[
https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910015#comment-16910015
]
Jens Geyer commented on THRIFT-4928:
------------------------------------
I may overlook sth, therefore I ask you to add some substance to the 3 claims
you made. If it is an issue, we absolutely should fix it, but first we need to
analyze the situation and get some clarity about what we are doing here, I'd say
1) Why do we need to start the process with an CVE?
2) Why is "The problem is found in a taint path" an actual problem in the given
context(s)?
5) Why do we have to confirm the claim you made?
Re 3: Given we have a problem with tainted values, if the values in the
variables are used only sometimes, don't we still have a problem sometimes
after applying the proposed fix?
Re 5 and since you did not really answer 2: How can an integer value rendered
into a string variable be a security issue, if the string is an exception
message that is not an executable statement in any form, manner or shape and
the values are very likely either known to the client anyways and/or of no
other significance, at least as far as I can tell?
> Sensitive information about expected and actual reading lengths (len, got) is
> leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: THRIFT-4928
> URL: https://issues.apache.org/jira/browse/THRIFT-4928
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.11.0, 0.12.0
> Environment: Ubuntu 16.04.3 LTS
> Open JDK version "1.8.0_191" build 25.191-b12
> Reporter: xiaoqin.fu
> Priority: Major
>
> Operations: During Apache Thrift integration testing, I developed a
> calculator application with a client and a server. The client sent a
> computational command and get the result from the server. After I applied
> dynamic taint analyzer (distTaint), I found bugs from taint paths finally.
> The source: org.apache.thrift.transport.TIOStreamTransport:
> public int read(byte[] buf, int off, int len) throws TTransportException {
> if (inputStream_ == null) {
> throw new TTransportException(TTransportException.NOT_OPEN, "Cannot
> read from null inputStream");
> }
> int bytesRead;
> ......
> bytesRead = inputStream_.read(buf, off, len);
> ......
> }
>
> The sink: org.apache.thrift.transport.TTransport,
> public int readAll(byte[] buf, int off, int len)
> throws TTransportException {
> ......
> if (ret <= 0) {
> throw new TTransportException(
> "Cannot read. Remote side has closed. Tried to read "
> + len
> + " bytes, but only got "
> + got
> + " bytes. (This is often indicative of an internal
> error on the server side. Please check your server logs.)");
> }
> ......
> }
> Sensitive information about expected and actual reading lengths (len, got)
> is leaked.
> The tainted path:
> org.apache.thrift.transport.TIOStreamTransport -->
> org.apache.thrift.transport.TTransport
>
> I am going to submit a CVE, so please confirm this is not a true positive.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
