search

Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/
Other
1.99k stars 559 forks source link

Security issue in Pod::Perldoc #13368

Closed p5pRT closed 7 years ago

p5pRT commented 11 years ago

Migrated from rt.perl.org#120357 (status was 'resolved')

Searchable as RT120357$

p5pRT commented 11 years ago

From @Leont

On Thu\, Oct 24\, 2013 at 5​:31 PM\, Leon Timmermans \fawaka@​gmail\.com wrote​:

Hi all\,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in the current directory\, and if the argument is an existing module. If the argument is an URL\, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL mkdir -p lib/File echo 'die "Exploited!"' > lib/File/Temp.pm perldoc Scalar​::Util

This is a serious bug\, and user-assisted exploits are trivial to write.

Actually\, it turns out that any of these module would do the trick​:

File​::Temp Cwd File​::Path IO​::Seekable IO​::Handle Symbol SelectSaver IO Errno Scalar​::Util List​::Util Carp​::Heavy Exporter​::Heavy IPC​::Open3

Leon

p5pRT commented 11 years ago

From @kentfredric

On 25 October 2013 04​:31\, Leon Timmermans \fawaka@​gmail\.com wrote​:

This is a serious bug\, and user-assisted exploits are trivial to write.

Not to mention\, it would appear to be an entirely unrequired security hole.

It occurs because the code in question modifies @​INC blindly to include lib/ \, blib/ and '.' \, without user interaction.

However\, this change is not required to load documentation from the current directory\, as the documentation is *NOT* loaded using *require* \, and @​INC is later simply inserted into the search routine.

Attached is a patch which removes modification of @​INC\, and retains the behaviour with regard to finding documentation\, which eliminates this specific security hole.

-- Kent

p5pRT commented 11 years ago

From @kentfredric

perldoc.patch ```diff diff --git a/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm b/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm index 9cdee80..8519680 100644 --- a/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm +++ b/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm @@ -441,6 +441,7 @@ sub init { $self->{'pagers' } = [@Pagers] unless exists $self->{'pagers'}; $self->{'bindir' } = $Bindir unless exists $self->{'bindir'}; $self->{'pod2man'} = $Pod2man unless exists $self->{'pod2man'}; + $self->{'search_path'} = [ ] unless exists $self->{'search_path'}; push @{ $self->{'formatter_switches'} = [] }, ( # Yeah, we could use a hashref, but maybe there's some class where options @@ -529,7 +530,7 @@ sub process { $self->find_good_formatter_class(); $self->formatter_sanity_check(); - $self->maybe_diddle_INC(); + $self->maybe_extend_searchpath(); # for when we're apparently in a module or extension directory my @found = $self->grand_search_init(\@pages); @@ -858,7 +859,7 @@ sub grand_search_init { # We must look both in @INC for library modules and in $bindir # for executables, like h2xs or perldoc itself. - push @searchdirs, ($self->{'bindir'}, @INC); + push @searchdirs, ($self->{'bindir'}, @{$self->{search_path}}, @INC); unless ($self->opt_m) { if ($self->is_vms) { my($i,$trn); @@ -1648,19 +1649,18 @@ sub containspod { #.......................................................................... -sub maybe_diddle_INC { +sub maybe_extend_searchpath { my $self = shift; # Does this look like a module or extension directory? if (-f "Makefile.PL" || -f "Build.PL") { - # Add "." and "lib" to @INC (if they exist) - eval q{ use lib qw(. lib); 1; } or $self->die; + push @{$self->{search_path} }, '.','lib'; # don't add if superuser if ($< && $> && -d "blib") { # don't be looking too hard now! - eval q{ use blib; 1 }; + push @{ $self->{search_path} }, 'blib'; $self->warn( $@ ) if $@ && $self->opt_D; } } ```
p5pRT commented 11 years ago

From @Leont

Hi all\,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in the current directory\, and if the argument is an existing module. If the argument is an URL\, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL mkdir -p lib/File echo 'die "Exploited!"' > lib/File/Temp.pm perldoc Scalar​::Util

This is a serious bug\, and user-assisted exploits are trivial to write.

Leon

p5pRT commented 11 years ago

From @tonycoz

On Thu Oct 24 13​:14​:38 2013\, LeonT wrote​:

Hi all\,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in the current directory\, and if the argument is an existing module. If the argument is an URL\, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL mkdir -p lib/File echo 'die "Exploited!"' > lib/File/Temp.pm perldoc Scalar​::Util

This is a serious bug\, and user-assisted exploits are trivial to write.

This thread ended up as three tickets\, which I've merged.

Hopefully forwarding to the security list is fixed too\, which this reply should test.

