-
Notifications
You must be signed in to change notification settings - Fork 560
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security-Hole in module Safe.pm #5975
Comments
From andreas.jurenda@chello.atWell, I have found a security problem in module Safe.pm Sorry at may english, but my tongues are Pascal, Basic, C, C++,... maybe Perl but neither german nor english, but I will do my best ;-) The problem belongs to these two versions of Safe.pm: In both versions there is the same code for Safe::reval() Safe::reval() execute a given code in a safe compartment. But this routine has a one-time safeness. These depends on the values of @_ at the entrypoint of the safe compartment. Have a look at the source code of Safe::reval() Source:sub reval { # Create anon sub ref in root of compartment. if ($strict) { use strict; $evalsub = eval $evalcode; } return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub); In the last line there is the call for the execution of our $expr. And thats the hole, because $_[1] is directly linked to $obj->{Mask}. Modifying of $_[1] manipulate directly the operationmask of the safe compartment! At the first time calling reval() and manipulation $_[1] has no effect. Example:$codefullopmask = '$_[1] = chr(0x00) x 44;'; # at Perl 5.6.1 and 5.8.0 there are 352 built in opcodes (352/8=44) $codewithtrape = <<'EOC'; use Safe; $safe->reval($codefullopmask); # this manipulate the operation mask to full capability of all opcodes The solution of this problem is very simple. You have only put the operation-mask into a temporary variable for execution of $expr. Solution:sub reval { # Create anon sub ref in root of compartment. if ($strict) { use strict; $evalsub = eval $evalcode; } my $temp_mask = $obj->{Mask}; # JURENDA: put opmask in temporary scalar Now you can't modify the operationmask within the safe compartment. Herzliche Grüße von Andreas Jurenda :-}) |
From goldbb2@earthlink.netAndreas Jurenda (via RT) wrote:
Personally, I would prefer that we should prevent user code from even return Opcode::_safe_call_sv("$root", "$obj->{Mask}", $evalsub); This way, trying to change $_[1] in the evaled sub produces death due to -- |
From @rgsBenjamin Goldberg wrote:
This won't produce death. _safe_call_sv executes the closure in Your proposed fix is equivalent to Andreas' one : it prevents that My preferred fix would be to empty @_ in the closure before eval'ing |
From @rgsAndreas Jurenda (via RT) wrote:
Thanks. I've applied the following patch to the current development version The included regression test is backportable to 5.8.0. (The number of opcodes Change 17976 by rgs@rgs-home on 2002/10/04 19:44:48 Fix bug #17744, suggested by Andreas Jurenda, Affected files ... ...... //depot/perl/MANIFEST#942 edit Differences ... ==== //depot/perl/MANIFEST#942 (text) ==== @@ -570,6 +570,7 @@ ==== //depot/perl/ext/Opcode/Safe.pm#18 (text) ==== @@ -214,11 +214,11 @@ - if ($strict) { use strict; $evalsub = eval $evalcode; } return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub); |
From @rgsRafael Garcia-Suarez wrote:
This has been enhanced by change #17977 : a similar bug was affecting Safe::rdo().
|
arthur@contiller.se - Status changed from 'new' to 'open' |
From arthur@contiller.seOn fredag, okt 4, 2002, at 23:19 Europe/Stockholm, Rafael Garcia-Suarez
Should I release a new Safe.pm onto CPAN which has the included Arthur |
From arthur@contiller.seOn fredag, okt 4, 2002, at 23:19 Europe/Stockholm, Rafael Garcia-Suarez
Should this be released as a CPAN release of Safe.pm? If so I can Arthur |
@rgs - Status changed from 'open' to 'resolved' |
From @rgsArthur Bergman wrote:
This is a good idea. The new regression test is designed to work on I don't think the CPAN backport needs to include the Opcode module. |
From arthur@contiller.seOn lördag, okt 5, 2002, at 11:00 Europe/Stockholm, Rafael Garcia-Suarez
Consider it done. Arthur |
arthur@contiller.se - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#17744 (status was 'resolved')
Searchable as RT17744$
The text was updated successfully, but these errors were encountered: