Bug#679343: libnet-ldap-perl: Segfaults when adding or deleting tainted values
Will Aoki
waoki at umnh.utah.edu
Thu Jun 28 00:02:30 UTC 2012

Package: libnet-ldap-perl
Version: 1:0.4001-2
Severity: normal

If Perl is run with taint checking and the 'add' or 'delete' methods on a
Net::LDAP::Entry object are given an attribute with a tainted value, Perl will
segfault when the 'update' method is used.

Simple example:

    $ldapentry->add('memberUid' => $sometaintedvariable);
    $ldapentry->update($ldaphandle);
    print "This line is never reached because Perl crashes\n";

Observed behavior:
Perl interpreter segfaults. (In my testing, valgrind produces a "Conditional
jump or move depends on uninitialised value(s)" warning simply as a result of
'use Net::LDAP'.)

Expected behavior:
Perl interpreter does not segfault

Complicated example follows:
------- BEGIN EXAMPLE -------
#!/usr/bin/perl -w -T
# This program requires two arguments, a user in LDAP and a group to remove
# that user from.
# This program assumes a Kerberized environment and must be modified to
# work in a different environment.
use Net::LDAP;
use Authen::SASL qw(Cyrus);
use strict;
my %conf;
$conf{'basedn'} = 'PUT YOUR DN HERE';
$conf{'groupsdn'} = 'ou=Groups,' . $conf{'basedn'};
$conf{'ldapserver'} = 'PUT YOUR SERVER HERE';
my $adminuserdn = 'uid=' . getpwuid($<) . "/admin";
sub foo($$$) {
    my $lh = $_[0];
    my $uid = $_[1];
    my $gid = $_[2];
    my $results = $lh->search(filter => '(&(objectClass=posixGroup)(cn=' . $gid . '))', base=>$conf{'basedn'});
    die "Search returned multiple entries\n" if ($results->count() > 1);
    return undef if ($results->count() < 1);
    my $group = $results->pop_entry();
    die "Got an entry for the wrong group" if ($group->dn ne 'cn=' . $gid . ',' . $conf{'groupsdn'});
    $group->changetype('modify');
    #$group->add('memberUid' => $uid);
    $group->delete('memberUid' => $uid);
    print "DEBUG: about to update\n";
    print "DEBUG: ${uid}, ${gid}\n";
    print $group->update($lh)->error_text(), "\n";
    print "DEBUG: updated\n";
    print "Removed ${uid} from ${gid} or added it instead\n";
}
my $err;
my $sh = Authen::SASL->new(mechanism=>'GSSAPI') or die "Can't get SASL handle\n";
my $lh = Net::LDAP->new($conf{'ldapserver'}, onerr=>sub{print('LDAP: ' . $_[0]);});
$err = $lh->start_tls(verify=>'require', capath=>'/etc/ssl/certs/');
$err->code && die 'LDAP start_tls: ' . $err->error;
unless ($lh->root_dse()->supported_sasl_mechanism('GSSAPI')) {
    die "GSSAPI not supported for some reason\n";
}
$err = $lh->bind($adminuserdn, sasl=>$sh, version=>3);
$err->code && die 'LDAP bind: ' . $err->error;
if ($#ARGV != 1) {
    die "Usage: crashit3.pl USER GROUP\n";
}
my $user = shift @ARGV;
my $group = shift @ARGV;
# Capturing through a regex match yields an untainted copy of $user.
$user =~ /(.*)/;
my $notaintuser = $1;
print "Running without tainted attr value\n";
foo($lh, $notaintuser, $group);
# $user is still tainted here.
print "Running with tainted attr value\n";
foo($lh, $user, $group);
------- END EXAMPLE -------

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnet-ldap-perl depends on:
ii  libconvert-asn1-perl    0.22-1             Perl module for encoding and decod
ii  libwww-perl             5.836-1            Perl HTTP/WWW client/server librar
ii  perl [libmime-base64-p  5.10.1-17squeeze3  Larry Wall's Practical Extraction

libnet-ldap-perl recommends no packages.

Versions of packages libnet-ldap-perl suggests:
ii  libauthen-sasl-perl     2.1500-1           Authen::SASL - SASL Authentication
ii  libio-socket-ssl-perl   1.33-1+squeeze1    Perl module implementing object or
ii  liburi-perl             1.54-2             module to manipulate and access UR
ii  libxml-parser-perl      2.36-1.1+b1        Perl module for parsing XML files
ii  libxml-sax-perl         0.96+dfsg-2        Perl module for using and building
ii  perl [libdigest-md5-pe  5.10.1-17squeeze3  Larry Wall's Practical Extraction

-- no debconf information
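
The reproducer in the report clears taint with `/(.*)/`, a pattern that always matches. As an added example (not part of the original report and not Net::LDAP code), the script below untaints a name through an allow-list pattern and checks it with Scalar::Util's `tainted` before it would be handed to Net::LDAP::Entry; the name pattern, the function names and the sample inputs are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: allow-list untainting of USER/GROUP style arguments.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: names start with a lowercase letter or underscore, continue
# with lowercase letters, digits, '_' or '-', and are at most 32 characters.
# Adjust the pattern to the directory's actual naming policy.
my $NAME_RE = qr/\A([a-z_][a-z0-9_-]{0,31})\z/;

# Returns an untainted copy of $value, or dies if it does not match.
sub untaint_name {
    my ($label, $value) = @_;
    defined $value or die "$label: missing value\n";
    $value =~ $NAME_RE or die "$label: rejected value\n";
    return $1;    # a regex capture group carries no taint
}

# Dies if any attribute value passed in is still tainted.
sub assert_untainted {
    my (%attrs) = @_;
    for my $name (sort keys %attrs) {
        die "refusing tainted value for $name\n" if tainted($attrs{$name});
    }
    return 1;
}

# Constructed sample input, used when no arguments are given.
# Under -T, values taken from @ARGV are tainted; the literals are not.
my @samples = @ARGV ? @ARGV : ('jdoe', 'staff', 'J Doe;', "jdoe\n");
for my $raw (@samples) {
    my $clean = eval { untaint_name('name', $raw) };
    if (defined $clean) {
        assert_untainted(memberUid => $clean);
        printf "accepted %-12s tainted=%d\n", $clean, tainted($clean) ? 1 : 0;
    } else {
        (my $shown = $raw) =~ s/[^\x20-\x7e]/?/g;   # printable form for the log
        print "rejected '$shown'\n";
    }
}
```

The `\z` anchor matters: with `$` instead, a value ending in a newline would pass the check.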