A couple of my friends on IRC have told me this, and since I'm using 10.4.11 I couldn't verify, but the latest Mac OS X Security Update 2009-001 apparently breaks your Perl, if you
- are using Mac OS X 10.5 (Leopard)
- and are using Perl that comes with Mac OS X
- and have upgraded several core modules with CPAN in the past
% perl -MIO IO object version 1.22 does not match bootstrap parameter 1.23 at /System/Library/Perl/5.8.8/darwin-thread-multi-2level/XSLoader.pm line 94. Compilation failed in require. BEGIN failed--compilation aborted.
This is because the Security Update brings (old) IO.bundle with version 1.22 but your IO.pm has been updated to the latest 1.23 on CPAN shell. (But hey, 1.23 was released in 2006 ... Why do you bring that ancient version back, Apple!?)
The fix is to update IO.pm to 1.23, but since IO.pm is now broken, you can't even run CPAN shell to do this (Ugh!). You need to go to CPAN and grab IO-1.2301.tar.gz, unpack it and run "perl Makefile.PL; make; sudo make install" to fix this. You probably need to do the same against Scalar::Util and Storable.
This is another reason why you shouldn't use Perl that comes from vendors (Apple isn't any different from Fedora on this!) or use stuff like local::lib to keep system modules clean.
You are a lifesaver.
Posted by: George Qualley IV | 2009.02.12 at 22:38
Thank you.
Posted by: Graham Miln | 2009.02.15 at 15:40
I tried all that and it didn't work. I ended up downloading Perl 5.10 and doing my own install of it.
I have not problems with that and I have what I need to keep working.
Posted by: Robert | 2009.02.16 at 14:23
Thanks for the coments., but what do you mean by "didn't work"? Maybe you need other modules to be fixed as well.
perldoc -t perllocal | perl -nle '/Module" (\S*)/ and $mod = $1;print $mod if /System/' | sort -u
might give you the list.
Posted by: miyagawa | 2009.02.16 at 14:28
If you use local::lib you also avoids this problem.
Posted by: kd | 2009.02.16 at 16:27
Yeah, as I mentioned in the post :D
Posted by: miyagawa | 2009.02.16 at 16:29
I like using a custom /usr/local/perl58 , /usr/local/perl56 etc. to avoid this problem (and others like Fedora's super-slowdown patch).
Posted by: Justin Mason | 2009.02.17 at 02:14
I think it may be even worse: Encode, Storable, threads, and Scalar::Util were also affected. There may be more I just haven't noticed yet.
Posted by: Andy Grundman | 2009.02.17 at 10:42
I ran that and it give me nothing back. When I say "didn't work" I mean that I downloaded and installed; IO, Scalar::Util and Storable.
I see Andy's post below where other modules might be affected as well.
I am running at Perl 5.10 now...so I am fine.
Posted by: Robert | 2009.02.17 at 12:46
Here's a full list of Perl-related changes in the security patch.
% lsbom -f -s /Library/Receipts/boms/com.apple.pkg.update.security.2009.001.bom | grep -i perl
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/CORE/config.h
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/CORE/embed.h
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/CORE/libperl.dylib
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/CORE/patchlevel.h
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/CORE/proto.h
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/Config_heavy.pl
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/B/B.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/B/C/C.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/ByteLoader/ByteLoader.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Cwd/Cwd.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/DB_File/DB_File.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Data/Dumper/Dumper.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Devel/DProf/DProf.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Devel/PPPort/PPPort.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Devel/Peek/Peek.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Digest/MD5/MD5.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/DynaLoader/DynaLoader.a
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/Byte/Byte.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/CN/CN.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/EBCDIC/EBCDIC.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/Encode.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/JP/JP.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/KR/KR.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/Symbol/Symbol.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/TW/TW.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Encode/Unicode/Unicode.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Fcntl/Fcntl.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/File/Glob/Glob.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Filter/Util/Call/Call.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/I18N/Langinfo/Langinfo.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/IO/IO.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/IPC/SysV/SysV.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/List/Util/Util.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/MIME/Base64/Base64.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/NDBM_File/NDBM_File.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Opcode/Opcode.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/POSIX/POSIX.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/PerlIO/encoding/encoding.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/PerlIO/scalar/scalar.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/PerlIO/via/via.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/SDBM_File/SDBM_File.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Socket/Socket.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Storable/Storable.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Sys/Hostname/Hostname.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Sys/Syslog/Syslog.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Time/HiRes/HiRes.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/Unicode/Normalize/Normalize.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/XS/APItest/APItest.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/XS/Typemap/Typemap.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/attrs/attrs.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/re/re.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/threads/shared/shared.bundle
./System/Library/Perl/5.8.8/darwin-thread-multi-2level/auto/threads/threads.bundle
./System/Library/Perl/5.8.8/pods/perldiag.pod
./usr/bin/perl
./usr/bin/perl5.8.8
./usr/bin/perlbug
./usr/share/man/man1/find2perl.1.gz
./usr/share/man/man1/perlbug.1.gz
./usr/share/man/man1/perlcc.1.gz
./usr/share/man/man1/perldiag.1.gz
./usr/share/man/man1/perlivp.1.gz
Posted by: J Greely | 2009.02.18 at 16:20
Here's what I suspect happened.
