develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
From:
Dennis Kaarsemaker
Date:
October 1, 2012 18:32
Subject:
Re: Security Issues in perl-5.16.x
Message ID:
1349141545.11845.27.camel@localhost
On ma, 2012-10-01 at 14:43 -0500, Reini Urban wrote:

> Wrong, the security folks failed to understand the issues. And p5p
> ditto. There is no remaining burden of proof on me. 

There still is. Log excerpts from #php this evening, hopefully to clear
up some points. It explained the issue to me:

<rurban> \0 are now allowed in names in the middle
<rurban> hek's cannot be tainted. the vm needs to catch \0 in the middle.
<rurban> package names are stored in HEKs thus not taintable.
<rurban> and it's a completety new attack vector
<TonyC> rurban: why are NULs special?  it's possible to write shellcode without NULs
<rurban> the problem with \0 is that it goes undetected. because perl does not know about it. require just does not look past the \0, neither any other syscall.
<sorear> rurban: why does it matter whether a place to hide shellcode is taintable?  No processor I've ever seen checks Perl's taint bits before jumping to an address
<Seveas> rurban, so all this \0 malarkey does is giving you a place to hide things? not a way of using or executing it?
<Seveas> I still fail to see the security issue
<rurban> Seveas: yes

So, while it could be argued that allowing \0's in (package) names is
wrong, there is no proof of a security issue. Only of the absence
thereof. And a buch of insults, which I didn't include.

-- 
Dennis Kaarsemaker, Systems Architect
Booking.com
Herengracht 597, 1017 CE Amsterdam
Tel external +31 (0) 20 715 3409
Tel internal (7207) 3409


Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About