
This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 84888
Status: rejected
Priority: 0
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: x.guimard [...] free.fr
Cc: waoki [...] umnh.utah.edu
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.4001
Fixed in: (no value)



CC: waoki [...] umnh.utah.edu
Subject: Segfaults when adding or deleting tainted values
Hi,

another bug reported by a Debian user (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679343):

If Perl is run with taint checking and the 'add' or 'delete' methods on a Net::LDAP::Entry object are given an attribute with a tainted value, Perl will segfault when the 'update' method is used.

Simple example:

    $ldapentry->add('memberUid' => $sometaintedvariable);
    $ldapentry->update($ldaphandle);
    print "This line is never reached because Perl crashes\n";

Observed behavior:

Perl interpreter segfaults. (In my testing, valgrind produces a "Conditional jump or move depends on uninitialised value(s)" warning simply as a result of 'use Net::LDAP'.)

Expected behavior:

Perl interpreter does not segfault

Complicated example follows:
------- BEGIN EXAMPLE -------
#!/usr/bin/perl -w -T
# This program requires two arguments, a user in LDAP and a group to remove
# that user from.
# This program assumes a Kerberized environment and must be modified to
# work in a different environment.

use Net::LDAP;
use Authen::SASL qw(Cyrus);
use strict;

my %conf;
$conf{'basedn'}     = 'PUT YOUR DN HERE';
$conf{'groupsdn'}   = 'ou=Groups,' . $conf{'basedn'};
$conf{'ldapserver'} = 'PUT YOUR SERVER HERE';

my $adminuserdn = 'uid=' . getpwuid($<) . "/admin";

sub foo($$$) {
    my $lh  = $_[0];
    my $uid = $_[1];
    my $gid = $_[2];

    my $results = $lh->search(filter => '(&(objectClass=posixGroup)(cn=' . $gid . '))',
                              base   => $conf{'basedn'});
    die "Search returned multiple entries\n" if ($results->count() > 1);
    return undef if ($results->count() < 1);

    my $group = $results->pop_entry();
    die "Got an entry for the wrong group" if ($group->dn ne 'cn=' . $gid . ',' . $conf{'groupsdn'});

    $group->changetype('modify');
    #$group->add('memberUid' => $uid);
    $group->delete('memberUid' => $uid);
    print "DEBUG: about to update\n";
    print "DEBUG: ${uid}, ${gid}\n";
    print $group->update($lh)->error_text(), "\n";
    print "DEBUG: updated\n";
    print "Removed ${uid} from ${gid} or added it instead\n";
}

my $err;
my $sh = Authen::SASL->new(mechanism => 'GSSAPI') or die "Can't get SASL handle\n";
my $lh = Net::LDAP->new($conf{'ldapserver'}, onerr => sub { print('LDAP: ' . $_[0]); });

$err = $lh->start_tls(verify => 'require', capath => '/etc/ssl/certs/');
$err->code && die 'LDAP start_tls: ' . $err->error;

unless ($lh->root_dse()->supported_sasl_mechanism('GSSAPI')) {
    die "GSSAPI not supported for some reason\n";
}

$err = $lh->bind($adminuserdn, sasl => $sh, version => 3);
$err->code && die 'LDAP bind: ' . $err->error;

if ($#ARGV != 1) {
    die "Usage: crashit3.pl USER GROUP\n";
}

my $user  = shift @ARGV;
my $group = shift @ARGV;

# Untaint by capturing: $1 is untainted, $user stays tainted.
$user =~ /(.*)/;
my $notaintuser = $1;

print "Running without tainted attr value\n";
foo($lh, $notaintuser, $group);

print "Running with tainted attr value\n";
foo($lh, $user, $group);
------- END EXAMPLE -------
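The reporter's script untaints the user name with `$user =~ /(.*)/; $1`, which clears Perl's taint flag without checking the value, and builds the search filter by concatenating the group name. The following is an added example, not code from the ticket or from perl-ldap, showing the validation step a practitioner would put in front of Net::LDAP::Entry->add/delete and the search filter: a restrictive capture pattern so that only a value matching the naming policy comes out untainted, plus Net::LDAP::Util's escape_filter_value and escape_dn_value for the filter and DN. The file name, the name pattern, the helper names (untaint_name, group_filter, group_dn) and the placeholder base DN are assumptions; adjust the pattern to your directory's naming policy.

```perl
#!/usr/bin/perl -T
# Added example for rt.cpan.org #84888; not code from the ticket or from
# perl-ldap. Run as:  perl -T untaint_ldap_input.pl USER GROUP
use strict;
use warnings;
use Scalar::Util    qw(tainted);
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

# Assumption: account and group names match this pattern (POSIX-style names,
# at most 32 characters). Adjust to your naming policy; keep it restrictive.
my $NAME_RE = qr/\A([a-z_][a-z0-9_-]{0,31})\z/;

# Validate a name and return an untainted copy. Perl clears the taint flag
# only on regex captures, so $1 can contain exactly what the pattern allows.
# Compare the ticket's script, which untaints with /(.*)/ and accepts anything.
sub untaint_name {
    my ($what, $value) = @_;
    die "missing $what\n" unless defined $value;
    die "invalid $what: '$value'\n" unless $value =~ $NAME_RE;
    return $1;
}

# The search filter the ticket's foo() builds, with the value escaped so that
# '(', ')', '*' and '\' inside it are literal characters, not filter syntax.
sub group_filter {
    my ($gid) = @_;
    return '(&(objectClass=posixGroup)(cn=' . escape_filter_value($gid) . '))';
}

# The expected DN of the group entry, with the RDN value escaped for DN syntax.
sub group_dn {
    my ($gid, $groups_dn) = @_;
    return 'cn=' . escape_dn_value($gid) . ',' . $groups_dn;
}

die "Usage: $0 USER GROUP\n" unless @ARGV == 2;
my ($raw_user, $raw_group) = @ARGV;

# Under -T, everything read from @ARGV carries the taint flag.
printf "from argv: user tainted=%d, group tainted=%d\n",
    tainted($raw_user) ? 1 : 0, tainted($raw_group) ? 1 : 0;

my $uid = untaint_name('user',  $raw_user);
my $gid = untaint_name('group', $raw_group);

printf "validated: user tainted=%d, group tainted=%d\n",
    tainted($uid) ? 1 : 0, tainted($gid) ? 1 : 0;

my $groups_dn = 'ou=Groups,dc=example,dc=com';    # assumption: placeholder base DN
print 'filter: ', group_filter($gid), "\n";
print 'dn:     ', group_dn($gid, $groups_dn), "\n";

# $uid and $gid are now untainted and can be handed to Net::LDAP as in the
# ticket's script, e.g.:
#   $group->changetype('modify');
#   $group->delete(memberUid => $uid);
#   my $mesg = $group->update($ldap);
#   die $mesg->error if $mesg->code;
```

Run it with `perl -T` on the command line, since Perl refuses a `-T` that appears only on the `#!` line. One caveat worth keeping in mind: taint mode does not stop tainted data from being written to a socket (print and syswrite are exempt from taint checks), so Net::LDAP will send a tainted value to the directory; the protection comes from the validating pattern, not from the flag. A value that passes untaint_name also reaches add/delete untainted, which is the case the reporter's script runs first.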
Hi,

On Sat Apr 27 00:53:56 2013, GUIMARD wrote:
> [...]
> If Perl is run with taint checking and the 'add' or 'delete' methods
> on a Net::LDAP::Entry object are given an attribute with a tainted value,
> Perl will segfault when the 'update' method is used.
>
> Simple example:
>
> $ldapentry->add('memberUid' => $sometaintedvariable);
> $ldapentry->update($ldaphandle);
> print "This line is never reached because Perl crashes\n";
>
> Observed behavior:
>
> Perl interpreter segfaults. (In my testing, valgrind produces a
> "Conditional jump or move depends on uninitialised value(s)" warning
> simply as a result of 'use Net::LDAP'.)
>
> Expected behavior:
>
> Perl interpreter does not segfault
> [...]
I tried to reproduce the issue in perl-ldap 0.55 on Perl v5.14.2 using the even simpler script below, but failed to stumble upon the error you reported.
------- BEGIN EXAMPLE -------
#!/usr/bin/perl -w -T

use Net::LDAP;
use Net::LDAP::Entry;

die("Usage $0 <carLicense>\n") unless @ARGV;

my $ldap = Net::LDAP->new('ldap://localhost') or die($@);
my $mesg = $ldap->bind('cn=MANAGER,DC=ADPM,DC=DE', password => 'SECRET');
die $mesg->error if $mesg->code;

my $entry = Net::LDAP::Entry->new('cn=TEST-USER,DC=ADPM,DC=DE');
$entry->changetype('modify');
$entry->add(carLicense => $ARGV[0]);
$mesg = $entry->update($ldap);

print "Sorry, bug cannot be reproduced\n";
die $mesg->error if $mesg->code;
------- END EXAMPLE -------

Can you try this simple script (with the constants adapted to your environment) to check whether you can reproduce the error?

In addition to that, as perl-ldap is a pure Perl module, I am convinced that perl-ldap cannot really be the cause of a segfault. In my opinion the segfault is either caused by a "non-pure-Perl" module used by perl-ldap or a bug in the Perl interpreter.

If you still can reproduce the bug, can you try to dig a bit more in order to find out where the bug really happens?

Unfortunately I cannot help further as I am not able to reproduce the issue.

Best
Peter
CC: x.guimard [...] free.fr
Subject: Re: [rt.cpan.org #84888] Segfaults when adding or deleting tainted values
Date: Mon, 13 May 2013 15:52:22 -0600
To: Peter Marschall via RT <bug-perl-ldap [...] rt.cpan.org>
From: Will Aoki <waoki [...] umnh.utah.edu>
On Sat, May 11, 2013 at 01:00:26PM -0400, Peter Marschall via RT wrote:
> Can you try this simple script (with the constants adapted to your environment) to check whether you can reproduce the error.
When I modify it to use Authen::SASL so that I can authenticate using GSSAPI, it crashes with a segmentation fault. If I set things up so that I can authenticate to the server without GSSAPI, it does not crash.
> In addition to that, as perl-ldap is a pure Perl module, I am convinced, that perl-ldap cannot really be the cause of a segfault. In my opinion the segfault is either caused by a "non-pure-Perl" module used by perl-ldap or a bug in the Perl interpreter.
It looks like Authen::SASL or something that only runs when SASL is in use is to blame.
Hi,

On Mon May 13 17:52:41 2013, waoki@umnh.utah.edu wrote:
> When I modify it to use Authen::SASL so that I can authenticate using
> GSSAPI, it crashes with a segmentation fault. If I set things up so that
> I can authenticate to the server without GSSAPI, it does not crash.
you got me interested ;-)

So I built a Kerberos installation and rewrote the script:
------- BEGIN EXAMPLE -------
#!/usr/bin/perl -w -T
use Net::LDAP;
use Authen::SASL qw(Cyrus);    # CHECK A: switch between Perl & Cyrus
use Net::LDAP::Entry;

die("Usage $0 <carLicense>\n") unless @ARGV;

my $ldap = Net::LDAP->new('ldap://SERVER.DOMAIN') or die($@);
my $sh = Authen::SASL->new(mechanism => 'GSSAPI') or die "Can't get SASL handle\n";
#$sh = $sh->client_new('ldap', 'SERVER.DOMAIN');    # CHECK B: (un)comment this line
my $mesg = $ldap->bind('cn=MANAGER,DC=ADPM,DC=DE', sasl => $sh);
die "LDAP bind failed: " . $mesg->error . ' (' . $mesg->code . ')' if $mesg->code;

my $entry = Net::LDAP::Entry->new('cn=TEST-USER,DC=ADPM,DC=DE');
$entry->changetype('modify');
$entry->add(carLicense => $ARGV[0]);
$mesg = $entry->update($ldap);

print "Sorry, segmentation fault cannot be reproduced\n";
die "LDAP modify failed: " . $mesg->error . ' (' . $mesg->code . ')' if $mesg->code;
------- END EXAMPLE -------

Using this updated script I tried to reproduce the segfault, again using perl-ldap 0.55 on Perl v5.14.2. In none of my tests was I able to reproduce a segmentation fault. But there were different outcomes depending on the combinations of the checks named CHECK A & CHECK B above:

* when using 'qw(Perl)' in CHECK A, the script ran successfully, independent of whether client_new() was called in CHECK B or not
* when using 'qw(Cyrus)' in CHECK A and calling client_new() in the script, the script finished without problems too.
* only with 'qw(Cyrus)' in CHECK A and not calling client_new() in the script [i.e. in exactly the configuration shown above] did the script die in line 12 with the message "LDAP bind failed: generic failure (82) at ./crashit.pl line 12, <DATA> line 747." But it did not segfault.

I guess the root cause here is that Authen::SASL::Cyrus cannot deal with an IP address as SASL host. The workaround here is to call client_new yourself. This is documented in the bind section of the Net::LDAP man page.

Can you please test this updated script with all 4 cases of CHECK A & B and report the individual results?

Best
Peter
Hi,

as the bug cannot be reproduced, and the bug submitter pointed to Authen::SASL as potential cause, I am rejecting this bug.

Additional reason: no reaction to test request for 3 weeks.

Peter