croak: CWE-134: Use of Externally-Controlled Format String #16108
Comments
From @pali
Hi!

In perl blead there are at least 3 places where arbitrary string

One is in eval_pv() implementation from cpan/Devel-PPPort/parts/inc/call

Probably there are also other places, but I have not looked deeply.

In all three places the printf-style format argument is taken from ERRSV, $@

Malicious remote system via specially crafted error message then can
From @tonycoz
On Thu, 10 Aug 2017 05:14:10 -0700, pali@cpan.org wrote:
Found this one. I believe this should be reported upstream.
I couldn't find this. Socket.xs defines a bad croak_sv() macro but doesn't use it. Can you point me at the line? In any case, it should be reported upstream.
Found this one. This in itself isn't a security issue, but it should be fixed.
If you find any others, please let us know.

Tony

The RT System itself - Status changed from 'new' to 'open'
From @pali
Hi!

On Wednesday 16 August 2017 17:41:36 Tony Cook via RT wrote:
I already did it a few months ago, but nothing happened. Report was fully

Right, it is the wrong croak_sv(). Even if it is not used, it is a problem

Ok, I will try, but after Devel-PPPort I'm sceptical about reporting it.

As this provides basically a fully working example program which is going

So it should be fixed and possibly in some announcement should be

Probably the best would be if you define croak_sv, warn_sv and other
From @pali
On Thursday 17 August 2017 09:19:09 pali@cpan.org wrote:

PING! What is the state of this issue? When will it be fixed in perl itself?
From @tonycoz
On Wed, 11 Oct 2017 05:39:01 -0700, pali@cpan.org wrote:

Is the attached something like what you're looking for as a change?

Tony
From @tonycoz
0001-perl-131878-don-t-call-croak-with-a-potential-format.patch

From 323c22704dbc842cb967d875e41090b3606064b3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 12 Oct 2017 14:51:23 +1100
Subject: (perl #131878) don't call croak() with a potential format string
---
pod/perldelta.pod | 12 ++++++++++--
pod/perlembed.pod | 2 +-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index c0beb06..fbab8ef 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -165,13 +165,21 @@ section.
Additionally, the following selected changes have been made:
-=head3 L<XXX>
+=head3 L<perlembed>
=over 4
=item *
-XXX Description of the change here
+An example in L<perlembed> used the string value of C<ERRSV> as a
+format string when calling croak(). If that string contains format
+codes such as C<%s> this could crash the program.
+
+This has been changed to a call to croak_sv().
+
+An alternative could have been to supply a trivial format string:
+
+ croak("%s", SvPV_nolen(ERRSV));
=back
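Review bot: the entry offers croak("%s", SvPV_nolen(ERRSV)) as an alternative without saying how it differs from the croak_sv() call the patch actually uses: croak_sv(ERRSV) rethrows the SV itself, so an exception object sitting in $@ survives, whereas the "%s" form stringifies it first. One sentence on that trade-off would stop readers from treating the two as interchangeable. The reply further down this thread also asks for croak(NULL) to be listed, and since that is the third documented way to die with ERRSV, adding it here would make the entry complete.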
diff --git a/pod/perlembed.pod b/pod/perlembed.pod
index 70f8e0d..91759a3 100644
--- a/pod/perlembed.pod
+++ b/pod/perlembed.pod
@@ -429,7 +429,7 @@ been wrapped here):
PUTBACK;
if (croak_on_error && SvTRUE(ERRSV))
- croak(SvPVx_nolen(ERRSV));
+ croak_sv(ERRSV);
return retval;
}
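Review bot: the hunk fixes the example line but leaves the surrounding pod silent on why croak(SvPVx_nolen(ERRSV)) was wrong, and this snippet is exactly the kind of code that gets copied into real embedding code (the report traces the same pattern to eval_pv() in Devel-PPPort). Add a sentence next to the snippet stating that ERRSV must never be passed as croak()'s format argument, because any % directive in $@ is interpreted, and that croak_sv(ERRSV) or croak("%s", SvPV_nolen(ERRSV)) is the correct form, so readers who copied the old version know to change theirs.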
--
2.1.4
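Added example, not code from the perl source or from the patch above: a stand-alone C program that uses a printf-style stand-in for croak(), called mock_croak() here, to contrast the pattern this report describes (the text of ERRSV passed as croak()'s format argument) with the croak("%s", ...) form from the perldelta note, plus a small audit helper that flags strings unsafe to use as a format. mock_croak(), croak_on_error_unsafe(), croak_on_error_safe() and has_format_directive() are hypothetical names for this illustration, and the $@ strings are constructed. The unsafe path is only exercised with a string whose sole directive is a harmless "%%", because any real conversion reads (and "%n" writes) through varargs that were never supplied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Perl's croak(): formats printf-style into a static
 * buffer and returns it. The real croak() never returns; returning
 * the formatted text here makes the effect of the format step visible. */
static const char *mock_croak(const char *fmt, ...)
{
    static char buf[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return buf;
}

/* The pattern from the report: the error text in ERRSV ($@) is passed
 * as croak()'s *format* argument. Every '%' directive in it is then
 * interpreted against varargs that were never supplied: "%s" reads a
 * bogus pointer, "%n" writes through one. Only "%%" is harmless, and
 * even that is silently rewritten. Kept for contrast only; never call
 * this with untrusted input. */
static const char *croak_on_error_unsafe(const char *errsv)
{
    return mock_croak(errsv);
}

/* The trivial-format alternative from the perldelta note: the error
 * text is a plain argument and reaches the user byte for byte. */
static const char *croak_on_error_safe(const char *errsv)
{
    return mock_croak("%s", errsv);
}

/* Audit helper: 1 if s contains a conversion directive (a '%' that is
 * not part of "%%"), meaning it must never be used as a format string.
 * Useful when checking strings that end up in $@ from remote systems. */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal percent, skip both characters */
            s++;
            continue;
        }
        return 1;               /* a real directive follows the '%' */
    }
    return 0;
}

int main(void)
{
    /* Constructed $@ values; the second is what a hostile peer might send. */
    const char *benign  = "Can't locate Foo.pm in @INC at -e line 1.\n";
    const char *hostile = "remote said: 100%% done, %s%s%s%n\n";

    printf("benign has directive:  %d\n", has_format_directive(benign));   /* 0 */
    printf("hostile has directive: %d\n", has_format_directive(hostile));  /* 1 */

    /* The safe form passes the hostile text through untouched. */
    printf("safe:   %s", croak_on_error_safe(hostile));

    /* The unsafe form, exercised only with the harmless "%%" case: the
     * text is altered even though nothing crashes here. */
    printf("unsafe: %s\n", croak_on_error_unsafe("disk 100%% full"));
    return 0;
}
```

Compile with `cc -Wall -Wformat-security example.c`; gcc and clang only flag the non-literal format when the callee carries a `format` attribute, which is why croak() in the Perl headers gets a warning for the old perlembed line while a hand-written wrapper like mock_croak() does not, so the audit helper is there to catch the case the compiler cannot.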
From @pali
On Wednesday 11 October 2017 20:52:15 Tony Cook via RT wrote:

Yes. Removing all vulnerable chunks from both the documentation and perl

Or in case ERRSV needs to be passed into croak, then croak(NULL) can be
From @tonycoz
On Thu, 12 Oct 2017 00:58:18 -0700, pali@cpan.org wrote:

I've applied my patch with an added mention of croak(NULL) in perldelta as 8e14f28. I've moved this ticket to the public queue.

Tony

@tonycoz - Status changed from 'open' to 'pending release'
From @pali
On Thursday 17 August 2017 09:19:09 pali@cpan.org wrote:

Devel::PPPort was moved from cpan/ to dist/ and this problem was fixed in perl commit:

From @khwilliamson
Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been

Perl 5.28.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#131878 (status was 'resolved')
Searchable as RT131878$