Skip Menu |
 

This queue is for tickets about the Crypt-RSA CPAN distribution.

Report information
The Basics
Id: 83303
Status: open
Priority: 0/
Queue: Crypt-RSA

People
Owner: Nobody in particular
Requestors: mhasch-cpanbugs [...] cozap.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.99
Fixed in: (no value)

Attachments


Subject: [PATCH] insecure library usage in Crypt::RSA with FindBin
Download (untitled) / with headers
text/plain 537b
As of version 1.99, Crypt-RSA installs two library modules with insecure ``use lib'' statements. Effectively, some directory paths relative to the location of the calling script are included in @INC before other modules are loaded. This can make Crypt::RSA and other modules run code located near the calling script in place of code installed with the original libraries. This is hardly ever desirable. Using Crypt::RSA should not have this kind of side effect on @INC. I have added a patch fixing and testing this issue. -Martin
Subject: Crypt-RSA-1.99-MHASCH-01.patch
diff -Nrup Crypt-RSA-1.99.orig/lib/Crypt/RSA/Key/Private/SSH.pm Crypt-RSA-1.99/lib/Crypt/RSA/Key/Private/SSH.pm --- Crypt-RSA-1.99.orig/lib/Crypt/RSA/Key/Private/SSH.pm 2009-06-07 02:08:48.000000000 +0200 +++ Crypt-RSA-1.99/lib/Crypt/RSA/Key/Private/SSH.pm 2013-02-13 16:28:49.000000000 +0100 @@ -34,8 +34,6 @@ sub put_mp_int { package Crypt::RSA::Key::Private::SSH; -use FindBin qw($Bin); -use lib "$Bin/../../../../../lib"; use strict; use constant PRIVKEY_ID => "SSH PRIVATE KEY FILE FORMAT 1.1\n"; use vars qw( %CIPHERS ); diff -Nrup Crypt-RSA-1.99.orig/lib/Crypt/RSA.pm Crypt-RSA-1.99/lib/Crypt/RSA.pm --- Crypt-RSA-1.99.orig/lib/Crypt/RSA.pm 2009-06-07 02:16:43.000000000 +0200 +++ Crypt-RSA-1.99/lib/Crypt/RSA.pm 2013-02-13 16:28:21.000000000 +0100 @@ -10,8 +10,6 @@ ## $Id: RSA.pm,v 1.48 2001/09/25 12:44:55 vipul Exp $ package Crypt::RSA; -use FindBin qw($Bin); -use lib "$Bin/../../lib"; use strict; use base 'Class::Loader'; use base 'Crypt::RSA::Errorhandler'; diff -Nrup Crypt-RSA-1.99.orig/t/16-inc-safe.t Crypt-RSA-1.99/t/16-inc-safe.t --- Crypt-RSA-1.99.orig/t/16-inc-safe.t 1970-01-01 01:00:00.000000000 +0100 +++ Crypt-RSA-1.99/t/16-inc-safe.t 2013-02-13 16:39:18.000000000 +0100 @@ -0,0 +1,23 @@ +# Check if @INC is manipulated by certain library modules. + +# Author: Martin Becker, February 2013. +# This code is put into public domain. You can do with it what you like. + +BEGIN { + print "1..1\n"; + my @old_inc = @INC; + require Crypt::RSA; + require Crypt::RSA::Key::Private::SSH; + my $success = @old_inc == @INC; + if (!$success) { + print "# BEFORE:\n"; + foreach my $i (0 .. $#old_inc) { + print '# $INC[', $i, '] was ', $old_inc[$i], "\n"; + } + print "# AFTER:\n"; + foreach my $i (0 .. $#INC) { + print '# $INC[', $i, '] is ', $INC[$i], "\n"; + } + } + print $success? (): 'not ', "ok 1 - size of \@INC unchanged\n"; +}
Download (untitled) / with headers
text/plain 662b
On Wed Feb 13 11:49:22 2013, MHASCH wrote: Show quoted text
> As of version 1.99, Crypt-RSA installs two library modules > with insecure ``use lib'' statements. Effectively, some directory > paths relative to the location of the calling script are included in > @INC before other modules are loaded. This can make Crypt::RSA and > other modules run code located near the calling script in place of > code installed with the original libraries. This is hardly ever > desirable. Using Crypt::RSA should not have this kind of side effect > on @INC. > > I have added a patch fixing and testing this issue. > > -Martin >
This is fixed in Alt::Crypt::RSA::BigInt, by the way.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.