
This queue is for tickets about the File-MMagic-XS CPAN distribution.

Report information
The Basics
Id: 75568
Status: open
Priority: 0/
Queue: File-MMagic-XS

People
Owner: Nobody in particular
Requestors: dom [...] cpan.org
Cc: gregoa [...] cpan.org
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.09006
Fixed in: (no value)



Subject: -Werror=format-security failure
As per <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661539> there is a format string vulnerability in this module:

src/perl-mmagic-xs.c: In function 'fmm_parse_magic_line':
src/perl-mmagic-xs.c:930:9: error: format not a string literal and no format arguments [-Werror=format-security]
...
cc1: some warnings being treated as errors

This can be triggered with

$ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")'
Segmentation fault (core dumped)

It's probably not exploitable in any real sense. Trivial patch attached (from Niko).
Subject: 0001-Call-croak-with-a-controlled-format-string.patch
From 2a247110eb4ec1828e844410dd83249bb5af1e1e Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Mon, 5 Mar 2012 22:13:56 +0200 Subject: [PATCH] Call croak() with a controlled format string This fixes builds with -Werror=format-security. The fatal error with an invalid offset contains a format string error that could be triggered with a crafted magic line. $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")' Segmentation fault (core dumped) --- src/perl-mmagic-xs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/perl-mmagic-xs.c b/src/perl-mmagic-xs.c index 019afb0..2af0d6e 100644 --- a/src/perl-mmagic-xs.c +++ b/src/perl-mmagic-xs.c @@ -927,7 +927,7 @@ fmm_parse_magic_line(PerlFMM *state, char *l, int lineno) err = newSVpvf( "fmm_parse_magic_line: offset %s invalid", l); FMM_SET_ERROR(state, err); - croak(SvPV_nolen(err)); + croak("%s", SvPV_nolen(err)); } l = t; -- 1.7.9.1
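Review bot: The one-line fix is right: croak() takes a printf-style format, so handing it the message built from the magic line `l` makes a line such as `%s%s%s%s` read varargs that were never passed, which is the segfault the ticket reproduces; `croak("%s", SvPV_nolen(err));` turns the message back into data. The context line `err = newSVpvf( "fmm_parse_magic_line: offset %s invalid", l);` is already safe, since `l` is an argument there rather than the format. Before merging, note that the report shows `...` after the first compiler error, so there may be further -Werror=format-security sites in the same file; rebuild with that flag and grep for `croak(SvPV_nolen(` to catch any the patch's single hunk does not cover.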
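The pattern behind the ticket, as an added stand-alone example that is not the module's code: `fake_croak()` is a hypothetical printf-style stand-in for Perl's croak(), `build_offset_error()` mimics the `newSVpvf` call that embeds the untrusted magic line in the message, and the crafted input is constructed here to match the ticket's `add_magic("%s%s%s%s")`. The pre-patch shape is kept under `#ifdef DEMO_VULNERABLE` because calling it is undefined behaviour; compiling with `-DDEMO_VULNERABLE -Wformat-security` reproduces the warning the report quotes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl's croak(): a printf-style error sink.
 * The format attribute is what lets -Wformat-security spot a non-literal
 * format, exactly as it did for the real croak() in the ticket. */
static char last_error[256];

#if defined(__GNUC__) || defined(__clang__)
static void fake_croak(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
#endif
static void fake_croak(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap); /* real croak() would longjmp out */
    va_end(ap);
}

/* Mimics newSVpvf("fmm_parse_magic_line: offset %s invalid", l):
 * safe on its own, because the untrusted line is an argument, not the format. */
static void build_offset_error(char *buf, size_t n, const char *line)
{
    snprintf(buf, n, "fmm_parse_magic_line: offset %s invalid", line);
}

#ifdef DEMO_VULNERABLE
/* Pre-patch shape: the message, which now contains the attacker's line,
 * becomes the format string. "%s%s%s%s" makes vsnprintf pull four
 * pointers from varargs that were never passed: undefined behaviour,
 * observed as the segfault in the ticket. Compiled only on request. */
const char *fail_vulnerable(const char *line)
{
    char msg[256];
    build_offset_error(msg, sizeof msg, line);
    fake_croak(msg); /* -Wformat-security: format not a string literal and no format arguments */
    return last_error;
}
#endif

/* Post-patch shape: a literal format, the message is plain data. */
const char *fail_hardened(const char *line)
{
    char msg[256];
    build_offset_error(msg, sizeof msg, line);
    fake_croak("%s", msg);
    return last_error;
}

/* Number of conversion directives an untrusted string would introduce if it
 * were ever used as a format; a literal "%%" is an escaped percent, not one. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed input, the same value the ticket passes to add_magic() */
    const char *crafted = "%s%s%s%s";
    printf("directives in crafted line: %d\n", count_directives(crafted));
    printf("hardened error text: %s\n", fail_hardened(crafted));
    return 0;
}
```

With the hardened path the four `%s` sequences survive verbatim inside the error text instead of being interpreted, which is the whole of the fix; the `count_directives()` helper is the check to run over any string that is about to be handed to a printf-style API as its first argument.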
Updated version of the patch against 0.09007.
Subject: format_string_fix.diff
>From 2a247110eb4ec1828e844410dd83249bb5af1e1e Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Mon, 5 Mar 2012 22:13:56 +0200 Subject: [PATCH] Call croak() with a controlled format string Bug-Debian: http://bugs.debian.org/661539 Bug: https://rt.cpan.org/Public/Bug/Display.html?id=75568 This fixes builds with -Werror=format-security. The fatal error with an invalid offset contains a format string error that could be triggered with a crafted magic line. $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")' Segmentation fault (core dumped) --- src/perl-mmagic-xs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) --- a/src/perl-mmagic-xs.c +++ b/src/perl-mmagic-xs.c @@ -1108,7 +1108,7 @@ error: FMM_SET_ERROR(state, err); - croak(SvPV_nolen(err)); + croak("%s", SvPV_nolen(err)); } /* maps to mod_mime_magic::apprentice */
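Review bot: The hunk now sits at a different place from the 0.09006 version: line 1108, directly after an `error:` label, rather than line 927 inside the branch that rejects an invalid offset, yet the commit message still describes only "The fatal error with an invalid offset". Update the message to say that in 0.09007 the croak() is reached from a shared error exit, and confirm that every jump to that `error:` label sets `err` first, since `SvPV_nolen(err)` is now executed for all of them, not just the invalid-offset case. Minor: the file begins with `>From`, the mbox From-munging of the first line; `patch -p1` ignores it, but strip the `>` if the file is meant to go through `git am`.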