Skip Menu |
 

This queue is for tickets about the File-NFSLock CPAN distribution.

Report information
The Basics
Id: 42122
Status: open
Worked: 1 hour (60 min)
Priority: 0/
Queue: File-NFSLock

People
Owner: Nobody in particular
Requestors: converter42 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.20
Fixed in:
  • 1.25
  • 1.26



Subject: Code for removal of stale locks causes exception in taint mode
Download (untitled) / with headers
text/plain 561b
Insecure dependency in truncate while running with -T switch at /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm line 215, <_FH> The taint violation stems from the use of the value returned by length($content) as the second argument to the truncate() function. $content is assigned from a readline() operation against a filehandle opened on the lock file. When taint mode is enabled the value returned by length($content) is tainted. The attached patch assigns the value returned by length($content) as a key in an anonymous hash in order to untaint the value.
Subject: File-NFSLock.patch
Download File-NFSLock.patch
text/x-diff 2.5k
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-03 16:48:45.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, length($len); close _FH; }else{ close _FH;
Sorry, my patch was broken. Fixed patch attached.
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-06 09:48:02.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; }else{ close _FH;
Download (untitled) / with headers
text/plain 193b
Missed another truncate call. I should probably read through this module and find any other potential use of tainted data. In the meantime, here's a patch that includes the other truncate call.
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-06 13:45:17.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; }else{ close _FH; @@ -411,10 +412,11 @@ } ### other shared locks exist - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ) { seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; ### only I exist
Download (untitled) / with headers
text/plain 174b
This issue seems plausible, but I'm having some trouble replicating it. Do you have any exploit code or proof of concept to demonstrate this insecure taint condition? -- Rob
Download (untitled) / with headers
text/plain 165b
I was unable to find any issues related to tainting, but I added some more taint tests to the suite in 1.25 to hopefully help expose any issues on various platforms.
I'm unable to see this issue anymore so I'm closing the ticket.
From: Terje Andersen <terje dot andersen plus cpan at gmail>
Download (untitled) / with headers
text/plain 1.3k
Hi There! I am experiencing this problem. I am using: - Scientific Linux CERN SLC release 6.6 (Red Hat Enterprise Linux 6) - Apache/2.2.15 - Perl 5.10.1 - File::NFSLock 1.28 from https://github.com/hookbot/File-NFSLock/blob/master/lib/File/NFSLock.pm How to reproduce it: 1) I have the following Apache configuration: Alias /locktest "/tmp/locktest" <Directory "/tmp/locktest"> Options ExecCGI SetHandler cgi-script </Directory> 2) /tmp/locktest/lock_important_file.pl which locks an existing file called "important_file", residing in the same folder: #!/usr/bin/perl -wT use warnings; use strict; use lib "/tmp/locktest"; use File::NFSLock; use Fcntl qw(LOCK_SH); print "Content-Type: text/html\n\n"; if (my $lock = new File::NFSLock { file => 'important_file', lock_type => LOCK_SH, }) { sleep 30; $lock->unlock(); } else { die $File::NFSLock::errstr; } 3) Open https://my-server.com/locktest/lock_important_file.pl in a new tab. 4) Close the the tab before the 30 seconds has passed, important_file.NFSLock is still there because of the unclean shutdown. 5) Open a new tab using the same URL. The error log will now contain: Insecure dependency in truncate while running with -T switch at /tmp/locktest/File/NFSLock.pm line 417, <$fh> line 2. \t(in cleanup) Insecure dependency in truncate while running with -T switch at /tmp/locktest/File/NFSLock.pm line 417, <$fh> line 2.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.