[ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910015#comment-16910015 ]
Jens Geyer commented on THRIFT-4928: ------------------------------------ I may overlook sth, therefore I ask you to add some substance to the 3 claims you made. If it is an issue, we absolutely should fix it, but first we need to analyze the situation and get some clarity about what we are doing here, I'd say 1) Why do we need to start the process with an CVE? 2) Why is "The problem is found in a taint path" an actual problem in the given context(s)? 5) Why do we have to confirm the claim you made? Re 3: Given we have a problem with tainted values, if the values in the variables are used only sometimes, don't we still have a problem sometimes after applying the proposed fix? Re 5 and since you did not really answer 2: How can an integer value rendered into a string variable be a security issue, if the string is an exception message that is not an executable statement in any form, manner or shape and the values are very likely either known to the client anyways and/or of no other significance, at least as far as I can tell? > Sensitive information about expected and actual reading lengths (len, got) is > leaked from TIOStreamTransport to TTransport through a TTransportException > -------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: THRIFT-4928 > URL: https://issues.apache.org/jira/browse/THRIFT-4928 > Project: Thrift > Issue Type: Bug > Components: Java - Library > Affects Versions: 0.11.0, 0.12.0 > Environment: Ubuntu 16.04.3 LTS > Open JDK version "1.8.0_191" build 25.191-b12 > Reporter: xiaoqin.fu > Priority: Major > > Operations: During Apache Thrift integration testing, I developed a > calculator application with a client and a server. The client sent a > computational command and get the result from the server. After I applied > dynamic taint analyzer (distTaint), I found bugs from taint paths finally. > The source: org.apache.thrift.transport.TIOStreamTransport: > public int read(byte[] buf, int off, int len) throws TTransportException { > if (inputStream_ == null) { > throw new TTransportException(TTransportException.NOT_OPEN, "Cannot > read from null inputStream"); > } > int bytesRead; > ...... > bytesRead = inputStream_.read(buf, off, len); > ...... > } > > The sink: org.apache.thrift.transport.TTransport, > public int readAll(byte[] buf, int off, int len) > throws TTransportException { > ...... > if (ret <= 0) { > throw new TTransportException( > "Cannot read. Remote side has closed. Tried to read " > + len > + " bytes, but only got " > + got > + " bytes. (This is often indicative of an internal > error on the server side. Please check your server logs.)"); > } > ...... > } > Sensitive information about expected and actual reading lengths (len, got) > is leaked. > The tainted path: > org.apache.thrift.transport.TIOStreamTransport --> > org.apache.thrift.transport.TTransport > > I am going to submit a CVE, so please confirm this is not a true positive. -- This message was sent by Atlassian JIRA (v7.6.14#76016)