perl.perl5.porters: Postings from May 2013

Re: Safe 2.35 localizing %SIG

From: Rafael Garcia-Suarez
Date: May 22, 2013 09:48
Subject: Re: Safe 2.35 localizing %SIG
Message ID: CAMoYMM8iSGG-Aask1rPsBprvyN+yD3mmxZUv8Q8U=BtsCRQTuQ@mail.gmail.com

On 22 May 2013 01:15, David Cantrell <david@cantrell.org.uk> wrote:
> I've been bitten by the localizing of %SIG in the latest Safe.pm.  I'm
> using a SIG ALRM to have execution of the Safe compartment time out:
>   https://metacpan.org/source/DCANTRELL/CPAN-ParseDistribution-1.4/lib/CPAN/ParseDistribution.pm#L186
>
> and this no longer works.  I can see why locally undefing %SIG is probably a
> good idea, but it would be Really Good if there was a way of controlling
> this so that I could specify that I want to be able to handle particular
> signals.

I have a working exploit against earlier safes that uses SIGCHLD to
execute untrusted code, but it can be adapted to use any other signal.
I can send it to you if you're interested.

> Other things: the documentation still warns about the risks of signals,
> without making clear what's going to happen; localizing $SIG and @SIG as
> well as %SIG is probably not what was intended; and finally, can anyone
> think of a clean, simple alternative that I can use for timing out a Safe
> compartment?

I localized *SIG to remove all magic from it. Localizing %SIG is not
enough (it does not fix the vulnerability).
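
One fork-based way to time out a Safe compartment that does not depend on what reval does with %SIG: the deadline is enforced by the parent process, whose $SIG{ALRM} is untouched by Safe's localisation, and the child running the compartment is killed with SIGKILL. This is an added example, not code from the thread or from Safe.pm; the function name, the pipe protocol and the demo inputs are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use Errno qw(EINTR);
use POSIX ();

# Evaluate $code in a Safe compartment inside a forked child, allowing it at
# most $timeout seconds. Returns ('ok', $result), ('error', $message) or
# ('timeout', undef). Only the parent's %SIG is used for the deadline.
sub run_safe_with_timeout {
    my ($code, $timeout) = @_;

    pipe(my $reader, my $writer) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: run the compartment and report the outcome over the pipe.
        close $reader;
        my $safe   = Safe->new;
        my $result = $safe->reval($code);
        print {$writer} ($@ ? "ERR:$@" : 'OK:' . (defined $result ? $result : ''));
        close $writer;
        POSIX::_exit(0);    # skip END blocks and destructors inherited from the parent
    }

    # Parent: read until EOF, but give up after $timeout seconds.
    close $writer;
    my $buf = '';
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };   # outside any Safe call
        alarm($timeout);
        while (1) {
            my $n = sysread($reader, $buf, 65536, length $buf);
            if (!defined $n) { next if $! == EINTR; die "read: $!\n" }
            last if $n == 0;
        }
        1;
    };
    alarm(0);
    close $reader;
    if (!$ok) {
        kill 'KILL', $pid;    # the compartment cannot trap or block SIGKILL
        waitpid($pid, 0);
        return ('timeout', undef) if $@ eq "timeout\n";
        die $@;
    }
    waitpid($pid, 0);
    return $buf =~ /^OK:(.*)\z/s ? ('ok', $1) : ('error', substr($buf, 4));
}

# Demo (constructed inputs): a well-behaved compartment, then one that never returns.
my ($status, $value) = run_safe_with_timeout('2 + 3', 2);
print "$status: $value\n";
($status, $value) = run_safe_with_timeout('1 while 1', 2);
print "$status\n";
```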
