Description: Ensure that we don't stop programs with Taint mode enabled from running.
 If Taint mode is enabled, then we can't use a tainted PATH. Require that
 a full path to the correct gpg binary is provided, and unset the PATH as
 needed.
Author: Andrew Ruthven
Bug: https://rt.cpan.org/Ticket/Display.html?id=133041
Last-Update: 2020-07-24

---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/lib/GnuPG/Interface.pm
+++ b/lib/GnuPG/Interface.pm
@@ -76,7 +76,7 @@
 sub BUILD {
     my ( $self, $args ) = @_;
 
-    $self->hash_init( call => 'gpg' );
+    $self->hash_init( call => '/usr/bin/gpg' );
     $self->hash_init(%$args);
     $self->_set_version($self->_version());
 }
@@ -340,7 +340,14 @@
             @commands,     @command_args
         );
 
-        exec @command or die "exec() error: $ERRNO";
+        if (${^TAINT}) {
+            my $old_path = $ENV{'PATH'};
+            $ENV{'PATH'} = '';
+            exec @command or die "exec() error: $ERRNO";
+            $ENV{'PATH'} = $old_path;
+        } else {
+            exec @command or die "exec() error: $ERRNO";
+        }
     }
 
     # parent
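Review bot: In the taint branch, `$ENV{'PATH'} = $old_path;` can never run: exec only returns on failure, and `or die` then leaves the block. The code appears to run in the forked child (the enclosing block starts outside the hunk), so no restore is needed anyway. Clearing PATH alone is also not enough for taint mode, because perlsec lists `IFS`, `CDPATH`, `ENV` and `BASH_ENV` as checked too, so the exec can still die with an "Insecure $ENV{...}" error when any of them is set. I would collapse both branches into a single exec preceded by `if (${^TAINT}) { $ENV{PATH} = '/usr/bin:/bin'; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; }`. A fixed absolute PATH is safer than `''`, which some libc implementations search as the current directory when `call` is a bare name, and which gpg itself inherits; the `call` POD should state that an absolute path is required under taint mode.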
@@ -1195,9 +1202,9 @@
 
 =item call
 
-This defines the call made to invoke GnuPG.  Defaults to 'gpg'; this
-should be changed if 'gpg' is not in your path, or there is a different
-name for the binary on your system.
+This defines the call made to invoke GnuPG.  Defaults to '/usr/bin/gpg'.
+Modified on Debian to use the full path to protect against programs
+running in Taint mode.
 
 =item passphrase
 
--- /dev/null
+++ b/t/taint.t
@@ -0,0 +1,26 @@
+#!/usr/bin/perl -wT
+#
+# Ensure we can instatiate in Taint mode. Don't need to
+# do any work, as GnuPG::Interface runs the command we're going
+# to use to detect the version.
+
+use strict;
+
+use lib './t';
+use MyTest;
+
+use GnuPG::Interface;
+
+my $gnupg;
+
+# See that we instantiate an object in Taint mode
+TEST
+{
+    $gnupg = GnuPG::Interface->new( call => '/usr/bin/gpg' );
+};
+
+# See that version is set
+TEST
+{
+    defined $gnupg->version;
+};
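Review bot: The first TEST block passes `call => '/usr/bin/gpg'` explicitly, so the new default set in BUILD is never exercised under -T; constructing with `GnuPG::Interface->new()` would cover the patched default as well. The second block calls `$gnupg->version` unguarded, so if construction did not yield an object the failure would presumably surface as a method call on undef rather than a clean test failure; `defined $gnupg && defined $gnupg->version;` avoids that. The header comment also has a typo, "instatiate" for "instantiate".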
--- a/t/MyTestSpecific.pm
+++ b/t/MyTestSpecific.pm
@@ -53,7 +53,7 @@
 
 $ENV{'GNUPGHOME'} = $homedir;
 
-$gnupg = GnuPG::Interface->new( passphrase => 'test', call => ($ENV{'CALL'} || 'gpg') );
+$gnupg = GnuPG::Interface->new( passphrase => 'test', call => ($ENV{'CALL'} || '/usr/bin/gpg') );
 $gnupg->options->hash_init( homedir              => $homedir,
                             armor                => 1,
                             meta_interactive     => 0,
