
This queue is for tickets about the Crypt-RSA CPAN distribution.

Report information
The Basics
Id: 83303
Status: open
Priority: 0/
Queue: Crypt-RSA

People
Owner: Nobody in particular
Requestors: mhasch-cpanbugs [...] cozap.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.99
Fixed in: (no value)



Subject: [PATCH] insecure library usage in Crypt::RSA with FindBin
As of version 1.99, Crypt-RSA installs two library modules with insecure "use lib" statements. Effectively, some directory paths relative to the location of the calling script are included in @INC before other modules are loaded. This can make Crypt::RSA and other modules run code located near the calling script in place of code installed with the original libraries. This is hardly ever desirable. Using Crypt::RSA should not have this kind of side effect on @INC.

I have added a patch fixing and testing this issue.

-Martin
Subject: Crypt-RSA-1.99-MHASCH-01.patch
diff -Nrup Crypt-RSA-1.99.orig/lib/Crypt/RSA/Key/Private/SSH.pm Crypt-RSA-1.99/lib/Crypt/RSA/Key/Private/SSH.pm --- Crypt-RSA-1.99.orig/lib/Crypt/RSA/Key/Private/SSH.pm 2009-06-07 02:08:48.000000000 +0200 +++ Crypt-RSA-1.99/lib/Crypt/RSA/Key/Private/SSH.pm 2013-02-13 16:28:49.000000000 +0100 @@ -34,8 +34,6 @@ sub put_mp_int { package Crypt::RSA::Key::Private::SSH; -use FindBin qw($Bin); -use lib "$Bin/../../../../../lib"; use strict; use constant PRIVKEY_ID => "SSH PRIVATE KEY FILE FORMAT 1.1\n"; use vars qw( %CIPHERS ); diff -Nrup Crypt-RSA-1.99.orig/lib/Crypt/RSA.pm Crypt-RSA-1.99/lib/Crypt/RSA.pm --- Crypt-RSA-1.99.orig/lib/Crypt/RSA.pm 2009-06-07 02:16:43.000000000 +0200 +++ Crypt-RSA-1.99/lib/Crypt/RSA.pm 2013-02-13 16:28:21.000000000 +0100 @@ -10,8 +10,6 @@ ## $Id: RSA.pm,v 1.48 2001/09/25 12:44:55 vipul Exp $ package Crypt::RSA; -use FindBin qw($Bin); -use lib "$Bin/../../lib"; use strict; use base 'Class::Loader'; use base 'Crypt::RSA::Errorhandler'; diff -Nrup Crypt-RSA-1.99.orig/t/16-inc-safe.t Crypt-RSA-1.99/t/16-inc-safe.t --- Crypt-RSA-1.99.orig/t/16-inc-safe.t 1970-01-01 01:00:00.000000000 +0100 +++ Crypt-RSA-1.99/t/16-inc-safe.t 2013-02-13 16:39:18.000000000 +0100 @@ -0,0 +1,23 @@ +# Check if @INC is manipulated by certain library modules. + +# Author: Martin Becker, February 2013. +# This code is put into public domain. You can do with it what you like. + +BEGIN { + print "1..1\n"; + my @old_inc = @INC; + require Crypt::RSA; + require Crypt::RSA::Key::Private::SSH; + my $success = @old_inc == @INC; + if (!$success) { + print "# BEFORE:\n"; + foreach my $i (0 .. $#old_inc) { + print '# $INC[', $i, '] was ', $old_inc[$i], "\n"; + } + print "# AFTER:\n"; + foreach my $i (0 .. $#INC) { + print '# $INC[', $i, '] is ', $INC[$i], "\n"; + } + } + print $success? (): 'not ', "ok 1 - size of \@INC unchanged\n"; +}
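Review bot: in the SSH.pm hunk, removing both `use FindBin qw($Bin);` and `use lib "$Bin/../../../../../lib";` is the right fix, because `$Bin` is the directory of the running script rather than of the module, so once installed the path never pointed at the distribution's own lib directory; before merging, confirm that nothing else in Crypt::RSA::Key::Private::SSH still references `$Bin`, since the FindBin import disappears with this hunk.

Review bot: in the RSA.pm hunk, the removed `use lib "$Bin/../../lib";` ran at compile time ahead of `use strict` and the `use base` lines, so every module resolved after Crypt::RSA was loaded, not only its own dependencies, was searched for in the script-relative directory first; dropping it restores the caller's @INC unchanged. The patch carries no Changes entry or version bump for the new behaviour, which a release from 1.99 should have.

Review bot: in t/16-inc-safe.t, `my $success = @old_inc == @INC;` compares only the element counts, so a module that replaced or reordered @INC entries without changing their number would still pass; compare the contents instead, for example `my $success = "@old_inc" eq "@INC";`, or let Test::More do it with `is_deeply(\@INC, \@old_inc, 'size and content of @INC unchanged')`. The BEFORE/AFTER diagnostic loops are useful and can stay either way.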
On Wed Feb 13 11:49:22 2013, MHASCH wrote:
> As of version 1.99, Crypt-RSA installs two library modules
> with insecure "use lib" statements. Effectively, some directory
> paths relative to the location of the calling script are included in
> @INC before other modules are loaded. This can make Crypt::RSA and
> other modules run code located near the calling script in place of
> code installed with the original libraries. This is hardly ever
> desirable. Using Crypt::RSA should not have this kind of side effect
> on @INC.
>
> I have added a patch fixing and testing this issue.
>
> -Martin
This is fixed in Alt::Crypt::RSA::BigInt, by the way.
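As an added example (not code from the ticket or from the Crypt-RSA distribution), a standalone Perl check for the side effect described in the ticket, generalized to any module list: it compares @INC entry by entry rather than by size alone and flags added entries that lie under the calling script's directory, which is what a FindBin-based `use lib` produces. The default module list, the `inc_changes` helper and the output format are my own choices.

```perl
#!/usr/bin/perl
# Added example for this ticket; not code from the Crypt-RSA distribution.
# Loads each named module and reports every way it altered @INC, comparing
# the entries themselves rather than only the array size, and flags entries
# under the calling script's own directory (the FindBin pattern at issue).
use strict;
use warnings;
use FindBin qw($Bin);

# Default list is the two modules named in the ticket; module names given
# on the command line are checked instead.
my @modules = @ARGV ? @ARGV : qw(Crypt::RSA Crypt::RSA::Key::Private::SSH);

# Compare two @INC snapshots: returns added entries, removed entries and a
# flag for "same members, different order".
sub inc_changes {
    my ($before, $after) = @_;
    my %was = map { $_ => 1 } @$before;
    my %is  = map { $_ => 1 } @$after;
    my @added   = grep { !$was{$_} } @$after;
    my @removed = grep { !$is{$_} }  @$before;
    my $reordered = (!@added && !@removed && "@$before" ne "@$after") ? 1 : 0;
    return (\@added, \@removed, $reordered);
}

my @old_inc = @INC;
for my $mod (@modules) {
    (my $file = "$mod.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    eval { require $file; 1 } or warn "could not load $mod: $@";
}

my ($added, $removed, $reordered) = inc_changes(\@old_inc, \@INC);
my $problems = @$added + @$removed + $reordered;

for my $dir (@$added) {
    # An entry derived from the script location is the insecure case:
    # code placed next to the caller would shadow the installed modules.
    my $note = index($dir, $Bin) == 0 ? '  <-- relative to calling script' : '';
    print "added:   $dir$note\n";
}
print "removed: $_\n" for @$removed;
print "reordered: @INC\n" if $reordered;
print $problems ? "NOT OK: \@INC changed by @modules\n"
                : "OK: \@INC unchanged after loading @modules\n";
exit($problems ? 1 : 0);
```

Run it from a directory of your choosing against the installed Crypt::RSA; with the unpatched 1.99 modules the first added entry reported should begin with that script's own directory.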