
Tainted filehandle read causes problems for downstream users #9

Open
@jkeenan

Description


This issue refers to the following ticket in the Perl 5 bug queue:
https://rt.perl.org/Ticket/Display.html?id=115370

And specifically to these two comments wherein I trace the OP's original problem to Module::Metadata:
https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272193
https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272238

To recap:

The relevant code is this part of cpan/Module-Metadata/lib/Module/Metadata.pm, starting at line 514 in the version in blead:

sub _parse_fh {
  my ($self, $fh) = @_;
...
  while (defined( my $line = <$fh> )) {

$line is being read from a filehandle and is, therefore, tainted at this point. It is eventually passed to Module::Metadata::_evaluate_version_line(), inside of which the eval string occurs, which is the point where the program fails due to the insecure dependency.

To resolve the problem in this ticket we would have to untaint $line after reading from the filehandle. Whether we should do that is something we'll have to discuss. Will ping the maintainer.

ISTR contacting Karen or someone else in Toolchain six months ago, but I could very well be mistaken about that. In any event, the problematic code can still be found in v0.22 of Module-Metadata. (v0.19 of Module-Metadata is the current version being distributed with Perl 5 core and will presumably go out with Perl 5.20.0 in the coming week.)

Can you investigate?

Thank you very much.
Jim Keenan
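The taint failure described in this issue, shown as a stand-alone added example (this is not code from the issue or from Module::Metadata): under `perl -T`, a line read from a filehandle is tainted, `eval STRING` on it dies with "Insecure dependency in eval while running with -T switch", and a regex capture is the sanctioned way to untaint it before the eval. The sample module text is constructed, and `untaint_version_line` is a hypothetical stand-in for whatever check the maintainers might adopt, not the project's function.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Run as:  perl -T taint_eval.pl
die "run this script with perl -T to enable taint mode\n" unless ${^TAINT};

# Constructed sample module text (not a real module).
my $module_text = <<'PM';
package Some::Module;
our $VERSION = '1.23';
1;
PM

# Write it to a temp file so the line is read from a real filehandle,
# as Module::Metadata::_parse_fh does.
my ($out, $path) = tempfile(UNLINK => 1);
print {$out} $module_text;
close $out;

# Hypothetical untainting check (assumption, not the project's code):
# only a quoted numeric version assigned to $VERSION is accepted.
sub untaint_version_line {
    my ($line) = @_;
    # Captured substrings of a regex match are untainted. Deliberately
    # narrow: a pattern like /(.*)/ would "untaint" arbitrary code and
    # defeat the point of taint mode.
    return unless $line =~ /\A\s*our\s+\$VERSION\s*=\s*(['"])(\d+(?:\.\d+)*)\1\s*;\s*\z/;
    return "our \$VERSION = '$2';";
}

open my $in, '<', $path or die "open $path: $!";
while (defined(my $line = <$in>)) {
    next unless $line =~ /\$VERSION/;

    # 1. Data read from a filehandle is tainted under -T.
    printf "tainted after read: %s\n", tainted($line) ? 'yes' : 'no';

    # 2. eval STRING on tainted data does not run; it dies and sets $@.
    my $result = eval "package Scratch; no strict; $line \$VERSION";
    print "eval of tainted line failed: $@" if $@;

    # 3. Untaint via regex capture, then the same eval succeeds.
    my $clean = untaint_version_line($line);
    die "line did not look like a version assignment: $line" unless defined $clean;
    printf "tainted after untaint: %s\n", tainted($clean) ? 'yes' : 'no';
    $result = eval "package Scratch; no strict; $clean \$VERSION";
    die "eval failed unexpectedly: $@" if $@;
    print "parsed version: $result\n";
}
close $in;
```

The point the example makes for the discussion above is that untainting is a policy decision, not a mechanical fix: the regex that performs the untaint also decides what the module is willing to `eval`, so a permissive pattern removes the protection that taint mode was giving the downstream user.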
