Skip Menu |
 
rt.cpan.org will be shut down on March 1st, 2021.

This queue is for tickets about the Net-SNMP CPAN distribution.

Report information
The Basics
Id: 82384
Status: stalled
Priority: 0/
Queue: Net-SNMP

People
Owner: Nobody in particular
Requestors: RCAPUTO [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: taint failure in Net::SNMP::Security::USM
Download (untitled) / with headers
text/plain 790b
key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497. One must attempt an AES128 session with a SNMP v3 host, as in this (with the particulars properly configured): #!perl -T use strict; use warnings; use Data::Dumper; use Net::SNMP qw(oid_lex_sort oid_base_match :snmp); my ($session, $error) = Net::SNMP->session( -authpassword => 'auth', -privpassword => 'priv', -username => 'user', -authprotocol => 'MD5', -retries => '2', -version => '3', -hostname => '10.0.0.2', -privprotocol => 'AES128', -nonblocking => '1', -port => '161', -timeout => '3' ); my $list = $session->var_bind_list(); snmp_dispatcher(); if ($session->error()) { print $session->error() . "\n"; } else { print "OK\n"; }
Download (untitled) / with headers
text/plain 254b
The error is actually silent until I put a "warh $@" just after the block eval{} in Net::SNMP::Dispatcher::_callback_execute(). With the warning, I get: key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497.
Download (untitled) / with headers
text/plain 915b
It looks like throughout Net::SNMP, _priv_key is only assigned in a few places in one file, Net::SNMP::Security::USM. All signs point to _password_localize() being the culprit. Every other assignment doesn't seem to introduce taint. Most of _password_localize() looks benign, and then there's the last line: return $digest->add($d . $this->{_engine_id} . $d)->digest(); It looks like the _engine_id member can become tainted from three sources. 1. A tainted value can be passed into the constructor. I'm okay with delegating untainting to the caller. We're not passing in anything, however. 2. A default $ENGINE_ID and _engine_id member are set in USM.pm at line 688. The data source is via hostname() and gethostbyname(), which are tainted. 3. The _engine_id member can also be set by _engine_id_discovery(), which gets the engine ID from a message. That's probably tainted. I hope this helps.
Download (untitled) / with headers
text/plain 215b
One can also see the tainting problem by enabling -debug: error: [664] Net::SNMP::Dispatcher::_callback_execute(): key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497.
Download (untitled) / with headers
text/plain 103b
This bug is blocking a product release at work. Is there anything I can do to expedite its resolution?
Download (untitled) / with headers
text/plain 212b
Marking as stalled, if RT will let me. It's been about 18 months since I reported the problem. Would a patch help? I have a patch at work. We use it to fix this issue whenever we set up another build machine.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.