Hello team,
The issues related to Win32API::File modules as below:
Win32API::File
Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266)
CWE: 266
API: Missing Setuid
Caller:
src\perl32\lib\Win32API\File.pm at line 321 call open( $fh,
$pref."&=".(0+$fd)
src\perl32\lib\Win32API\File.pm at line 571 call >open(@_)
src\perl64\lib\Win32API\File.pm at line 321 call open( $fh,
$pref."&=".(0+$fd)
src\perl64\lib\Win32API\File.pm at line 571 call >open(@_)
src\perl32\lib\Win32API\File.pm at line 678 call >WRITE($buf,
length($buf)
src\perl64\lib\Win32API\File.pm at line 678 call >WRITE($buf,
length($buf)
Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass,
CWE-288)
CWE: 288
API: File Open Mode Is User Modifiable
Caller:
src\perl32\lib\Win32API\File.pm at line 321 call open( $fh,
$pref."&=".(0+$fd)
src\perl32\lib\Win32API\File.pm at line 571 call >open(@_)
src\perl64\lib\Win32API\File.pm at line 321 call open( $fh,
$pref."&=".(0+$fd)
src\perl64\lib\Win32API\File.pm at line 571 call >open(@_)
I recieved an email from Net::SSLeay modules bug team, it seems those
issues can be identified as false positives in the code analyser.
These appear to be false positives in the code analyser you're using: the
use of select(), write() and close() in Net::SSLeay::Handle doesn't
present a privilege escalation risk. It should be safe to ignore these
warnings.
Is it same for Win32API::File modules, can we identify them as false
positives ? Thanks in advance !
Best Regards,
Jun Hua Bie
Senior IT Specialist
Global Technical Service
IBM Service
Mobile: +86-138-2370-2390
mailto:biejunh@cn.ibm.com
From: "Martin McGrath via RT" <bug-Win32API-File@rt.cpan.org>
To: biejunh@cn.ibm.com
Date: 10/12/2019 06:09 PM
Subject: [EXTERNAL] [rt.cpan.org #130693] security vulnerabilities
discovered on Win32API::File modules
<URL:
https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130693&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=JToT6u8s5fQWWH6hecx_zNQOL8eEm-TkOprgQd7KBm4&s=kyeiGZfrUPqFSLBK4CCtbvkkdKdeA-pf35TJ-fqZkBI&e=
Show quoted text >
On Sat Oct 12 08:30:29 2019, biejunh@cn.ibm.com wrote:
Show quoted text> Hello Win32API-File bug team,
>
> We are using Strawberry Perl 5.30.0.1 and some Perl modules on our
> application, according to company's security policy, we ran static code
Show quoted text> scanning for these open source code, but some security vulnerabilities
are
Show quoted text> discovered during scanning.
> Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266)
> CWE: 266
> API: Missing Setuid
> Caller:
> src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close
> ($_)
> src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write
> (triggered when nothing was read I<OR> written)
> src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read
> (triggered when nothing was read)
> src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read
(and
Show quoted text> buffer)
> src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read
> ($self->{tls})
> src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close
> ($_)
> src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close
> ($_)
> src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write
> (triggered when nothing was read I<OR> written)
> src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read
> (triggered when nothing was read)
> src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write
> ($self->{tls}, $self->{_tls_wbuf})
> src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read
(and
Show quoted text> buffer)
> src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read
> ($self->{tls})
> src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close
> ($_)
> src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close
> ($_)
> src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close
> ($_)
> src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write
> ($self->{tls}, $self->{_tls_wbuf})
>
> For the details, please refer to following reporting:
>
>
>
> Do you have any solution to fix these security issues ? It is very
> urgent for us to fix these issues for our project, could you take it as
Show quoted text> high priority ?
> Thanks in advance !
>
> Best Regards,
> Jun Hua Bie
> Senior IT Specialist
> Global Technical Service
> IBM Service
> Mobile: +86-138-2370-2390
> mailto:biejunh@cn.ibm.com
>
This is the Win32API::File queue, and you've reported issues with
Anyevent.
Also note that the Anyevent author doesn't use rt as a bug tracker:
https://urldefense.proofpoint.com/v2/url?u=https-3A__metacpan.org_pod_AnyEvent-23SUPPORT&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=JToT6u8s5fQWWH6hecx_zNQOL8eEm-TkOprgQd7KBm4&s=TxCrtqvjFkq8K12MN9o8WIwKemCJsYQFgTDv_ihoA6Y&e=
https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D124723-23txn-2D1775673&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=JToT6u8s5fQWWH6hecx_zNQOL8eEm-TkOprgQd7KBm4&s=SzSSlaEUNo3lLzufUB_L5eSeYhHabSxB3ff9vmSVE6g&e=
Context:
https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130688&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=JToT6u8s5fQWWH6hecx_zNQOL8eEm-TkOprgQd7KBm4&s=bwDjB4VREKMU5eEoxadaoFHjFGYH-ivZJofn6pxYVj4&e=
