
Mailing List Archive: ModPerl: Dev

Re: Bug#661540: libapache2-mod-perl2: FTBFS with hardening flags enabled: -Werror=format-security

 

 



ntyni at debian

Mar 9, 2012, 12:50 PM

Post #1 of 4 (617 views)

On Mon, Feb 27, 2012 at 09:39:53PM +0000, Dominic Hargreaves wrote:
> Source: libapache2-mod-perl2
> Severity: normal
> Version: 2.0.5-5
> User: debian-qa [at] lists
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> In file included from Pool.xs:26:0:
> /build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h: In function 'mpxs_cleanup_run':
> /build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h:315:9: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors

There are three other places where a variable is used as a format
string to Perl_croak(). I'm attaching a trivial patch that fixes those.
This makes the build with -Werror=format-security succeed.

If the variable can be externally controlled by untrusted input, this
is a security problem. The two usage warnings use constant strings so
they seem safe, but I'm afraid I can't tell whether this is the case
for ERRSV in the mpxs_cleanup_run() phase.

I'm cc'ing the modperl development list. Could somebody please look
into this? Also cc'ing the Debian security team as a heads up.

In any case, please consider the patch for 2.0.6.

Thanks for your work on mod_perl,
--
Niko Tyni ntyni [at] debian
Attachments: 0001-Use-controlled-format-strings-for-Perl_croak.patch (2.13 KB)


torsten.foertsch at gmx

Mar 12, 2012, 5:33 AM

Post #2 of 4 (570 views)

On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> - Perl_croak(aTHX_ SvPV_nolen(ERRSV));
> + Perl_croak(aTHX_ "%s", SvPV_nolen(ERRSV));
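
Review bot: the added line still runs ERRSV through SvPV_nolen(), so when $@ holds an exception object the rethrown error is only its string form, and "%s" stops at the first NUL byte in that string. The constant "%s" does stop the error text from being parsed as a format, which the removed line allowed; if the aim is to propagate the original exception unchanged, calling Perl_croak with a NULL pattern (which reuses ERRSV) or croak_sv(ERRSV) avoids building a new message at all.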

Thanks!

But isn't the right way to rethrow/propagate an exception (with respect to
exception objects) this?

Perl_croak(aTHX_ Nullch);

Unless there are any objections, I'm going to fix it that way.

Torsten Förtsch

--
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe [at] perl
For additional commands, e-mail: dev-help [at] perl


torsten.foertsch at gmx

Mar 12, 2012, 6:58 AM

Post #3 of 4 (570 views)

On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> The two usage warnings use constant strings so
> they seem safe,

They are safe since the "usage" variable is constant and does not contain any
%-sequences. I do not see the need to fix anything here. What am I missing?

> but I'm afraid I can't tell whether this is the case
> for ERRSV in the mpxs_cleanup_run() phase.

These occasions are fixed as of revision 1299669 as described in my previous
mail.

Torsten Förtsch

--
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net




ntyni at debian

Mar 12, 2012, 7:26 AM

Post #4 of 4 (570 views)

On Mon, Mar 12, 2012 at 02:58:05PM +0100, Torsten Förtsch wrote:
> On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> > The two usage warnings use constant strings so
> > they seem safe,
>
> They are safe since the "usage" variable is constant and does not contain any
> %-sequences. I do not see the need to fix anything here. What am I missing?

The fact that gcc can't see this and so building with
-Werror=format-security fails. Consider that part of the patch as
silencing false positive warnings.

> > but I'm afraid I can't tell whether this is the case
> > for ERRSV in the mpxs_cleanup_run() phase.
>
> These occasions are fixed as of revision 1299669 as described in my previous
> mail.

Thanks!

Can you think of a scenario where an attacker could inject format
sequences into ERRSV? That would make earlier releases vulnerable.
--
Niko Tyni ntyni [at] debian
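
The difference this thread turns on, as an added C example that is not part of the original posts or of mod_perl: `croak_like()` is a hypothetical stand-in for `Perl_croak()` that writes into a buffer instead of throwing, and the message strings are constructed samples. It shows why a constant string without %-sequences behaves the same either way, while error text containing a percent sign is rewritten when it is used as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl_croak(): formats into buf instead of
 * throwing. Compile with -DCHECK_FORMAT -Wformat -Werror=format-security
 * to give gcc the printf attribute and see rethrow_unsafe() rejected. */
#ifdef CHECK_FORMAT
__attribute__((format(printf, 3, 4)))
#endif
static int croak_like(char *buf, size_t len, const char *pat, ...)
{
    va_list ap;
    va_start(ap, pat);
    int n = vsnprintf(buf, len, pat, ap);
    va_end(ap);
    return n;
}

/* Pattern the patch removes: the error text itself is the format. */
static int rethrow_unsafe(char *buf, size_t len, const char *err)
{
    return croak_like(buf, len, err);
}

/* Pattern the patch adds: constant format, error text passed as data. */
static int rethrow_safe(char *buf, size_t len, const char *err)
{
    return croak_like(buf, len, "%s", err);
}

/* 1 if the text comes out unchanged, 0 if it was parsed as a format. */
static int survives(int (*fn)(char *, size_t, const char *), const char *msg)
{
    char out[128];
    fn(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed inputs. "%%" consumes no argument, so even the unsafe
     * path stays well defined; it only rewrites the text. */
    const char *usage = "usage: constant text without percent signs";
    const char *err = "quota 100%% used at line 3";
    printf("usage  unsafe=%d safe=%d\n", survives(rethrow_unsafe, usage), survives(rethrow_safe, usage));
    printf("errsv  unsafe=%d safe=%d\n", survives(rethrow_unsafe, err), survives(rethrow_safe, err));
    return 0;
}
```

Any conversion other than `%%` in the error text would make the unsafe path read arguments that were never passed, which is undefined behaviour; the sample avoids that so the program stays safe to run.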

