[ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924873#comment-16924873 ]

Jens Geyer commented on THRIFT-4928:
------------------------------------

Let alone it's not only against the [established set of rules the ASF 
follows|https://www.apache.org/security/committers.html], it is also against 
any commonly accepted processes across the whole web. There is a reason why 
these rules have been set up and why there is a thing called "responsible 
disclosure". Alone the fact that we talk about such an issue here in publicly 
visible JIRA tickets is ... well, please insert whatever word you think may fit 
in here on your own. 

In the specific case of this ticket, although I may stand corrected, I don't 
think it is a big deal. Let's just fix it and move on. Next time let's do 
better. 





> Sensitive information about expected and actual reading lengths (len, got) is 
> leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment:  Ubuntu 16.04.3 LTS
>       Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>
>    Operations: During Apache Thrift integration testing, I developed a 
> calculator application with a client and a server. The client sent a 
> computational command and got the result from the server. After I applied 
> a dynamic taint analyzer (distTaint), I finally found bugs from taint paths.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>       if (inputStream_ == null) {
>         throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream");
>       }
>       int bytesRead;
>       ......
>       bytesRead = inputStream_.read(buf, off, len);
>       ......
>     }
>
>   The sink: org.apache.thrift.transport.TTransport,
>     public int readAll(byte[] buf, int off, int len) throws TTransportException {
>       ......
>       if (ret <= 0) {
>         throw new TTransportException(
>             "Cannot read. Remote side has closed. Tried to read "
>                 + len
>                 + " bytes, but only got "
>                 + got
>                 + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)");
>       }
>       ......
>     }
>   Sensitive information about expected and actual reading lengths (len, got) 
> is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>
> I am going to submit a CVE, so please confirm this is not a true positive.
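The readAll loop the ticket quotes, as an added, self-contained illustration that is not Thrift's own code: a stand-in transport over a byte array (constructed sample input) reads until `len` bytes arrive, and on premature EOF keeps the expected/received counts in the server log while the exception handed up the stack carries only a generic text. `ReadAllDemo` and the use of `IOException` in place of `TTransportException` are assumptions made to keep the example stand-alone.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Logger;

/** Hypothetical stand-in for a Thrift-style stream transport (not Thrift's code). */
public class ReadAllDemo {
    private static final Logger LOG = Logger.getLogger(ReadAllDemo.class.getName());
    private final InputStream in;

    public ReadAllDemo(InputStream in) { this.in = in; }

    /** Mirrors TIOStreamTransport.read: a single read() on the underlying stream. */
    public int read(byte[] buf, int off, int len) throws IOException {
        return in.read(buf, off, len);
    }

    /** Mirrors TTransport.readAll: loop until len bytes are read. On premature EOF the
     *  byte counts go only to the local log; the thrown message stays generic. */
    public int readAll(byte[] buf, int off, int len) throws IOException {
        int got = 0;
        while (got < len) {
            int ret = read(buf, off + got, len - got);
            if (ret <= 0) {
                LOG.warning("remote side closed: expected " + len + " bytes, got " + got);
                throw new IOException("Cannot read. Remote side has closed.");
            }
            got += ret;
        }
        return got;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a 4-byte frame header announcing 10 body bytes,
        // followed by a body that was cut off after 3 bytes.
        byte[] wire = {0, 0, 0, 10, 'h', 'e', 'l'};
        ReadAllDemo t = new ReadAllDemo(new ByteArrayInputStream(wire));
        byte[] header = new byte[4];
        t.readAll(header, 0, 4);        // succeeds: all 4 header bytes present
        byte[] body = new byte[10];
        try {
            t.readAll(body, 0, 10);     // fails after 3 bytes
        } catch (IOException e) {
            System.out.println("caller sees: " + e.getMessage());
        }
    }
}
```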



--
This message was sent by Atlassian Jira
(v8.3.2#803003)