Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <507EE4E7.5070601@redhat.com>
Date: Wed, 17 Oct 2012 11:03:35 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthias Weckbecker <mweckbecker@...e.de>
Subject: Re: CVE request: ruby file creation due in insertion
 of illegal NUL character

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2012 04:25 AM, Matthias Weckbecker wrote:
> On Wednesday 17 October 2012 11:44:35 Fabian Keil wrote:
>> Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
>>> On 10/16/2012 08:40 AM, Matthias Weckbecker wrote:
>>>> Technically, this would also apply to Perl (at least with
>>>> 5.12.3).
>>> 
>>> It's also the case with perl 5.14.2 (just tested). :/
>> 
>> At least for Perl I consider this a feature.
>> 
> 
> I agree. I also think that an application which lets such things
> happen (ie allow arbitrary content to be passed to open()) is
> rather to blame than the language (/interpreter) itself. But the
> same applies to Ruby, IMO.

One thought is if you're interfacing to things like file systems which
generally don't handle NUL bytes in file names[filesystems] I would
hope the programming language does the smart thing and spit out an
error. Avtually looking at that page it appears that no modern file
systems allows NUL in a file name (and in general I suspect it's a bad
idea/leads to some nasty edge case issues).

[filesystems]
http://en.wikipedia.org/wiki/Comparison_of_file_systems

Plus I'm looking for documentation on this, in ruby for example:

http://www.ruby-doc.org/stdlib-1.9.3/libdoc/pathname/rdoc/Pathname.html

===============
Create a Pathname object from the given String (or String-like
object). If path contains a NUL character (\0), an ArgumentError is
raised.
===============

and I would have generally assumed that to be the case across all
related functions.

As for Perl:

http://perldoc.perl.org/perlopentut.html

===============
If magic open is a bit too magical for you, you don't have to turn to
sysopen. To open a file with arbitrary weird characters in it, it's
necessary to protect any leading and trailing whitespace. Leading
whitespace is protected by inserting a "./" in front of a filename
that starts with whitespace. Trailing whitespace is protected by
appending an ASCII NUL byte ("\0" ) at the end of the string.

This assumes, of course, that your system considers dot the current
working directory, slash the directory separator, and disallows ASCII
NULs within a valid filename.
===============

So as we can see from the file system comparison table this is almost
always the case.

I think it's disingenuous to blame every app that uses something as
common as "open" for doing something dangerous when it's pretty clear
that this behaviour is not expected, I think solving it in open/etc
makes a lot more sense than trying to fix every app that uses open
(which is.. probably all of them).

Personally I think the perlopentut case makes sense, using NUL as an
end of string marker. What happens if stuff comes after it though?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQfuTnAAoJEBYNRVNeJnmT17kP/iLt6rkgsqZC5dixAaNhoy9K
fsOfw5m0qgG1mUYzs0MHGN+PV4IQDlOrils7y/uuqHAKcacdf+goJio6l9rLcXQG
X9eHEvqa4bibKHZ2fYJzaPD+5dyvytOZ4EqkJ/MTbpHAjA7ySI1EsVAa0SFlXsvH
rffPCK+clqcTiXpvh3nhrprZo7r5pElyndVKFEiKvbEb8pqQVE1B3sZ2Q2xdhk70
zcMyy1aM0dSWxR2YtGJI7pmueJiU4BXHocsA/xM6RJuiWtS1bBykpclTDZ9SEYqQ
KTyjevVp0pnjRj+qh0xY1fctEyN5KYZg9DL5Y7XVUWVrFXWKPxe+CyOIyZBWXqwC
6bTV0Y20jdQB5VpxhyTOAajeRmLHPmrFGqP+AxGGUQQZDAqvr6i3z88+0tJLqUiz
29O4DcCg/HrCBt0h24SPEJvR4xJCEo0KeFcOwD2qfWo5kLt+eNyEmF3afreG6jPL
hxKU4xH9rQTr4xWsJvCLe6iOc1u0iEszpjz5ofNmJkkj1m9r04fNeAMpO0f0lWla
WJ10M9P6wwbVQSk81cMwFEhWJLjgiKLgd8+dk1A8lkfF/ndCUyKuPHTgfHyEI6QM
SchAdfU9U4FSEzd+58dBR5vGK0NKZLOd5Lb5ya16aZ2cNas0tyfbPRyl5HOOPjvK
Yc10u8KplHE0xWXhv0u2
=7EkV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.