Bug#303308: [EMAIL PROTECTED]: Bug#303308: Patch for Perl untaint bug]

2005-11-01 Thread Brendan O'Dea
tag 303308 + pending
thanks

On Sun, Oct 30, 2005 at 03:45:52PM -0500, Chris Heath wrote:
On Sat, 2005-10-29 at 16:07 +1000, Brendan O'Dea wrote:
 See: http://bugs.debian.org/303308 .
 
 The following patch appears to correct the problem, although I'm not
 sufficiently versed in the taint implementation to say that it's the
 correct fix.  An alternate fix is included in the bug report.

My reason for patching mg.c is that anywhere mg_get is called with
PL_tainted == 1, this corruption could occur.  Here's another test case,
which patching scope.c doesn't fix:

#!/usr/bin/perl -Tw
my $tainted = substr($ENV{'PATH'}, 0, 0);
"foo" =~ m/(.*)/;
my $s = $1 . $tainted;
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);

OK.  Applied, thanks.

--bod


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#303308: [EMAIL PROTECTED]: Bug#303308: Patch for Perl untaint bug]

2005-10-31 Thread Rafael Garcia-Suarez
Chris Heath wrote:
 On Sat, 2005-10-29 at 16:07 +1000, Brendan O'Dea wrote:
  See: http://bugs.debian.org/303308 .
  
  The following patch appears to correct the problem, although I'm not
  sufficiently versed in the taint implementation to say that it's the
  correct fix.  An alternate fix is included in the bug report.
 
 My reason for patching mg.c is that anywhere mg_get is called with
 PL_tainted == 1, this corruption could occur.  Here's another test case,
 which patching scope.c doesn't fix:

Thanks, I applied Chris's patch as change #25932 to bleadperl (it looked
saner to me.)





Bug#303308: [EMAIL PROTECTED]: Bug#303308: Patch for Perl untaint bug]

2005-10-30 Thread Chris Heath
On Sat, 2005-10-29 at 16:07 +1000, Brendan O'Dea wrote:
 See: http://bugs.debian.org/303308 .
 
 The following patch appears to correct the problem, although I'm not
 sufficiently versed in the taint implementation to say that it's the
 correct fix.  An alternate fix is included in the bug report.

My reason for patching mg.c is that anywhere mg_get is called with
PL_tainted == 1, this corruption could occur.  Here's another test case,
which patching scope.c doesn't fix:

#!/usr/bin/perl -Tw
my $tainted = substr($ENV{'PATH'}, 0, 0);
"foo" =~ m/(.*)/;
my $s = $1 . $tainted;
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);


Chris

 --bod
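A regression check for this bug, added here as an example and not code from the thread; it assumes a perl with Scalar::Util (core since 5.8) and reports the taint state of $1 at each step of the report's test case with tainted(), so the corruption can be spotted without executing any string through eval:

```perl
#!/usr/bin/perl -Tw
# Added regression check for Debian bug #303308; not part of the original
# thread. Reports the taint state of $1 at each step via
# Scalar::Util::tainted() rather than waiting for eval() to die, so a
# perl build can be checked without executing any string at all.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$SIG{__WARN__} = sub { warn $_[0] };

# Empty but tainted string, exactly as in the bug report's test case.
my $tainted = substr($ENV{PATH}, 0, 0);
die "setup: \$tainted is not tainted\n" unless tainted($tainted);

my @failures;
# Compare the observed taint state of $value with what a correct
# build must produce, and remember any mismatch.
sub check {
    my ($label, $value, $expect) = @_;
    my $is = tainted($value) ? 1 : 0;
    printf "%-40s tainted=%d expected=%d %s\n",
        $label, $is, $expect, ($is == $expect ? 'ok' : 'FAIL');
    push @failures, $label if $is != $expect;
}

# 1. Capture from an untainted literal: $1 must be clean.
"foo" =~ m/(.*)/;
check('$1 after matching a clean literal', $1, 0);

# 2. The trigger: an expression carrying tainted data that calls the
#    __WARN__ handler (sprintf of undef warns) while $1 is live.
my $pat = "Testing %s\n" . $tainted;
my $s   = sprintf($pat, undef);
check('$1 after warn handler in tainted expr', $1, 0);

# 3. Same intermediate match as the report (tainted pattern); not checked.
"bar" =~ m/(.$tainted*)/;

# 4. The untaint idiom: a capture from a clean pattern matched against
#    tainted data must come out clean on a correct build.
my $test = 'print "OK\n"' . $tainted;
check('$test before untainting', $test, 1);
$test =~ m/(.*)/;
my $clean = $1;
check('copy of $1 after untainting', $clean, 0);

if (@failures) { print "BUG PRESENT: @failures\n"; exit 1 }
print "all taint checks passed\n";
```

Run it as `perl -T check.pl`; a nonzero exit means a capture was tainted where a correct build leaves it clean.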







Bug#303308: [EMAIL PROTECTED]: Bug#303308: Patch for Perl untaint bug]

2005-10-29 Thread Brendan O'Dea
See: http://bugs.debian.org/303308 .

The issue described concerns $1 getting tainted when a __WARN__ handler
is called (undefined value) during the execution of an expression which
contains a tainted value.  After this point, $1 is always tainted.

From what I can tell, $1 is being tainted from Perl_save_re_context,
invoked prior to the warn subroutine being called.

The following patch appears to correct the problem, although I'm not
sufficiently versed in the taint implementation to say that it's the
correct fix.  An alternate fix is included in the bug report.

Thoughts?

--bod

[Test case from the bug report:]

#!/usr/bin/perl -Tw
$SIG{'__WARN__'} = sub {warn $_[0]};
my $tainted = substr($ENV{'PATH'}, 0, 0);
my $pat = "Testing %s\n" . $tainted;
"foo" =~ m/(.*)/;
my $foo = $1;
my $s = sprintf($pat, undef);  #  corrupts $1!!
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);

[Patch:]

diff -ur ../perl-5.8.7.broken/scope.c ../perl-5.8.7/scope.c
--- ../perl-5.8.7.broken/scope.c2005-01-20 10:56:27.0 +1100
+++ ../perl-5.8.7/scope.c   2005-10-29 15:55:08.697604021 +1000
@@ -210,6 +210,7 @@
if (SvGMAGICAL(osv)) {
MAGIC* mg;
bool oldtainted = PL_tainted;
+   TAINT_NOT;
mg_get(osv);/* note, can croak! */
if (PL_tainting  PL_tainted 
(mg = mg_find(osv, PERL_MAGIC_taint))) {
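Review bot: clearing PL_tainted with TAINT_NOT just before mg_get(osv) only covers this one save path (the oldtainted copy on the line above shows the flag is already saved here, so the reset itself is safe), but as Chris's second test case shows, the same corruption is reachable wherever magic_get for $1 runs with PL_tainted set and no save is involved, so the fix belongs at the sv_setpvn in mg.c's getrx rather than in scope.c. Note also that the context line `if (PL_tainting  PL_tainted` has lost its `&&` operators in the list-archive rendering; re-apply this hunk from the original attachment, not from this listing.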





Bug#303308: Patch for Perl untaint bug

2005-10-29 Thread Brendan O'Dea
forwarded 303308 perl5-porters@perl.org
thanks

On Thu, Oct 20, 2005 at 09:27:24AM -0400, Chris Heath wrote:
We were finally able to narrow this bug down to a small test case.  I
have also attached a patch that fixes it.

Thanks Chris,

Brendan, is there anything else you need from us to get this into
unstable?  Will you push this upstream, or should I write to p5p myself?

I'm not quite sure about this fix, I've forwarded the bug with an
alternate patch to p5p for comment.

--bod





Bug#303308: Patch for Perl untaint bug

2005-10-20 Thread Chris Heath
We were finally able to narrow this bug down to a small test case.  I
have also attached a patch that fixes it.


#!/usr/bin/perl -Tw
$SIG{'__WARN__'} = sub {warn $_[0]};
my $tainted = substr($ENV{'PATH'}, 0, 0);
my $pat = "Testing %s\n" . $tainted;
"foo" =~ m/(.*)/;
my $foo = $1;
my $s = sprintf($pat, undef);  #  corrupts $1!!
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);


Output:
Use of uninitialized value in sprintf at - line 7.
Insecure dependency in eval while running with -T switch at - line 13.


In a nutshell, the bug was caused by having a single line that taints
and then calls a warning handler.  After that, $1 becomes increasingly
corrupted. (Insert Devel::Peek::Dump($1) at various points to see this.)

Brendan, is there anything else you need from us to get this into
unstable?  Will you push this upstream, or should I write to p5p myself?

Chris Heath
AutoWeb Communications, Inc.
--- mg.c.bad	2005-10-04 11:29:10.0 -0400
+++ mg.c	2005-10-04 11:39:01.0 -0400
@@ -768,7 +768,10 @@
 
 	  getrx:
 		if (i = 0) {
+		int oldtainted = PL_tainted;
+		TAINT_NOT;
 		sv_setpvn(sv, s, i);
+		PL_tainted = oldtainted;
 		if (RX_MATCH_UTF8(rx)  is_utf8_string((U8*)s, i))
 			SvUTF8_on(sv);
 		else
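Review bot: saving PL_tainted, clearing it with TAINT_NOT, and restoring it around the sv_setpvn(sv, s, i) is the right granularity: the copy of the capture into $1 is the one place where the enclosing expression's taint flag can leak into the match variable, and this covers every caller of mg_get, which the scope.c alternative does not. Two small points: `int oldtainted` should be `bool` to match the type PL_tainted is saved into elsewhere (scope.c uses `bool oldtainted`), and the context lines `if (i = 0)` and `RX_MATCH_UTF8(rx)  is_utf8_string(...)` have lost characters (`>=`, `&&`) in the archive rendering, so the hunk should be taken from the attached mg.c diff rather than from this listing.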