This queue is for tickets about the Crypt-CBC CPAN distribution.

Report information
The Basics
Id: 29646
Status: resolved
Priority: 0/
Queue: Crypt-CBC

People
Owner: Nobody in particular
Requestors: pauldoom [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 2.22
Fixed in: (no value)



Subject: Taint breakage when used with Crypt::Rijndael or Crypt::OpenSSL::AES
When used with taint enabled and with automatic salting (-salt = 1), the random bytes used for salt are not untainted. When later used as part of the real key, the SvPOK(key) call used in the .xs files for Crypt::Rijndael and Crypt::OpenSSL::AES returns false, resulting in this error (differs slightly between cipher modules):

"Key must be a scalar at /usr/lib/perl5/vendor_perl/5.8.8/Crypt/CBC.pm line 367"

Here is a one-liner to trigger the error (remove the -T flag to see it work correctly):

$ perl -Te 'use Crypt::CBC;$c=Crypt::CBC->new(-key=>"pw", -cipher=>"Rijndael", -header=>"salt"); print unpack("H*", $c->encrypt("test")), "\n";'

I suggest untainting $result in Crypt::CBC::_get_random_bytes(), as shown in the following diff. (This double checks the length, as well.)

--- CBC.pm.orig 2007-09-27 17:24:32.000000000 -0500 +++ CBC.pm 2007-09-27 17:31:15.000000000 -0500 @@ -422,7 +422,9 @@ } else { $result = pack("C*",map {rand(256)} 1..$length); } - $result; + # Clear taint and check length + $result =~ /^(.{$length})$/s or croak "Invalid length while gathering $length randim bytes"; + $result = $1; } sub _standard_padding ($$$) {
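Review bot: the length check in the added regex is not strict. Without /m, `$` also matches just before a trailing newline, so a $result of $length+1 bytes ending in "\n" passes and is silently truncated to $1; anchoring with \A and \z instead of ^ and $ makes the check exact. The croak message misspells "random" as "randim". The sub now returns its value implicitly through the final assignment `$result = $1;`, which an explicit `return $1;` would make easier to read.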
Patch is accepted and will appear in release 2.24. Thanks!
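The taint behaviour described in the report, as an added example that is not code from Crypt::CBC or from the ticket. The helper name `random_bytes_untainted` is hypothetical, and it assumes the random bytes come from a device file such as /dev/urandom on a Unix-like host, since data read from a file is tainted under -T. Run it with `perl -T`.

```perl
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(tainted);

# Hypothetical helper (not Crypt::CBC's own code): read $length bytes from a
# random device, then clear taint with a length-checked regex capture.
sub random_bytes_untainted {
    my ($length, $device) = @_;
    $device ||= '/dev/urandom';    # assumption: Unix-like host

    open(my $fh, '<:raw', $device) or croak "Cannot open $device: $!";
    my $got = read($fh, my $buf, $length);
    close $fh;
    croak "Short read from $device"
        unless defined $got && $got == $length;

    # Under -T, anything read from a file handle is tainted.
    my $was_tainted = tainted($buf) ? 1 : 0;

    # A capture group yields an untainted copy (unless "use re 'taint'"
    # is in effect). /s lets "." match "\n"; \A and \z make the length
    # check exact, with no allowance for a trailing newline.
    $buf =~ /\A(.{$length})\z/s
        or croak "Invalid length while gathering $length random bytes";
    my $clean = $1;

    return ($clean, $was_tainted);
}

my ($salt, $was_tainted) = random_bytes_untainted(8);

printf "taint mode:             %s\n", ${^TAINT}       ? 'on'  : 'off';
printf "tainted before capture: %s\n", $was_tainted    ? 'yes' : 'no';
printf "tainted after capture:  %s\n", tainted($salt)  ? 'yes' : 'no';
printf "salt length:            %d\n", length $salt;
```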

