  • Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity; you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer) and ;'s and
    # I had a sig when sigs were cool
    use Sig;
    • I think what’s happening is that they’re doing something like this:

      printf "%${precision}d", $somenumber;

      where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

      The right way to write that code, in the general case, is like so:

      $precision =~ s/%/%%/g;
      printf "%${precision}d", $somenumber;
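A worked illustration of the pattern described above, added here and not part of any comment in the thread: the interpolated-width version beside one that whitelists the value and hands the width to printf as a separate argument. The sample inputs and the MAX_WIDTH limit are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a printf width taken from untrusted
# input, first interpolated into the format string (the risky pattern),
# then validated and passed as an ordinary integer argument.
use strict;
use warnings;

use constant MAX_WIDTH => 64;   # assumed policy limit for this example

# Risky pattern discussed in the thread: the raw value becomes part of the
# format string, so it can smuggle extra conversions or a huge width.
sub unsafe_format {
    my ($precision, $number) = @_;
    return sprintf "%${precision}d", $number;
}

# Hardened version: accept only a short run of digits (the capture also
# untaints the value if the script runs under -T), cap it, and use '*' so
# the format string stays a literal while the width travels as an argument.
sub safe_format {
    my ($precision, $number) = @_;
    my ($width) = $precision =~ /\A(\d{1,3})\z/
        or die "width must be 1-3 digits\n";
    die "width $width exceeds " . MAX_WIDTH . "\n" if $width > MAX_WIDTH;
    return sprintf "%*d", $width, $number;
}

# Constructed sample values standing in for a web-form "precision" field.
my @inputs = ('8', '012', '%s%s%s', '999999999', '5; ls');

print "benign input, both versions: [", unsafe_format('8', 42), "] [",
      safe_format('8', 42), "]\n";

for my $in (@inputs) {
    my $out = eval { safe_format($in, 42) };
    if (defined $out) {
        printf "%-12s => [%s]\n", "'$in'", $out;
    } else {
        chomp(my $err = $@);
        printf "%-12s => rejected (%s)\n", "'$in'", $err;
    }
}
```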

      • > I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

        So I assume that you have long since reported this through perlbug and/or perl5-porters and since it's a security flaw also contacted the branch maintainers (Rafael and Nicholas) directly?

        • I think what he is saying is that it isn't a *core* Perl flaw but a flaw in programming methodology.

          • Well, let's say it's both. Perl could have been more paranoid, C lib could be more paranoid, Perl script authors should be more paranoid. Unclear, but I suspect this bug is only usable when Taint mode should have been used but wasn't? MaintPerl already has patch 26420, so Perl is now a bit more paranoid. The Ubuntu security team reports the problem as follows. Also patched in FC4 security updates and FC3 backport. Somewhere along the line the CVE# got typo'd, 3912 vs 3962, which may someday be assigned to something else.
            Ubuntu Security Notice USN-222-1 December 02, 2005
            perl vulnerability
            CVE-2005-3962 [typo: should be 3912]

            A security issue affects the following Ubuntu releases:

            Ubuntu 4.10 (Warty Warthog)
            Ubuntu 5.04 (Hoary Hedgehog)
            Ubuntu 5.10 (Breezy Badger)

            The following packages are affected:
            The problem can be corrected by upgrading the affected package to version 5.8.4-2ubuntu0.5 (for Ubuntu 4.10), 5.8.4-6ubuntu1.1 (for Ubuntu 5.04), or 5.8.7-5ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

            Details follow:

            Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the Perl program.

            However, this attack was only possible in insecure Perl programs which use variables with user-defined values in string interpolations without checking their validity.

            # I had a sig when sigs were cool
            use Sig;