From 18695056917a2f34a36e5e89df7f01deff9ab640 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 29 Mar 2009 15:59:53 -0400 Subject: move security to discussion The plugin list inlines all pages under plugins with a few exceptions, and would have included this page. Moving it to discussion avoids the problem. --- doc/plugins/po/discussion.mdwn | 208 +++++++++++++++++++++++++++++++++++++++++ doc/plugins/po/security.mdwn | 206 ---------------------------------------- 2 files changed, 208 insertions(+), 206 deletions(-) create mode 100644 doc/plugins/po/discussion.mdwn delete mode 100644 doc/plugins/po/security.mdwn (limited to 'doc/plugins') diff --git a/doc/plugins/po/discussion.mdwn b/doc/plugins/po/discussion.mdwn new file mode 100644 index 000000000..570b2a6ef --- /dev/null +++ b/doc/plugins/po/discussion.mdwn @@ -0,0 +1,208 @@ +[[!toc ]] + +---- + +# Security review + +## Probable holes + +_(The list of things to fix.)_ + +### po4a-gettextize + +* po4a CVS 2009-01-16 +* Perl 5.10.0 + +`po4a-gettextize` uses more or less the same po4a features as our +`refreshpot` function. + +Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly +errors out, complaining it was not able to detect the input charset; +it leaves no incomplete file on disk. I therefore had to pretend the +input was in UTF-8, as does the po plugin. + + zzuf -c -s 13 -r 0.1 \ + po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \ + -m GPL-3 -p GPL-3.pot + +Crashes with: + + Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution + iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449. + Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm + line 1449. + +An incomplete pot file is left on disk. Unfortunately Po.pm tells us +nothing about the place where the crash happens. + +> It's fairly standard perl behavior when fed malformed utf-8. As long +> as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can +> do some similar things itself when fed malformed utf-8 (doesn't +> crash tho) --[[Joey]] + +---- + +## Potential gotchas + +_(Things not to do.)_ + + +### Blindly activating more po4a format modules + +The format modules we want to use have to be checked, as not all are +safe (e.g. the LaTeX module's behaviour is changed by commands +included in the content); they may use regexps generated from +the content. + +---- + +## Hopefully non-holes + +_(AKA, the assumptions that will be the root of most security holes...)_ + +### PO file features + +No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) +directive that can be put in po files is supposed to cause mischief +(ie, include other files, run commands, crash gettext, whatever). + +### gettext + +#### Security history + +The only past security issue I could find in GNU gettext is +[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), +*i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): +the autopoint and gettextize scripts in the GNU gettext package (1.14 +and later versions) may allow local users to overwrite files via +a symlink attack on temporary files. + +This plugin would not have allowed to exploit this bug, as it does not +use, either directly or indirectly, the faulty scripts. + +Note: the lack of found security issues can either indicate that there +are none, or reveal that no-one ever bothered to find or publish them. + +#### msgmerge + +`refreshpofiles()` runs this external program. + +* I was not able to crash it with `zzuf`. +* I could not find any past security hole. + +#### msgfmt + +`isvalidpo()` runs this external program. + +* I was not able to make it behave badly using zzuf: it exits cleanly + when too many errors are detected. +* I could not find any past security hole. + +### po4a + +#### Security history + +The only past security issue I could find in po4a is +[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): +`lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to +overwrite arbitrary files via a symlink attack on the +gettextization.failed.po temporary file. + +This plugin would not have allowed to exploit this bug, as it does not +use, either directly or indirectly, the faulty `gettextize` function. + +Note: the lack of found security issues can either indicate that there +are none, or reveal that no-one ever bothered to find or publish them. + +#### General feeling + +Are there any security issues on running po4a on untrusted content? + +To say the least, this issue is not well covered, at least publicly: + +* the documentation does not talk about it; +* grep'ing the source code for `security` or `trust` gives no answer. + +On the other hand, a po4a developer answered my questions in +a convincing manner, stating that processing untrusted content was not +an initial goal, and analysing in detail the possible issues. +The