Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Niko Tyni ntyni at debian.org
Tue Jan 12 22:37:37 UTC 2016


[debian-security discussion list dropped, security team still in cc]

On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:
> On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346

> > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > happens due to CGI::Session::Driver::file complaining about taint.

> I am happy to prepare an updated package with the patch in from the RT
> ticket, though it would be good to get some second opinions on the
> correctness of that patch. I guess that should be released as a DSA
> update, given (as you point out) it's a regression indirectly introduced
> by the DSA. Another alternative would be the jessie point release,
> for which the freeze date is later this week.

The proposed fixes of untainting the session ID at the point where it's
being used to generate a file name feel somewhat wrong to me. Shouldn't
the data get untainted earlier when it gets read from the session file?

I mostly agree with the reasoning in
 https://rt.cpan.org/Public/Bug/Display.html?id=80346#txn-1133036
about how the session file needs to be considered trusted: currently,
depending on the serializer used, untainted data in a session can
become tainted just because it got roundtripped in (presumably trusted)
persistent storage.

This suggests that the right place to untaint the data would be in the
CGI::Session::Driver::*::retrieve() functions, or (more easily) centrally
in CGI::Session::load(). Comments on the attached alternative patch?

I'm a bit uneasy about throwing away $self->{_CLAIMED_ID} taintedness,
but I expect that propagating it wouldn't fix the issue for real world
applications, where the security is in attackers not being able to guess
the session ID in the HTTP(s) cookies.

(As a side note, I wonder a bit about hypothetical applications storing
tainted data in a session variable, and getting it back untainted after
the storage roundtrip. But I see that none of the current serializers
preserve taintedness, and I suppose such applications could be declared
broken.)
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Untaint-raw-data-coming-from-session-storage-backend.patch
Type: text/x-diff
Size: 1171 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20160113/0aedaac4/attachment.patch>
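As an added illustration (not the attached patch and not CGI::Session's own code), a self-contained script showing why a record read back from the session file is tainted under -T and what a central untaint at load time amounts to; retrieve_raw and untaint_storage are constructed stand-ins for the driver's retrieve() and the load() step, and the record format is made up:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Constructed stand-in for a file storage backend: write a session record
# to a temp file and read it back, the way a file driver would.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "_SESSION_ID:deadbeef\n";    # an untainted literal goes in
close $fh;

# Mimics Driver::*::retrieve(): returns the raw record from storage.
sub retrieve_raw {
    my ($file) = @_;
    open my $in, '<', $file or die "open $file: $!";
    local $/;
    my $raw = <$in>;    # anything read from a filehandle is tainted under -T
    close $in;
    return $raw;
}

# Central untaint at the load step: storage is treated as trusted, so the
# whole record is accepted via a capturing regex (the standard untaint idiom).
sub untaint_storage {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = $raw =~ /\A(.*)\z/s;
    return $clean;
}

my $raw = retrieve_raw($path);
printf "raw record tainted:    %d\n", tainted($raw)   ? 1 : 0;
my $clean = untaint_storage($raw);
printf "after central untaint: %d\n", tainted($clean) ? 1 : 0;

# The claimed ID from the cookie is a separate input and keeps its own
# validation before it is used to build a file name (hypothetical check).
my $claimed = 'deadbeef';
my ($sid) = $claimed =~ /\A([a-f0-9]+)\z/ or die "malformed session id";
printf "claimed id accepted:   %s\n", $sid;
```

Run it as `perl -T script.pl` so taint mode is on from the start; without -T, tainted() reports 0 for everything.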