This queue is for tickets about the Net-SNMP CPAN distribution.

Report information
The Basics
Id: 82384
Status: stalled
Priority: 0/
Queue: Net-SNMP

People
Owner: Nobody in particular
Requestors: RCAPUTO [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Subject: taint failure in Net::SNMP::Security::USM
key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497.

One must attempt an AES128 session with an SNMP v3 host, as in this (with the particulars properly configured):

    #!perl -T
    use strict;
    use warnings;
    use Data::Dumper;
    use Net::SNMP qw(oid_lex_sort oid_base_match :snmp);

    # Non-blocking SNMPv3 session with MD5 authentication and AES128 privacy.
    my ($session, $error) = Net::SNMP->session(
        -authpassword => 'auth',
        -privpassword => 'priv',
        -username     => 'user',
        -authprotocol => 'MD5',
        -retries      => '2',
        -version      => '3',
        -hostname     => '10.0.0.2',
        -privprotocol => 'AES128',
        -nonblocking  => '1',
        -port         => '161',
        -timeout      => '3'
    );
    # session() returns undef on failure; report it instead of calling
    # methods on an undefined value.
    die "session: $error\n" if !defined $session;

    my $list = $session->var_bind_list();
    snmp_dispatcher();
    if ($session->error()) {
        print $session->error() . "\n";
    } else {
        print "OK\n";
    }
The error is actually silent until I put a "warn $@" just after the block eval{} in Net::SNMP::Dispatcher::_callback_execute(). With the warning, I get: key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497.
It looks like throughout Net::SNMP, _priv_key is only assigned in a few places in one file, Net::SNMP::Security::USM. All signs point to _password_localize() being the culprit. None of the other assignments seems to introduce taint. Most of _password_localize() looks benign, and then there's the last line:

    return $digest->add($d . $this->{_engine_id} . $d)->digest();

It looks like the _engine_id member can become tainted from three sources.

1. A tainted value can be passed into the constructor. I'm okay with delegating untainting to the caller. We're not passing in anything, however.
2. A default $ENGINE_ID and _engine_id member are set in USM.pm at line 688. The data source is via hostname() and gethostbyname(), which are tainted.
3. The _engine_id member can also be set by _engine_id_discovery(), which gets the engine ID from a message. That's probably tainted.

I hope this helps.
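An added example, not code from the ticket or from Net::SNMP, that illustrates the mechanism described above: under -T, the taint flag on the engine ID travels through the RFC 3414 key localization (digest of key . engine_id . key) into the derived privacy key, and the only thing that clears it is a validating regex capture applied to the engine ID before the key is derived. The engine ID value, the 5..32 octet length check and the use of a zero-length substr of an environment value as a tainted seed are all constructed for this example; the 1 MiB password expansion that real USM performs before localization is omitted.

```perl
#!/usr/bin/perl -T
# Added example (not from the ticket or Net::SNMP): taint propagation
# through USM-style key localization, and validation-based untainting.
use strict;
use warnings;
use Digest::MD5 qw(md5);
use Scalar::Util qw(tainted);

# Stand-in for an engine ID learned from a discovery message (case 3 in
# the ticket). Under -T, anything read from a socket, a file, @ARGV or %ENV
# is tainted; a zero-length substr of an environment value is an empty but
# tainted string, so concatenating it taints the constructed ID.
sub tainted_engine_id {
    my $taint = substr($ENV{PATH} // '', 0, 0);
    return pack('H*', '8000000001020304') . $taint;   # constructed value
}

# Key localization in the shape RFC 3414 describes and USM.pm implements:
# key = H( H(password) . engine_id . H(password) ).
sub localize_key {
    my ($password, $engine_id) = @_;
    my $d = md5($password);
    return md5($d . $engine_id . $d);
}

# Untaint by validating, not by copying: an SnmpEngineID is 5 to 32 octets
# (RFC 3411). A regex capture is the only way Perl clears the taint flag,
# so the length check and the untainting are one step.
sub untaint_engine_id {
    my ($id) = @_;
    return $id =~ /\A([\x00-\xff]{5,32})\z/ ? $1 : undef;
}

my $engine_id = tainted_engine_id();
my $priv_key  = localize_key('priv', $engine_id);
printf "engine id tainted: %d, derived key tainted: %d\n",
    tainted($engine_id) ? 1 : 0, tainted($priv_key) ? 1 : 0;

my $clean_id = untaint_engine_id($engine_id)
    or die "engine id failed validation, refusing to derive a key\n";
my $clean_key = localize_key('priv', $clean_id);
printf "after validation: engine id tainted: %d, key tainted: %d\n",
    tainted($clean_id) ? 1 : 0, tainted($clean_key) ? 1 : 0;
```

Run it as `perl -T taint_demo.pl` (the -T switch must be on the command line as well as the shebang, or Perl refuses with "Too late for -T"). The first line reports both values tainted, the second reports both clean; a key derived from the validated ID can then be handed to a cipher such as Crypt::Rijndael, which is the check that fails at USM.pm line 1497 in the report.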
One can also see the tainting problem by enabling -debug: error: [664] Net::SNMP::Dispatcher::_callback_execute(): key must be an untainted string scalar at /Library/Perl/5.10.0/Net/SNMP/Security/USM.pm line 1497.
This bug is blocking a product release at work. Is there anything I can do to expedite its resolution?
Marking as stalled, if RT will let me. It's been about 18 months since I reported the problem. Would a patch help? I have a patch at work. We use it to fix this issue whenever we set up another build machine.