This queue is for tickets about the Net-Server CPAN distribution.

Report information
The Basics
Id: 17090
Status: resolved
Priority: 0/
Queue: Net-Server

People
Owner: Nobody in particular
Requestors: LUPE [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.90
Fixed in: (no value)



Subject: Insecure dependency in exec while running with -T switch at /usr/local/lib/perl5/site_perl/5.8.7/Net/Server.pm line 1076.
Like #14155, this is a problem Munin encounters when it is restarted during logfile rotation on FreeBSD.

The line in question is exec @{ $self->commandline }; in hup_server.

$self->commandline is not untainted in _get_commandline.

BTW, the detection for a relative path in the same sub isn't complete:
$script =~ m|^\.+/|
A relative path starts with anything but a '/', not just a '.'.

Patch attached.
Subject: Net-Server.patch
--- /usr/local/lib/perl5/site_perl/5.8.7/Net/Server.pm.orig Mon Dec 5 22:13:04 2005 +++ /usr/local/lib/perl5/site_perl/5.8.7/Net/Server.pm Mon Jan 16 16:26:49 2006 @@ -133,6 +133,7 @@ ### see if we can find the full command line if (open _CMDLINE, "/proc/$$/cmdline") { # unix specific my $line = do { local $/ = undef; <_CMDLINE> }; + ($line) = $line =~ /^(.*)$/; # untaint close _CMDLINE; if ($line) { return [split /\0/, $line]; @@ -140,7 +141,8 @@ } my $script = $0; - $script = $ENV{'PWD'} .'/'. $script if $script =~ m|^\.+/| && $ENV{'PWD'}; # add absolute to relative + $script = $ENV{'PWD'} .'/'. $script if $script !~ m|^\//| && $ENV{'PWD'}; # add absolute to relative + ($script) = $script =~ /^(.*)$/; # untaint return [ $script, @ARGV ] }
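Review bot: the added `($line) = $line =~ /^(.*)$/; # untaint` in the /proc/$$/cmdline branch matches every possible string, so it clears the taint flag without validating anything; an untaint should name the characters the code is willing to hand to `exec` (a character-class capture that fails, and lets the code fall through to the `$0` branch, when it sees anything else). Two smaller points on the same line: `do { local $/ = undef; <_CMDLINE> }` returns undef on an empty file, so the match warns when warnings are enabled, and because `.` does not match a newline, a cmdline containing one silently leaves `$line` undefined and the fallback to `$0` happens with no indication why.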
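Review bot: the new test `$script !~ m|^\//|` has a logic error: with `|` as the delimiter, `\/` is just a literal slash, so the pattern is `^//` and only a path starting with two slashes counts as absolute. An ordinary absolute `$0` such as `/usr/local/sbin/munin-node` fails the test and gets `$ENV{'PWD'}` prepended, producing a path that does not exist. The intended check is `$script !~ m|^/|` (or `m{^/}`). The `($script) = $script =~ /^(.*)$/; # untaint` that follows has the same accept-anything problem as the first hunk, and here it also launders `$ENV{'PWD'}`, which is itself tainted under -T, so a character whitelist is doubly warranted on this line.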
On Mon Jan 16 10:43:53 2006, LUPE wrote:
> Like #14155, this is a problem Munin encounters when it is restarted
> during logfile rotation on FreeBSD.
>
> The line in question is exec @{ $self->commandline }; in hup_server.
>
> $self->commandline is not untainted in _get_commandline.
>
> BTW, the detection for a relative path in the same sub isn't complete:
> $script =~ m|^\.+/| A relative path starts with anything but a '/', not
> just a '.'.
>
> Patch attached.
Equivalent patches have been applied to the 0.94 release.
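The report above describes two separate defects: the command line reaches `exec` still tainted, and the relative-path test only catches names that start with '.'. The following is an added example, not code from Net-Server or from the reporter, showing one defensive way to handle both under -T; `untaint_arg`, `absolute_commandline`, the whitelist character class and the sample inputs are assumptions chosen for illustration (in the daemon the tainted inputs would be `$0`, @ARGV and `$ENV{PWD}`).

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Untaint one command-line element the way taint mode intends: only a value
# matching an explicit whitelist is let through, and the capture ($1) is what
# clears the taint flag.  /^(.*)$/ would accept every string and merely hide
# the flag.  \z (not $) refuses a trailing newline.  The character class is an
# assumption for this example; widen it to match the paths you actually use.
sub untaint_arg {
    my ($arg) = @_;
    if (defined $arg && $arg =~ m{^([\w./=:,+\@-]+)\z}) {
        return $1;
    }
    die sprintf("refusing to untaint command-line element %s\n",
                defined $arg ? "'$arg'" : 'undef');
}

# Build the absolute command line used for a re-exec.  A path is relative
# whenever it does not begin with '/', not only when it begins with '.', so
# plain 'bin/munin-node' or 'munin-node' get $cwd prepended as well.
sub absolute_commandline {
    my ($script, $cwd, @args) = @_;
    $script = "$cwd/$script"
        if $script !~ m{^/} && defined $cwd && length $cwd;
    return [ map { untaint_arg($_) } $script, @args ];
}

# Constructed sample inputs (not taken from the ticket).
for my $case (
    [ '/usr/local/sbin/munin-node', '/var/run',   '--debug' ],
    [ 'bin/munin-node',             '/usr/local', '--debug' ],
    [ './munin-node',               '/usr/local'            ],
    [ "munin-node\tdebug",          '/usr/local'            ],
) {
    my ($script, $cwd, @args) = @$case;
    my $cmd = eval { absolute_commandline($script, $cwd, @args) };
    if ($cmd) {
        # exec with a list never involves a shell; the untaint is what -T demands
        print "would exec: @$cmd\n";
    } else {
        print "rejected: $@";
    }
}
```

Run it as `perl -T example.pl`, since a `-T` in the shebang alone is rejected with "Too late for -T" when the script is started via `perl example.pl`.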

