
This queue is for tickets about the File-NFSLock CPAN distribution.

Report information
The Basics
Id: 42122
Status: open
Worked: 1 hour (60 min)
Priority: 0/
Queue: File-NFSLock

People
Owner: Nobody in particular
Requestors: converter42 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.20
Fixed in:
  • 1.25
  • 1.26



Subject: Code for removal of stale locks causes exception in taint mode
Insecure dependency in truncate while running with -T switch at /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm line 215, <_FH>

The taint violation stems from the use of the value returned by length($content) as the second argument to the truncate() function. $content is assigned from a readline() operation against a filehandle opened on the lock file. When taint mode is enabled the value returned by length($content) is tainted. The attached patch assigns the value returned by length($content) as a key in an anonymous hash in order to untaint the value.
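The mechanism described above, as an added stand-alone example (not File::NFSLock's own code): the lock-file content is constructed here rather than read from a real lock file, and is marked tainted by appending an empty substring of $ENV{PATH}, which is always tainted under -T. The script shows that length() of that string is itself tainted, that truncate() refuses the tainted count, and the two ways of untainting it: the hash-key trick from the attached patch and the regex capture that perlsec recommends. Scalar::Util and File::Temp are core modules; nothing else is assumed.

```perl
#!/usr/bin/perl -T
# Added example, not part of File::NFSLock. Run with:  perl -T taint_length.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempfile);

# Constructed lock-file content (hypothetical host and pids). Appending an
# empty substring of $ENV{PATH}, which is tainted under -T, marks the whole
# string tainted, the same state readline() on the lock file leaves it in.
my $content = "12345 example.host.invalid 99 1\n" . substr($ENV{PATH}, 0, 0);
die "expected tainted input" unless tainted($content);

# Taint propagates through length(): a byte count derived from tainted data
# is tainted too, and that is what truncate() objects to.
my $raw_len = length($content);
printf "length(\$content) tainted: %s\n", tainted($raw_len) ? "yes" : "no";

my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $content;

# Reproduce the failure: truncate with the tainted count dies with
# "Insecure dependency in truncate while running with -T switch".
eval { truncate $fh, $raw_len or die "truncate failed: $!\n"; 1 }
    or print "truncate with tainted length died: $@";

# Untaint 1: the hash-key trick used in the patch on this ticket. Hash keys
# are stored as plain strings and never carry the taint flag. Giving the key
# a value avoids the "Odd number of elements in anonymous hash" warning.
my ($key_len) = keys %{ +{ $raw_len => 1 } };

# Untaint 2: a regex capture, the idiom perlsec documents. It also states the
# shape the value must have (digits only), which is why it is preferable.
my ($re_len) = $raw_len =~ /\A(\d+)\z/
    or die "length is not a plain integer";

# Both untainted counts are accepted by truncate().
for my $len ($key_len, $re_len) {
    printf "untainted length %d tainted: %s\n", $len, tainted($len) ? "yes" : "no";
    truncate $fh, $len or die "truncate failed: $!\n";
}
close $fh or die "close: $!";
```

The -T on the shebang only takes effect if perl is also started with -T (otherwise it stops with "Too late for -T"), which is why the run line is given in the comment; this is the same reason the CGI reproduction later in the ticket uses `#!/usr/bin/perl -wT`.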
Subject: File-NFSLock.patch
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-03 16:48:45.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, length($len); close _FH; }else{ close _FH;
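Review bot: `truncate _FH, length($len);` truncates the lock file to the number of digits in `$len` (one or two bytes) instead of to the length of `$content`; `$len` already holds the untainted byte count, so the call should be `truncate _FH, $len;`. Separately, `+{length($content)}` builds an anonymous hash from a single element and warns "Odd number of elements in anonymous hash" under `use warnings`; `+{ length($content) => 1 }` avoids that, and the comment should say the trick works because hash keys are stored untainted.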
Sorry, my patch was broken. Fixed patch attached.
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-06 09:48:02.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; }else{ close _FH;
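Review bot: this hunk only covers the truncate in the stale-lock cleanup near line 209; the shared-lock release path (the `### other shared locks exist` block, around line 411 in the later revision of this patch) has the same `truncate _FH, length($content);` and will still die with the same taint error on unlock, so the `$len` untaint needs to be applied there as well.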
Missed another truncate call. I should probably read through this module and find any other potential use of tainted data. In the meantime, here's a patch that includes the other truncate call.
--- /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm.orig 2009-01-03 16:46:23.000000000 -0800 +++ /usr/lib/perl5/vendor_perl/5.8.4/File/NFSLock.pm 2009-01-06 13:45:17.000000000 -0800 @@ -209,10 +209,11 @@ } ### Save any valid locks or wipe file. - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ){ seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; }else{ close _FH; @@ -411,10 +412,11 @@ } ### other shared locks exist - if( length($content) ){ + my ($len) = keys %{+{length($content)}}; # untaint length() return value + if( $len ) { seek _FH, 0, 0; print _FH $content; - truncate _FH, length($content); + truncate _FH, $len; close _FH; ### only I exist
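Review bot: the two hunks differ only in brace spacing (`if( $len ){` in the first, `if( $len ) {` in the second); match the file's existing style in both. The hash-key untaint also still warns under `use warnings` ("Odd number of elements in anonymous hash") because the anonymous hash has a single element; `my ($len) = length($content) =~ /^(\d+)$/;` untaints the count just as well, without the warning, and reads as an explicit untaint, which is the idiom perlsec documents.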
This issue seems plausible, but I'm having some trouble replicating it. Do you have any exploit code or proof of concept to demonstrate this insecure taint condition? -- Rob
I was unable to find any issues related to tainting, but I added some more taint tests to the suite in 1.25 to hopefully help expose any issues on various platforms.
I'm unable to see this issue anymore so I'm closing the ticket.
From: Terje Andersen <terje dot andersen plus cpan at gmail>
Hi There!

I am experiencing this problem. I am using:

- Scientific Linux CERN SLC release 6.6 (Red Hat Enterprise Linux 6)
- Apache/2.2.15
- Perl 5.10.1
- File::NFSLock 1.28 from https://github.com/hookbot/File-NFSLock/blob/master/lib/File/NFSLock.pm

How to reproduce it:

1) I have the following Apache configuration:

    Alias /locktest "/tmp/locktest"
    <Directory "/tmp/locktest">
        Options ExecCGI
        SetHandler cgi-script
    </Directory>

2) /tmp/locktest/lock_important_file.pl, which locks an existing file called "important_file" residing in the same folder:

    #!/usr/bin/perl -wT
    use warnings;
    use strict;
    use lib "/tmp/locktest";
    use File::NFSLock;
    use Fcntl qw(LOCK_SH);

    print "Content-Type: text/html\n\n";

    # Take a shared lock on important_file, hold it for 30 seconds, release it.
    if (my $lock = new File::NFSLock {
            file      => 'important_file',
            lock_type => LOCK_SH,
        }) {
        sleep 30;
        $lock->unlock();
    } else {
        die $File::NFSLock::errstr;
    }

3) Open https://my-server.com/locktest/lock_important_file.pl in a new tab.

4) Close the tab before the 30 seconds have passed; important_file.NFSLock is still there because of the unclean shutdown.

5) Open a new tab using the same URL. The error log will now contain:

    Insecure dependency in truncate while running with -T switch at /tmp/locktest/File/NFSLock.pm line 417, <$fh> line 2.
        (in cleanup) Insecure dependency in truncate while running with -T switch at /tmp/locktest/File/NFSLock.pm line 417, <$fh> line 2.