following analysis was done with his help. + +#### Details + +* the core (`Po.pm`, `Transtractor.pm`) should be safe +* po4a source code was fully checked for other potential symlink + attacks, after discovery of one such issue +* the only external program run by the core is `diff`, in `Po.pm` (in + parts of its code we don't use) +* `Locale::gettext` is only used to display translated error messages +* Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to + think that `Encode` is not safe" +* Nicolas François has "no reason to think that `Encode::Guess` is not + safe". The po plugin nevertheless avoids using it by defining the + input charset (`file_in_charset`) before asking `TransTractor` to + read any file. NB: this hack depends on po4a internals. + +##### Locale::Po4a::Text + +* does not run any external program +* only `do_paragraph()` builds regexp's that expand untrusted + variables; according to [[Joey]], this is "Freaky code, but seems ok + due to use of `quotementa`". + +##### Text::WrapI18N + +`Text::WrapI18N` can cause DoS +([Debian bug #470250](http://bugs.debian.org/470250)). +It is optional, and we do not need the features it provides. + +If a recent enough po4a (>=0.35) is installed, this module's use is +fully disabled. Else, the wiki administrator is warned about this +at runtime. + +##### Term::ReadKey + +`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a +works nicely without it. But the po4a Debian package recommends +`libterm-readkey-perl`, so it will probably be installed on most +systems using the po plugin. + +`Term::ReadKey` has too far reaching implications for us to +be able to guarantee anything wrt. security. + +If a recent enough po4a (>=2009-01-15 CVS, which will probably be +released as 0.35) is installed, this module's use is fully disabled. + +##### Fuzzing input + +###### po4a-translate + +* po4a CVS 2009-01-16 +* Perl 5.10.0 + +`po4a-translate` uses more or less the same po4a features as our +`filter` function. + +Without specifying an input charset, same behaviour as +`po4a-gettextize`, so let's specify UTF-8 as input charset as of now. + +`LICENSES` is a 21M file containing 100 concatenated copies of all the +files in `/usr/share/common-licenses/`; I had no existing PO file or +translated versions at hand, which renders these tests +quite incomplete. + + zzuf -cv -s 0:10 -r 0.001:0.3 \ + po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \ + -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr + +... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step, +against some kind of infinite loop, deadlock, or any similar beast. + +The root of this bug lies in `Text::WrapI18N`, see the corresponding +section. + + +---- + +## Fixed holes + diff --git a/doc/plugins/po/security.mdwn b/doc/plugins/po/security.mdwn deleted file mode 100644 index d1bbf6c05..000000000 --- a/doc/plugins/po/security.mdwn +++ /dev/null @@ -1,206 +0,0 @@ -[[!toc levels=2]] - ----- - -# Probable holes - -_(The list of things to fix.)_ - -## po4a-gettextize - -* po4a CVS 2009-01-16 -* Perl 5.10.0 - -`po4a-gettextize` uses more or less the same po4a features as our -`refreshpot` function. - -Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly -errors out, complaining it was not able to detect the input charset; -it leaves no incomplete file on disk. I therefore had to pretend the -input was in UTF-8, as does the po plugin. - - zzuf -c -s 13 -r 0.1 \ - po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \ - -m GPL-3 -p GPL-3.pot - -Crashes with: - - Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution - iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449. - Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm - line 1449. - -An incomplete pot file is left on disk. Unfortunately Po.pm tells us -nothing about the place where the crash happens. - -> It's fairly standard perl behavior when fed malformed utf-8. As long -> as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can -> do some similar things itself when fed malformed utf-8 (doesn't -> crash tho) --[[Joey]] - ----- - -# Potential gotchas - -_(Things not to do.)_ - - -## Blindly activating more po4a format modules - -The format modules we want to use have to be checked, as not all are -safe (e.g. the LaTeX module's behaviour is changed by commands -included in the content); they may use regexps generated from -the content. - ----- - -# Hopefully non-holes - -_(AKA, the assumptions that will be the root of most security holes...)