[ https://issues.apache.org/jira/browse/THRIFT-4929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17132990#comment-17132990 ]

Jens Geyer commented on THRIFT-4929:
------------------------------------

[~xiaoqin.fu] I hereby ask you officially to send any PR you might have ready 
for all of the issues related to this ticket, directly or indirectly or as a 
duplicate. We will look at them ASAP. 

In the future, when facing such problems, you may file a ticket, but PLEASE 
leave out any security considerations in public. If in doubt about a 
particular issue, please contact priv...@thrift.apache.org explaining the 
problem INCLUDING the security details. If there is no doubt, then please READ 
and FOLLOW the ASF guidelines already linked above and in the other tickets.

Thank you.

> Sensitive information about socket input stream or output stream is leaked 
> from TIOStreamTransport
> --------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4929
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4929
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment:  Ubuntu 16.04.3 LTS
>       Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>         Attachments: TaintPath
>
>
>    Operations: During Apache Thrift integration testing, I developed a 
> calculator application with a client and a server. The client sent a 
> computational command and got the result from the server. After I applied a 
> dynamic taint analyzer (distTaint), I finally found bugs from taint paths.
>  
>  The source: org.apache.thrift.transport.TIOStreamTransport:
>   public int read(byte[] buf, int off, int len) throws TTransportException {
>     if (inputStream_ == null) {
>       throw new TTransportException(TTransportException.NOT_OPEN,
>           "Cannot read from null inputStream");
>     }
>     int bytesRead;
>     ......
>     bytesRead = inputStream_.read(buf, off, len);
>     ......
>   }
>  The sink: org.apache.thrift.transport.TIOStreamTransport:
>   public void close() {
>     if (inputStream_ != null) {
>       try {
>         inputStream_.close();
>       } catch (IOException iox) {
>         LOGGER.warn("Error closing input stream.", iox);
>       }
>       inputStream_ = null;
>     }
>     if (outputStream_ != null) {
>       try {
>         outputStream_.close();
>       } catch (IOException iox) {
>         LOGGER.warn("Error closing output stream.", iox);
>       }
>       outputStream_ = null;
>     }
>   }
> Sensitive information about the socket input stream or output stream is leaked. 
>   The tainted path:
>  org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport --> 
>     org.apache.thrift.protocol.TBinaryProtocol --> 
>     org.apache.thrift.transport.TTransport --> 
>      org.apache.thrift.protocol.TBinaryProtocol --> 
>      org.apache.thrift.transport.TTransport --> 
>      org.apache.thrift.protocol.TBinaryProtocol --> 
>      org.apache.thrift.transport.TTransport --> 
>       org.apache.thrift.protocol.TBinaryProtocol --> 
>       org.apache.thrift.transport.TTransport --> 
>       org.apache.thrift.protocol.TBinaryProtocol --> 
>       org.apache.thrift.transport.TTransport --> 
>       org.apache.thrift.protocol.TBinaryProtocol --> 
>       org.apache.thrift.transport.TTransport --> 
>       CalculatorService$add_result$add_resultStandardScheme --> 
>        org.apache.thrift.protocol.TBinaryProtocol --> 
>        org.apache.thrift.TServiceClient --> 
>        org.apache.thrift.protocol.TBinaryProtocol --> 
>        org.apache.thrift.transport.TIOStreamTransport --> 
>        CalculatorService$add_result$add_resultStandardScheme --> 
>        org.apache.thrift.protocol.TBinaryProtocol --> 
>        org.apache.thrift.transport.TIOStreamTransport --> 
>        CalculatorService$add_result$add_resultStandardScheme --> 
>        org.apache.thrift.protocol.TBinaryProtocol --> 
>         CalculatorService$Client --> 
>         org.apache.thrift.protocol.TMessage --> 
>         org.apache.thrift.protocol.TField --> 
>         org.apache.thrift.protocol.TBinaryProtocol --> 
>         CalculatorService$add_result$add_resultStandardScheme --> 
>         org.apache.thrift.protocol.TBinaryProtocol --> 
>         CalculatorService$add_result$add_resultStandardScheme --> 
>         org.apache.thrift.protocol.TBinaryProtocol --> 
>         org.apache.thrift.protocol.TField --> 
>         CalculatorService$Client --> 
>         org.apache.thrift.protocol.TBinaryProtocol --> 
>         CalculatorService$add_result --> 
>         org.apache.thrift.TServiceClient --> 
>         org.apache.thrift.protocol.TBinaryProtocol --> 
>         org.apache.thrift.TServiceClient --> 
>         org.apache.thrift.protocol.TField --> 
>          CalculatorService$add_result$add_resultStandardScheme --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          CalculatorService$Client --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          CalculatorService$Client --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          org.apache.thrift.protocol.TMessage --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          org.apache.thrift.TServiceClient --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          org.apache.thrift.TServiceClient --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          CalculatorService$add_result$add_resultStandardScheme --> 
>          org.apache.thrift.protocol.TBinaryProtocol --> 
>          org.apache.thrift.protocol.TMessage --> 
>          CalculatorService$add_result$add_resultStandardScheme --> 
>           CalculatorService$add_args --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           CalculatorService$add_result --> 
>           CalculatorService$add_args --> 
>           org.apache.thrift.TServiceClient --> 
>           CalculatorService$add_result --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           CalculatorService$add_args --> 
>           CalculatorService$add_result$add_resultStandardScheme --> 
>           CalculatorService$add_result --> 
>           org.apache.thrift.EncodingUtils --> 
>           CalculatorClient --> 
>           CalculatorService$add_result --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           org.apache.thrift.TServiceClient --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           CalculatorService$add_result --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           org.apache.thrift.EncodingUtils --> 
>           org.apache.thrift.protocol.TBinaryProtocol --> 
>           org.apache.thrift.EncodingUtils --> 
>            org.apache.thrift.protocol.TBinaryProtocol --> 
>            org.apache.thrift.EncodingUtils --> 
>            CalculatorService$add_args --> 
>            CalculatorService$add_args$add_argsStandardSchemeFactory --> 
>            CalculatorClient --> 
>            org.apache.thrift.protocol.TBinaryProtocol --> 
>            CalculatorService$add_result$add_resultStandardSchemeFactory --> 
>            CalculatorService$add_result --> 
>             org.apache.thrift.protocol.TBinaryProtocol --> 
>             CalculatorClient --> 
>             org.apache.thrift.protocol.TBinaryProtocol --> 
>             CalculatorService$add_args --> 
>             org.apache.thrift.protocol.TBinaryProtocol --> 
>             CalculatorService$add_args --> 
>             org.apache.thrift.protocol.TBinaryProtocol --> 
>             CalculatorClient --> 
>             CalculatorService$add_result --> 
>              org.apache.thrift.protocol.TBinaryProtocol --> 
>              org.apache.thrift.transport.TSocket --> 
>              org.apache.thrift.protocol.TBinaryProtocol --> 
>              org.apache.thrift.transport.TIOStreamTransport --> 
>              org.apache.thrift.protocol.TBinaryProtocol --> 
>              org.apache.thrift.transport.TIOStreamTransport --> 
>              CalculatorClient --> 
>              CalculatorService$Client --> 
>              CalculatorService$add_args --> 
>              CalculatorService$add_result --> 
>              org.apache.thrift.protocol.TBinaryProtocol --> 
>              CalculatorClient --> 
>              CalculatorService$add_result --> 
>              org.apache.thrift.protocol.TBinaryProtocol --> 
>               org.apache.thrift.transport.TIOStreamTransport --> 
>               org.apache.thrift.protocol.TBinaryProtocol --> 
>               org.apache.thrift.protocol.TProtocol --> 
>               org.apache.thrift.protocol.TBinaryProtocol --> 
>               org.apache.thrift.TServiceClient --> 
>               org.apache.thrift.transport.TIOStreamTransport --> 
>               CalculatorService$Client --> 
>               CalculatorClient --> 
>               org.apache.thrift.transport.TSocket --> 
>               CalculatorClient --> 
>               org.apache.thrift.protocol.TBinaryProtocol --> 
>               CalculatorClient --> 
>               org.apache.thrift.EncodingUtils --> 
>               CalculatorService$Client --> 
>               org.apache.thrift.transport.TSocket --> 
>               org.apache.thrift.protocol.TBinaryProtocol --> 
>               org.apache.thrift.transport.TIOStreamTransport --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TIOStreamTransport --> 
>                org.apache.thrift.EncodingUtils --> 
>                org.apache.thrift.transport.TIOStreamTransport --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TSocket --> 
>                org.apache.thrift.protocol.TProtocol --> 
>                org.apache.thrift.TServiceClient --> 
>                org.apache.thrift.transport.TSocket --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TSocket --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.EncodingUtils --> 
>                org.apache.thrift.transport.TIOStreamTransport --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TSocket --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TSocket --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                CalculatorClient --> 
>                org.apache.thrift.protocol.TBinaryProtocol --> 
>                org.apache.thrift.transport.TIOStreamTransport 
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
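The taint path quoted in the ticket starts at TIOStreamTransport.read and ends at TIOStreamTransport.close. The Java below is an added walkthrough of that exact path, written for this page against the libthrift 0.12 API; it is not code from the ticket and not Thrift project code. It hand-encodes an add_result REPLY into a byte array, decodes it through TIOStreamTransport and TBinaryProtocol (the classes the path alternates between), then closes the transport and shows what a read after close does. The message name "add", the field id 0, the seqid and the values are assumptions chosen to mirror the reporter's CalculatorService; the wire bytes are constructed in memory, so no socket is involved and no generated code is needed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TField;
import org.apache.thrift.protocol.TMessage;
import org.apache.thrift.protocol.TMessageType;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.protocol.TProtocolUtil;
import org.apache.thrift.protocol.TStruct;
import org.apache.thrift.protocol.TType;
import org.apache.thrift.transport.TIOStreamTransport;
import org.apache.thrift.transport.TTransportException;

/**
 * Added illustration, not Thrift project code. "add", field id 0 and the
 * seqid are assumptions mirroring the reporter's CalculatorService; the
 * wire bytes are constructed here rather than read from a socket.
 */
public class TaintPathWalkthrough {

    // Encode a REPLY carrying one I32 "success" field (id 0), the shape a
    // generated add_result struct has on the wire.
    static byte[] encodeAddResult(int seqid, int sum) throws TException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        TIOStreamTransport out = new TIOStreamTransport(bytes); // output-only transport
        TProtocol prot = new TBinaryProtocol(out);
        prot.writeMessageBegin(new TMessage("add", TMessageType.REPLY, seqid));
        prot.writeStructBegin(new TStruct("add_result"));
        prot.writeFieldBegin(new TField("success", TType.I32, (short) 0));
        prot.writeI32(sum);
        prot.writeFieldEnd();
        prot.writeFieldStop();
        prot.writeStructEnd();
        prot.writeMessageEnd();
        out.flush();
        return bytes.toByteArray();
    }

    // Decode: every byte leaves the stream via TIOStreamTransport.read (the
    // ticket's "source") and ends up in the returned int; that is the data
    // flow the taint path enumerates, class by class.
    static int decodeAddResult(byte[] wire, int expectedSeqid) throws TException {
        TIOStreamTransport in = new TIOStreamTransport(new ByteArrayInputStream(wire));
        TProtocol prot = new TBinaryProtocol(in);
        TMessage msg = prot.readMessageBegin();
        if (msg.type != TMessageType.REPLY || msg.seqid != expectedSeqid) {
            throw new TException("unexpected message " + msg.name + "/" + msg.type);
        }
        Integer result = null;
        prot.readStructBegin();
        while (true) {
            TField f = prot.readFieldBegin();
            if (f.type == TType.STOP) break;
            if (f.id == 0 && f.type == TType.I32) {
                result = prot.readI32();
            } else {
                TProtocolUtil.skip(prot, f.type); // unknown field: skip it, never trust it
            }
            prot.readFieldEnd();
        }
        prot.readStructEnd();
        prot.readMessageEnd();

        // The ticket's "sink": close() closes the stream and nulls the
        // reference. It emits nothing; a later read fails with NOT_OPEN.
        in.close();
        boolean readRefused = false;
        try {
            in.read(new byte[1], 0, 1);
        } catch (TTransportException e) {
            readRefused = e.getType() == TTransportException.NOT_OPEN;
        }
        if (!readRefused) throw new TException("read after close did not fail with NOT_OPEN");
        if (result == null) throw new TException("add_result has no success field");
        return result;
    }

    public static void main(String[] args) throws TException {
        byte[] wire = encodeAddResult(1, 7);
        System.out.println("encoded " + wire.length + " bytes, decoded sum = "
                + decodeAddResult(wire, 1));
    }
}
```

What the walk makes concrete: any byte that reaches the application must pass from inputStream_.read through the protocol into a field, so a dataflow tool that tags the socket stream as a source will mark every decoded field as tainted, and the alternation TIOStreamTransport / TBinaryProtocol / generated scheme in the quoted path is that normal decode loop. close() only releases the stream references and writes nothing, and a read issued after it is refused with NOT_OPEN. Whether the decoded values are sensitive, and where the calling code sends them next, is decided outside the transport.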