Tony

p5pRT commented 11 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 11 years ago

From @iabyn

On Thu\, Oct 24\, 2013 at 5​:31 PM\, Leon Timmermans \fawaka@&#8203;gmail\.com wrote​:

Perldoc may load File​::Temp [and several others] from lib/ iff Makefile.PL or Build.PL exist in the current directory

Proof​:

$ touch Makefile.PL $ mkdir -p lib/File $ echo 'die "Exploited!"' > lib/File/Temp.pm $ perldoc Scalar​::Util Exploited! at lib/File/Temp.pm line 1.

This is a serious bug\, and user-assisted exploits are trivial to write.

This ticket and it its follow-ups never made it to the perl5-security-report list\, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package? i.e is there anything the porters need to do right now apart from pull in a new patch or release from CPAN when it becomes available? Then we need to decide whether to backport it\, make maint security releases\, CVEs etc.

Discuss...

-- The warp engines start playing up a bit\, but seem to sort themselves out after a while without any intervention from boy genius Wesley Crusher.   -- Things That Never Happen in "Star Trek" #17

p5pRT commented 11 years ago

From @iabyn

On Wed\, Oct 30\, 2013 at 11​:10​:19AM +0000\, Dave Mitchell wrote​:

This ticket and it its follow-ups never made it to the perl5-security-report list\, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package? i.e is there anything the porters need to do right now apart from pull in a new patch or release from CPAN when it becomes available? Then we need to decide whether to backport it\, make maint security releases\, CVEs etc.

Discuss...

This apparently never made it to the list either. Resending as a test.

-- "Strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses\, not from some farcical aquatic ceremony."   -- Dennis\, "Monty Python and the Holy Grail"

p5pRT commented 11 years ago

From @Leont

On Wed\, Oct 30\, 2013 at 12​:10 PM\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

This ticket and it its follow-ups never made it to the perl5-security-report list\, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package? i.e is there anything the porters need to do right now apart from pull in a new patch or release from CPAN when it becomes available? Then we need to decide whether to backport it\, make maint security releases\, CVEs etc.

Discuss...

I think it should be primarily handled by the maintainer\, I haven't heard from him at all though.

I do think it ought to be backported\, but it probably doesn't warrant an immediate maintenance security release.

I guess it needs a CVE (that bar seems to be set pretty low nowadays)\, I'm going to look into that.

Leon

p5pRT commented 11 years ago

From @mrallen1

First\, I am sorry I was dark - I had a problem in my email filtering rules which didn't surface this email thread until Leon pinged me on Twitter.  This filter problem should be resolved now.

Second\, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine)\, I will release 3.21.

Thank you for your help in resolving this problem.

Mark Allen

On Wednesday\, November 6\, 2013 7​:15 AM\, Leon Timmermans \fawaka@&#8203;gmail\.com wrote​:

On Wed\, Oct 30\, 2013 at 12​:10 PM\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

This ticket and it its follow-ups never made it to the

perl5-security-report list\, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package? i.e is there anything the porters need to do right now apart from pull in a new patch or release from CPAN when it becomes available? Then we need to decide whether to backport it\, make maint security releases\, CVEs etc.

Discuss...

I think it should be primarily handled by the maintainer\, I haven't heard from him at all though.

I do think it ought to be backported\, but it probably doesn't warrant an immediate maintenance security release.

I guess it needs a CVE (that bar seems to be set pretty low nowadays)\, I'm going to look into that.

Leon

p5pRT commented 10 years ago

From @iabyn

On Tue\, Nov 19\, 2013 at 09​:21​:37AM -0800\, Mark Allen wrote​:

Second\, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine)\, I will release 3.21.

I can confirm it fixes the issue.

-- The Enterprise's efficient long-range scanners detect a temporal vortex distortion in good time\, allowing it to be safely avoided via a minor course correction.   -- Things That Never Happen in "Star Trek" #21

p5pRT commented 10 years ago

From @mrallen1

I will prepare a CPAN release in a few days including this patch and a couple others that have come in.

Thanks.

On Monday\, December 30\, 2013 5​:45 AM\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

On Tue\, Nov 19\, 2013 at 09​:21​:37AM -0800\, Mark Allen wrote​:

Second\, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine)\, I will release 3.21.

I can confirm it fixes the issue.

-- The Enterprise's efficient long-range scanners detect a temporal vortex distortion in good time\, allowing it to be safely avoided via a minor course correction.     -- Things That Never Happen in "Star Trek" #21

p5pRT commented 10 years ago

From @mrallen1

Just to close the loop on this - I released Pod-Perldoc 3.21 to CPAN a couple days ago.  This is a version I propose be included in blead.  I have several other RT tickets to close on this distribution and hope to have them done by the end of January.

Thanks.

On Friday\, January 3\, 2014 10​:15 AM\, Mark Allen \mrallen1@&#8203;yahoo\.com wrote​:

I will prepare a CPAN release in a few days including this patch and a couple others that have come in.

