Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 130692
Status: rejected
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: biejunh [...] cn.ibm.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Attachments
static Strawberry Perl (32_64) 20190925_16_05_20191010_14_46_57.html



Subject: security vulnerabilities discovered on Net::SSLeay modules
Date: Sat, 12 Oct 2019 06:20:38 +0000
To: bug-Net-SSLeay [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Download (untitled) / with headers
text/plain 1.5k
Hello Net::SSLeay bug team, We are using Strawberry Perl 5.30.0.1 and some Perl modules on our application, according to company's security policy, we ran static code scanning for these open source code, but some security vulnerabilities are discovered during scanning. Net::SSLeay::Handle CWE: 266 API: Missing Setuid Caller: src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 107 call :write($ssl, $msg) src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 149 call :write($ssl, substr($buf, $offset, $len) src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 156 call "close($fileno) src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 232 call select($old_select) src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 149 call :write($ssl, substr($buf, $offset, $len) src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 156 call "close($fileno) src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 232 call select($socket) src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 107 call :write($ssl, $msg) src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 232 call select($old_select) src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 232 call select($socket) For the details, please refer to following reporting: Do you have any solution to fix these security issues ? It is very urgent for us to fix these issues for our project, could you take it as high priority ? Thanks in advance ! Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com

Message body is not shown because sender requested not to inline it.

Download (untitled) / with headers
text/plain 1.5k
Thanks for the report, Bie. On Sat Oct 12 08:25:33 2019, biejunh@cn.ibm.com wrote: Show quoted text
> We are using Strawberry Perl 5.30.0.1 and some Perl modules on our > application, according to company's security policy, we ran static code > scanning for these open source code, but some security vulnerabilities are > discovered during scanning. > Net::SSLeay::Handle > CWE: 266 > API: Missing Setuid > Caller: > src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 107 call :write($ssl, > $msg) > src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 149 call :write($ssl, > substr($buf, $offset, $len) > src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 156 call > "close($fileno) > src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 232 call > select($old_select) > src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 149 call :write($ssl, > substr($buf, $offset, $len) > src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 156 call > "close($fileno) > src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 232 call > select($socket) > src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 107 call :write($ssl, > $msg) > src\perl64\vendor\lib\Net\SSLeay\Handle.pm at line 232 call > select($old_select) > src\perl32\vendor\lib\Net\SSLeay\Handle.pm at line 232 call > select($socket) > > Do you have any solution to fix these security issues ?
These appear to be false positives in the code analyser you're using: the use of select(), write() and close() in Net::SSLeay::Handle doesn't present a privilege escalation risk. It should be safe to ignore these warnings.
Subject: Re: [rt.cpan.org #130692] security vulnerabilities discovered on Net::SSLeay modules
Date: Thu, 17 Oct 2019 12:27:39 +0000
To: bug-Net-SSLeay [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Download (untitled) / with headers
text/plain 74.1k

Message body is not shown because it is too large.

Download (untitled) / with headers
text/html 190.9k

Message body is not shown because it is too large.

Download (untitled)
image/gif 9.4k
(untitled)
Download (untitled) / with headers
text/plain 563b
On Thu Oct 17 13:57:08 2019, biejunh@cn.ibm.com wrote: Show quoted text
> We also find some issues by Perl Critic static code scan tool on > Net::SSLeay module, could you also help to investigate them ? > Thanks !
Recommendations from perlcritic(1) relate to source code style, but don't indicate the existence of security vulnerabilities per se. The Net-SSLeay code base is very mature, and predates many (possibly all?) best practices for programming in Perl - we have long-term plans to modernise the code base, including achieving some level of compliance with Perl::Critic.
Subject: Re: [rt.cpan.org #130692] security vulnerabilities discovered on Net::SSLeay modules
Date: Thu, 24 Oct 2019 16:06:12 +0800
To: bug-Net-SSLeay [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Download (untitled) / with headers
text/plain 1.4k
Hello Chris, Thanks for your quick response ! Do you mean those issues generated by perl critic are not related to security vulnerabilities ? and all these issues are related to best practices for programming in Perl ? Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com From: "Chris Novakovic via RT" <bug-Net-SSLeay@rt.cpan.org> To: biejunh@cn.ibm.com Date: 10/22/2019 07:34 AM Subject: [EXTERNAL] [rt.cpan.org #130692] security vulnerabilities discovered on Net::SSLeay modules <URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130692&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=korRcA8aMz9quHbPBIGsaEUKlXkDYnKx-HvlHi7-K_g&s=sWxoi3twlugimjiIl3zfWclgGzCCrTkn_PVBgqQwbf8&e= Show quoted text
>
On Thu Oct 17 13:57:08 2019, biejunh@cn.ibm.com wrote: Show quoted text
> We also find some issues by Perl Critic static code scan tool on > Net::SSLeay module, could you also help to investigate them ? > Thanks !
Recommendations from perlcritic(1) relate to source code style, but don't indicate the existence of security vulnerabilities per se. The Net-SSLeay code base is very mature, and predates many (possibly all?) best practices for programming in Perl - we have long-term plans to modernise the code base, including achieving some level of compliance with Perl::Critic.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.