Apple patched and recompiled perl, but left the modules the same. This resulted in different compiled .bundle's but the same .pm. They then just did a diff against their old files and shipped what was different.
Reason #3098 to leave the vendor's perl alone.
Posted by: Schwern | 2009.02.22 at 19:01
Thanks for the tips. I hadn't used Perl since the patch until this weekend, so I'm late to the game.
Just for information, I had to re-install IO, Scalar::Util, and Compress::Zlib to get my system going again.
At this moment, it looks like I'm back in business.
Posted by: mpeever | 2009.02.28 at 18:05
I didn't get bit by this because I hadn't heavily used perl yet, but I'm about to start. What's the right way to install your own perl on Mac OS X? Are you aware of any instructions?
Posted by: Steven Fisher | 2009.03.04 at 11:41
Thank you! This really helped me out.
Posted by: Lúthien | 2009.03.05 at 12:09
This saved my bacon, thanks.
Posted by: uurf | 2009.03.09 at 16:56
I work on perl at Apple, and would like to take the opportunity to apologize for the unforeseen problems that the 2009-001 security update has caused. As others have explained, the root cause of the problem is how perl has historically (and on all platforms) ordered its module directory search path. The system perl directory (on Mac OS X, /System/Library/Perl/5.8.8) comes before the site-specific ones (e.g., /Library/Perl/5.8.8). This means that if you try to update a module in the system perl directory by installing it in a site-specific directory like you normally would any other perl module, the search path order would result in the old module being found first. So, the only way to do this kind of update is to directly overwrite the module in the system perl directory. The cpan command has an option (INSTALLDIRS=perl) specifically for this purpose.
Apple has always reserved the right to modify files in /System for software and security updates. Most users do stay away from /System, but using the cpan command to install a third party module can indirectly cause system perl modules to be updated. The system perl modules that have both a perl side (a .pm file) and a binary side (a .bundle file) are the ones that might be affected by 2009-001. In this case, 2009-001 installed many original version .bundle files with security fixes, but not their corresponding .pm files (since they weren't modified). So when the newer version .pm file tries to load an older version .bundle file from 2009-001, it fails.
At the present, the only fix is to reinstall the affected module(s). We are working hard on a solution that should rectify this issue, and we will make this available in a future update.
Posted by: Edward Moy | 2009.03.23 at 01:52
Edward,
Thanks for your comment and I'm glad to know that you're working on resolving the issues!
Posted by: miyagawa | 2009.03.23 at 14:16
Thank you for the clear instructions! That #$!#$ apple update completely broke my entire analysis pipeline.
Posted by: Ruth | 2009.03.26 at 09:04
Thanks for documenting this on the web. Apple is acting irresponsibly.
need to reinstall Time::HiRes and Log::Log4perl.
did it trough cpan command after the fixes mentioned.
Posted by: marco | 2009.04.02 at 15:00
It seems that the last developer version of Mac OS X 10.5.7 "Juno" (build 9J44) update has a solution:
"Areas of Change
...
* Perl and Security 2009-001 update compatibility fix
...
"
http://news.worldofapple.com/archives/2009/04/07/developers-greeted-with-build-9j44-of-mac-os-x-1057/#more-2982
The update is expected to be released for the general public later this month.
Posted by: Svetoslav Agafonkin | 2009.04.08 at 05:17
Hi Ed,
Thanks for being so honest about the cause, wished more people would be.
But, there is one small problem in reinstalling the affected module(s): one will need to have the originals and/or a decent backup for this.
I've used a Powerbook G4 for almost six (6) years now, it is having its birthday on April 29. Still a marvellous machine to own. Recently I decided to upgrade to a brand new MacBook Pro (the one with the new battery), so I spent a lot of money, transferred my files, almost everything runs fine from the box, installed the latest fixes (of course including the 2009-001 security update :-) and then went to do the last hurdles, which I thought of being small hurdles, got MySQL up-and-running, loaded my databases, configure PHP, everything fine, even found the small joke in changing the location of mysql.sock, etc. Took be less that half a day ioncluding several sanity checks.
And then I started perl CPAN for installing DBI and DBD, did that before, thought it would not be a big deal, but alas. Found you post in trying to find an answer on the net. Installed an new private version of perl to test with, DBI and several other modules go fine but DBD is the problem.
I've only started working with Time Machine after that, so finding these files is impossible for me....
Is there a list of affected files and their original location, or are you preparing a quick patch in short time for which I could decide to wait. I'm not afraid of patching files down below, so don't worry, it's just I don't have them.....
Regards from The Netherlands,
Wim.
Posted by: Wim van Dommelen | 2009.04.10 at 09:51
Blogs are so interactive where we get lots of informative on any topics nice job keep it up !!
Posted by: Dissertation Writing Help | 2009.07.06 at 05:16
Wonderful article, this error was a stinkin' bugger to fix!
Thanks so much!
Posted by: Pepper Spray Keychain | 2009.07.21 at 14:41
Thanks for the nice article. Very vital info shared by you.exbi chao
Posted by: aman | 2009.07.26 at 11:24
I thought I reinstalled all I needed when I first read your nice post, but today I discovered that Unicode::Normalize is broken too. Well, the Perl related changes dumped by J Greely shows the whole mess.
I think I should definitely move to Perl 5.10.0 (who wants to re-install all the modules?).
Posted by: i-blis | 2009.08.03 at 09:50