Skip Menu |

This queue is for tickets about the Crypt-CBC CPAN distribution.

Report information
The Basics
Id: 81983
Status: open
Priority: 0/
Queue: Crypt-CBC

People
Owner: LDS [...] cpan.org
Requestors: marcus [...] mindmined.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.31
Fixed in: (no value)



Subject: auto-generated salts inadvertently taint the key
When running in Taint mode, Crypt::CBC will inadvertently taint the $key when generating a salt automatically. It ends up bailing on its own _taintcheck in this event: #!/usr/bin/perl -T use Crypt::CBC 2.31; my $cipher = Crypt::CBC->new( -key => 'my secret key', ); results in error: "Taint checks are turned on and your key is tainted. Please untaint the key and try again" The easy workaround is to provide my own salt... no problem with the following: my $cipher = Crypt::CBC->new( -key => 'my secret key', -salt => 'my__salt', ); Perl v5.8.8 Linux 2.6.18-308.20.1.el5 #1 SMP Tue Nov 6 04:38:29 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
I cannot reproduce this in perl 5.10. Do you have any idea where the inadvertent tainting is occurring? On Fri Dec 14 13:41:55 2012, marcusdelgreco wrote: Show quoted text
> When running in Taint mode, Crypt::CBC will inadvertently taint the > $key when generating a > salt automatically. It ends up bailing on its own _taintcheck in this > event: > > #!/usr/bin/perl -T > use Crypt::CBC 2.31; > my $cipher = Crypt::CBC->new( > -key => 'my secret key', > ); > > results in error: > > "Taint checks are turned on and your key is tainted. Please untaint > the key and try again" > > The easy workaround is to provide my own salt... no problem with the > following: > > my $cipher = Crypt::CBC->new( > -key => 'my secret key', > -salt => 'my__salt', > ); > > Perl v5.8.8 > Linux 2.6.18-308.20.1.el5 #1 SMP Tue Nov 6 04:38:29 EST 2012 x86_64 > x86_64 x86_64 > GNU/Linux
From: marcus [...] mindmined.com
I omitted the call to 'encrypt'... this is what triggers the error at runtime after the $cipher is defined: $cipher->encrypt( 'string' ); I think the tainting might be happening in Crypt::CBC::_getrandom_bytes() ... ? On Fri Dec 14 14:05:06 2012, LDS wrote: Show quoted text
> I cannot reproduce this in perl 5.10. Do you have any idea where the > inadvertent tainting is occurring? > > On Fri Dec 14 13:41:55 2012, marcusdelgreco wrote:
> > When running in Taint mode, Crypt::CBC will inadvertently taint the > > $key when generating a > > salt automatically. It ends up bailing on its own _taintcheck in this > > event: > > > > #!/usr/bin/perl -T > > use Crypt::CBC 2.31; > > my $cipher = Crypt::CBC->new( > > -key => 'my secret key', > > ); > > > > results in error: > > > > "Taint checks are turned on and your key is tainted. Please untaint > > the key and try again" > > > > The easy workaround is to provide my own salt... no problem with the > > following: > > > > my $cipher = Crypt::CBC->new( > > -key => 'my secret key', > > -salt => 'my__salt', > > ); > > > > Perl v5.8.8 > > Linux 2.6.18-308.20.1.el5 #1 SMP Tue Nov 6 04:38:29 EST 2012 x86_64 > > x86_64 x86_64 > > GNU/Linux
> >
Fixed in version 2.32.
From: marcus [...] mindmined.com
On Fri Dec 14 14:21:55 2012, LDS wrote: Show quoted text
> Fixed in version 2.32.
Wow. Thank you. :)