Thanks.

On Monday\, December 30\, 2013 5​:45 AM\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

On Tue\, Nov 19\, 2013 at 09​:21​:37AM -0800\, Mark Allen wrote​:

Second\, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine)\, I will release 3.21.

I can confirm it fixes the issue.

-- The Enterprise's efficient long-range scanners detect a temporal vortex distortion in good time\, allowing it to be safely avoided via a minor course correction.     -- Things That Never Happen in "Star Trek" #21

p5pRT commented 10 years ago

From @iabyn

On Wed\, Jan 08\, 2014 at 09​:55​:36AM -0800\, Mark Allen wrote​:

Just to close the loop on this - I released Pod-Perldoc 3.21 to CPAN a couple days ago.  This is a version I propose be included in blead.  I have several other RT tickets to close on this distribution and hope to have them done by the end of January.

This version was pulled into blead on monday\, so the loop is closed\, thanks!

-- I thought I was wrong once\, but I was mistaken.

p5pRT commented 10 years ago

From @kentfredric

On 9 January 2014 07​:17\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

This version was pulled into blead on monday\, so the loop is closed\, thanks!

Are security fixes usually candidates for stable releases? ie​: should this be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a formal security risk they want to update to avoid. ( aka​: CVE's and shit )

-- Kent

p5pRT commented 9 years ago

From @Leont

On Mon Jan 13 16​:31​:11 2014\, kentfredric@​gmail.com wrote​:

On 9 January 2014 07​:17\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

This version was pulled into blead on monday\, so the loop is closed\, thanks!

Are security fixes usually candidates for stable releases? ie​: should this be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a formal security risk they want to update to avoid. ( aka​: CVE's and shit )

And the crickets had the field for a year. It seems this got reported for a second time as #123647.

I suspect a CVE is still warranted. Should I do that? The whole process is rather fuzzy to me.

p5pRT commented 9 years ago

From @tonycoz

On Wed\, Jan 28\, 2015 at 10​:49​:54AM -0800\, Leon Timmermans via RT wrote​:

On Mon Jan 13 16​:31​:11 2014\, kentfredric@​gmail.com wrote​:

On 9 January 2014 07​:17\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

This version was pulled into blead on monday\, so the loop is closed\, thanks!

Are security fixes usually candidates for stable releases? ie​: should this be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a formal security risk they want to update to avoid. ( aka​: CVE's and shit )

And the crickets had the field for a year. It seems this got reported for a second time as #123647.

I suspect a CVE is still warranted. Should I do that? The whole process is rather fuzzy to me.

If the issue isn't public yet\, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list\, 2 week embargo process)

- cve-assign@​mitre.org

I've used the last before\, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

Tony

p5pRT commented 9 years ago

From @kentfredric

On 29 January 2015 at 11​:46\, Tony Cook via RT \< perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet\, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list\, 2 week embargo process)

- cve-assign@​mitre.org

I've used the last before\, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll copy-paste it in or something.

-- Kent

*KENTNL* - https://metacpan.org/author/KENTNL

p5pRT commented 7 years ago

From @iabyn

On Thu\, Jan 29\, 2015 at 12​:44​:30PM +1300\, Kent Fredric wrote​:

On 29 January 2015 at 11​:46\, Tony Cook via RT \< perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet\, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list\, 2 week embargo process)

- cve-assign@​mitre.org

I've used the last before\, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll copy-paste it in or something.

This security ticket is still open and un-replied-to for 2+ years. The fix is in the 5.20.0 release and onwards\, and I think we've missed the boat by now for any advisory-type action\, so I suggest this ticket should be closed and moved to the public queue.

-- The Enterprise is involved in a bizarre time-warp experience which is in some way unconnected with the Late 20th Century.   -- Things That Never Happen in "Star Trek" #14

p5pRT commented 7 years ago

From @xsawyerx

Makes sense.

On Thu\, Feb 2\, 2017 at 1​:29 PM\, Dave Mitchell \davem@&#8203;iabyn\.com wrote​:

On Thu\, Jan 29\, 2015 at 12​:44​:30PM +1300\, Kent Fredric wrote​:

On 29 January 2015 at 11​:46\, Tony Cook via RT \< perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet\, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list\, 2 week embargo process)

- cve-assign@​mitre.org

I've used the last before\, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll copy-paste it in or something.

This security ticket is still open and un-replied-to for 2+ years. The fix is in the 5.20.0 release and onwards\, and I think we've missed the boat by now for any advisory-type action\, so I suggest this ticket should be closed and moved to the public queue.

-- The Enterprise is involved in a bizarre time-warp experience which is in some way unconnected with the Late 20th Century. -- Things That Never Happen in "Star Trek" #14

p5pRT commented 7 years ago

@iabyn - Status changed from 'open' to 'resolved'