• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item7721: TWiki 6 fails with "insecure dependency" on recent (2016) Linux distributions
Item Form Data
| AppliesTo: | Component: | Priority: | CurrentState: | WaitingFor: | TargetRelease | ReleasedIn |
|---|---|---|---|---|---|---|
| Engine | Sessions | Normal | No Action Required | TWiki:Main.HaraldJoerg |
Edit Form Data
Detail
With Debian Jessie, and therefore probably with more distributions in the future, TWiki occasionally fails with = : A security fix in Debian, pushed their . As a consequence, some use cases for CPAN:CGI::Session broke with an insecure dependency. As of today, there's a new version of CGI::Session in Debian, but the error still occurs in TWiki. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810799 and https://rt.cpan.org/Public/Bug/Display.html?id=80346 for the history.
This needs work by twikizens for narrowing down the error: maybe it's in TWiki, maybe in CGI::Session, or even elsewhere.
-- TWiki:Main/HaraldJoerg - 2016-02-04
Unfortunately, for whatever reason, this now pops up with various Perl versions since 5.10.
Observations and tracing seem to indicate that the root cause is not in TWiki's source code itself, but in some library / C code on which TWiki depends. - 2016-08-04
I've been not very active with this lately, but here's my current best guess for a workaround: Downgrade - 2017-01-09
Good news - or bad news, depending on how to you look at it: With today's "stable" Debian system (Debian 9 AKA Stretch) I fail to reproduce the error - no taint failures however hard I try. The exactly same TWiki code and procedure (as described in my comment dated 2016-08-04) gives a taint failure on Debian 8, but works fine as it should on Debian 9. Confirmed with the system versions of - 2017-09-07
I'm closing this now: All clues indicate that this problem only occurs with TWiki and Perl 5.20, which unfortunately came with Debian Jessie and other popular Linux distributions. But as of now, the distributions ship with newer versions of Perl, and I failed to reproduce the bug with Perl 5.22, Perl 5.24, and Perl 5.26.
A workaround in all the situations where the bug appears is to close all browser windows (or, more technically, to delete all cookies from the TWiki server).
-- TWiki:Main.HaraldJoerg - 2017-12-19
Insecure dependency in sysopen while running with -T switch at /usr/share/perl5/CGI/Session/Driver/file.pm line 107. =
The issue came up in TWiki:Support.SID-02145: A security fix in Debian, pushed their perl package from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2: https://www.debian.org/security/2016/dsa-3441.en.html. As a consequence, some use cases for CPAN:CGI::Session broke with an insecure dependency. As of today, there's a new version of CGI::Session in Debian, but the error still occurs in TWiki. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810799 and https://rt.cpan.org/Public/Bug/Display.html?id=80346 for the history.
This needs work by twikizens for narrowing down the error: maybe it's in TWiki, maybe in CGI::Session, or even elsewhere.
-- TWiki:Main/HaraldJoerg - 2016-02-04
Unfortunately, for whatever reason, this now pops up with various Perl versions since 5.10.
Observations and tracing seem to indicate that the root cause is not in TWiki's source code itself, but in some library / C code on which TWiki depends. - The bug is not easily reproducible, and I have not managed to reproduce it outside of TWiki.
- We had several reports that deleting the TWiki session cookie is a workaround to get over the problem.
- This supports my assumption about the code path where the error is triggered: It happens whenever TWiki rejects a session cookie and creates a new one. This happens in some situations, e.g. when the client IP address changes, and is normally harmless, but now these sessions are somehow "tainted". Deleting the cookie enforces a fresh session and gets rid of the bogus session data. "Somehow" the rejected session lingers around.
print statements in various places for debugging. Strange enough, print in some places make the error go away, even if I just print a constant string. This might be a clue that the bug is in the C innards of Perl or some of its modules itself, but is too far from a proof. I hesitate to commit such a print statement as a "fix" for the problem.
My not-yet-automated procedure to reproduce the bug is as follows: - Create a TWiki session by just viewing a topic with a browser.
- Manually delete the session file on the server (I doubt that this happens in any real world situation, but it makes TWiki follow the same code paths).
- View another topic, or just "reload"
- Boom. But not always.
-T switch in the TWiki bin files. If there are no taint checks, then there is no insecure dependency. I don't like that because it gives away a security assertion for nothing, though we know that the cause of this problem is not an insecurity.
-- TWiki:Main.HaraldJoerg - 2016-08-04
I've been not very active with this lately, but here's my current best guess for a workaround: Downgrade Cwd, available from CPAN in the PathTools distribution, from 3.62 to 3.60.
-- TWiki:Main.HaraldJoerg - 2017-01-09
Good news - or bad news, depending on how to you look at it: With today's "stable" Debian system (Debian 9 AKA Stretch) I fail to reproduce the error - no taint failures however hard I try. The exactly same TWiki code and procedure (as described in my comment dated 2016-08-04) gives a taint failure on Debian 8, but works fine as it should on Debian 9. Confirmed with the system versions of CGI::Session as well as with those which come with TWiki.
As far as I am concerned, I'm likely to give up on this error. It is unlikely that TWiki code can do something about it (short of abandoning CGI::Session), and the taint failure did never indicate an actual security vulnerability.
-- TWiki:Main.HaraldJoerg - 2017-09-07
I'm closing this now: All clues indicate that this problem only occurs with TWiki and Perl 5.20, which unfortunately came with Debian Jessie and other popular Linux distributions. But as of now, the distributions ship with newer versions of Perl, and I failed to reproduce the bug with Perl 5.22, Perl 5.24, and Perl 5.26.
A workaround in all the situations where the bug appears is to close all browser windows (or, more technically, to delete all cookies from the TWiki server).
-- TWiki:Main.HaraldJoerg - 2017-12-19
| ItemTemplate | |
|---|---|
| Summary | TWiki 6 fails with "insecure dependency" on recent (2016) Linux distributions |
| ReportedBy |
TWiki:Main.HaraldJoerg
|
| Codebase | ~twiki4, 6.0.2, 6.0.1 |
| SVN Range | TWiki-6.0.2-trunk, Wed, 03 Feb 2016, build 29950 |
| AppliesTo | Engine |
| Component | Sessions |
| Priority | Normal |
| CurrentState | No Action Required |
| WaitingFor |
TWiki:Main.HaraldJoerg
|
| Checkins | |
| TargetRelease | |
| ReleasedIn | |
Topic revision: r5 - 2017-12-19 - HaraldJoerg
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback