer to update it in their repo.