_ - -## PO file features - -No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) -directive that can be put in po files is supposed to cause mischief -(ie, include other files, run commands, crash gettext, whatever). - -## gettext - -### Security history - -The only past security issue I could find in GNU gettext is -[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), -*i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): -the autopoint and gettextize scripts in the GNU gettext package (1.14 -and later versions) may allow local users to overwrite files via -a symlink attack on temporary files. - -This plugin would not have allowed to exploit this bug, as it does not -use, either directly or indirectly, the faulty scripts. - -Note: the lack of found security issues can either indicate that there -are none, or reveal that no-one ever bothered to find or publish them. - -### msgmerge - -`refreshpofiles()` runs this external program. - -* I was not able to crash it with `zzuf`. -* I could not find any past security hole. - -### msgfmt - -`isvalidpo()` runs this external program. - -* I was not able to make it behave badly using zzuf: it exits cleanly - when too many errors are detected. -* I could not find any past security hole. - -## po4a - -### Security history - -The only past security issue I could find in po4a is -[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): -`lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to -overwrite arbitrary files via a symlink attack on the -gettextization.failed.po temporary file. - -This plugin would not have allowed to exploit this bug, as it does not -use, either directly or indirectly, the faulty `gettextize` function. - -Note: the lack of found security issues can either indicate that there -are none, or reveal that no-one ever bothered to find or publish them. - -### General feeling - -Are there any security issues on running po4a on untrusted content? - -To say the least, this issue is not well covered, at least publicly: - -* the documentation does not talk about it; -* grep'ing the source code for `security` or `trust` gives no answer. - -On the other hand, a po4a developer answered my questions in -a convincing manner, stating that processing untrusted content was not -an initial goal, and analysing in detail the possible issues. -The following analysis was done with his help. - -### Details - -* the core (`Po.pm`, `Transtractor.pm`) should be safe -* po4a source code was fully checked for other potential symlink - attacks, after discovery of one such issue -* the only external program run by the core is `diff`, in `Po.pm` (in - parts of its code we don't use) -* `Locale::gettext` is only used to display translated error messages -* Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to - think that `Encode` is not safe" -* Nicolas François has "no reason to think that `Encode::Guess` is not - safe". The po plugin nevertheless avoids using it by defining the - input charset (`file_in_charset`) before asking `TransTractor` to - read any file. NB: this hack depends on po4a internals. - -#### Locale::Po4a::Text - -* does not run any external program -* only `do_paragraph()` builds regexp's that expand untrusted - variables; according to [[Joey]], this is "Freaky code, but seems ok - due to use of `quotementa`". - -#### Text::WrapI18N - -`Text::WrapI18N` can cause DoS -([Debian bug #470250](http://bugs.debian.org/470250)). -It is optional, and we do not need the features it provides. - -If a recent enough po4a (>=0.35) is installed, this module's use is -fully disabled. Else, the wiki administrator is warned about this -at runtime. - -#### Term::ReadKey - -`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a -works nicely without it. But the po4a Debian package recommends -`libterm-readkey-perl`, so it will probably be installed on most -systems using the po plugin. - -`Term::ReadKey` has too far reaching implications for us to -be able to guarantee anything wrt. security. - -If a recent enough po4a (>=2009-01-15 CVS, which will probably be -released as 0.35) is installed, this module's use is fully disabled. - -#### Fuzzing input - -##### po4a-translate - -* po4a CVS 2009-01-16 -* Perl 5.10.0 - -`po4a-translate` uses more or less the same po4a features as our -`filter` function. - -Without specifying an input charset, same behaviour as -`po4a-gettextize`, so let's specify UTF-8 as input charset as of now. - -`LICENSES` is a 21M file containing 100 concatenated copies of all the -files in `/usr/share/common-licenses/`; I had no existing PO file or -translated versions at hand, which renders these tests -quite incomplete. - - zzuf -cv -s 0:10 -r 0.001:0.3 \ - po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \ - -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr - -... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step, -against some kind of infinite loop, deadlock, or any similar beast. - -The root of this bug lies in `Text::WrapI18N`, see the corresponding -section. - - ----- - -# Fixed holes - -- cgit v1.2.3