
This queue is for tickets about the Authen-Captcha CPAN distribution.

Report information
The Basics
Id: 81832
Status: resolved
Priority: 0/
Queue: Authen-Captcha

People
Owner: Nobody in particular
Requestors: Xavier (no email address)
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.023
Fixed in: 1.023_001



Subject: Security improvement
Hi all,

A Debian user has proposed the joined patch with this comment:

When running with perl's '-T' taint switch, the package aborts
the script with the following error when trying to unlink expired
images:

Insecure dependency in unlink while running with -T switch at
/usr/share/perl5/Authen/Captcha.pm line 261.

This introduces a security issue for scripts using the package
as they cannot use the '-T' switch.

This script demonstrates the problem:

----------------------------------------------------------------------
#!/usr/bin/perl -T
use Authen::Captcha;
my $captcha = Authen::Captcha->new(
    expire => 1,
    data_folder => '/tmp',
    output_folder => '/tmp',
);
my $md5sum = $captcha->generate_code(5);
sleep(3);
$captcha->check_code($md5sum, $md5sum);
exit 0;
Subject: fix409731_not-taint-safe.patch
Description: fix a security issue reported by perl -T Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409731 Reviewed-By: Xavier Guimard <x.guimard@free.fr> Author: Ernesto Hernández-Novich <emhn@usb.ve> --- a/Captcha.pm +++ b/Captcha.pm @@ -232,7 +232,11 @@ sub check_code foreach my $line (@data) { $line =~ s/\n//; - my ($data_time,$data_code) = split(/::/,$line); + # Fixes Debian Bug #409731 + # Extract untainted time and code + # Patch provided by Chris Dunlop <chris@onthe.net.au> + # applied by Ernesto Hernández-Novich <emhn@usb.ve> + my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/; my $png_file = File::Spec->catfile($self->output_folder(),$data_code . ".png"); if ($data_code eq $crypt) @@ -351,7 +355,12 @@ sub _save_code foreach my $line (@data) { $line =~ s/\n//; - my ($data_time,$data_code) = split(/::/,$line); + # Fixes Debian Bug #409731 + # Extract untainted time and code + # Patch provided by Chris Dunlop <chris@onthe.net.au> + # applied by Ernesto Hernández-Novich <emhn@usb.ve> + my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/; + if ( (($current_time - $data_time) > ($self->expire())) || ($data_code eq $md5) ) { # remove expired captcha, or a dup
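Review bot: in the check_code hunk the match result is used without checking that the match succeeded. When a line does not fit m/(^\d+)::([[:xdigit:]]{32})$/, both $data_time and $data_code are undef, and the catfile call on the next line builds $png_file from an undefined $data_code. Add "next unless defined $data_code;" directly after the match. Writing the anchors as ^(\d+) and \z would also state the intent more clearly than (^\d+) and $.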
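Review bot: in the _save_code hunk a line that fails the match leaves $data_time undef, so ($current_time - $data_time) is computed against 0 and the record drops into the "expired or dup" branch with an undefined $data_code. Skip such lines explicitly before the if. The same pattern and attribution comment are now duplicated in both subs; a single shared qr// would keep the two parsers from drifting apart, and the attribution belongs in the changelog. The extra blank line added after the match can be dropped.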
On Sun Dec 09 2012 05:18:13, GUIMARD wrote:
> Hi all,
>
> A Debian user has proposed the joined patch with this comment:
>
> When running with perl's '-T' taint switch, the package aborts
> the script with the following error when trying to unlink expired
> images:
>
> Insecure dependency in unlink while running with -T switch at
> /usr/share/perl5/Authen/Captcha.pm line 261.
>
> This introduces a security issue for scripts using the package
> as they cannot use the '-T' switch.
>
> This script demonstrates the problem:
>
> ----------------------------------------------------------------------
> #!/usr/bin/perl -T
> use Authen::Captcha;
> my $captcha = Authen::Captcha->new(
>     expire => 1,
>     data_folder => '/tmp',
>     output_folder => '/tmp',
> );
> my $md5sum = $captcha->generate_code(5);
> sleep(3);
> $captcha->check_code($md5sum, $md5sum);
> exit 0;
This bug is a duplicate of https://rt.cpan.org/Public/Bug/Display.html?id=30806
Hi! Thanks for your report. We've just uploaded 1.024 that addresses this issue to CPAN and it will hit mirrors in a couple of hours. Have a nice day! Lubo
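
The taint behaviour described in the report, as an added example that is not part of the ticket or of Authen::Captcha: fields produced by split() stay tainted and unlink refuses them under -T, while captures from a successful regex match are untainted. The helper try_unlink, the directory name and the sample records are constructed for illustration, and the pattern is the one from the patch with \A and \z as anchors.

```perl
#!/usr/bin/perl -T
# Added example, not Authen::Captcha code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# $^X is tainted under -T; appending a zero-length slice of it taints a
# constructed string the same way reading it from a file would.
my $TAINT = substr($^X, 0, 0);

# Constructed records in the "time::32-hex-digits" layout the patch matches.
my @records = (
    '1355030293::' . ('0123456789abcdef' x 2),    # well-formed
    '1355030293::not-a-digest',                   # malformed
);

# Hypothetical helper: try to unlink a path and report what perl decided.
# The directory does not exist, so nothing is ever deleted.
sub try_unlink {
    my ($label, $name) = @_;
    my $path = "/nonexistent-captcha-dir/$name.png";
    my $ok = eval { unlink $path; 1 };
    my $verdict = $ok ? "passed the taint check\n" : "refused: $@";
    printf "  %-5s tainted=%-3s %s",
        $label, (tainted($path) ? 'yes' : 'no'), $verdict;
    return $ok ? 1 : 0;
}

for my $record (@records) {
    my $line = $record . $TAINT;
    print "record: $record\n";

    # Pre-patch parsing: split() hands the taint on to every field.
    my ($old_time, $old_code) = split /::/, $line;
    try_unlink('split', $old_code);

    # Patched parsing: captures from a successful match are untainted.
    my ($time, $code) = $line =~ /\A(\d+)::([[:xdigit:]]{32})\z/;
    if (defined $code) {
        try_unlink('regex', $code);
    }
    else {
        print "  regex no match, record skipped\n";
    }
}
```

The -T switch has to be given on the command line as well as on the #! line, otherwise perl refuses to start the script.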