From 86edd539f4995b49e57086e055b0c9a5571b2ff3 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 8 Nov 2008 02:13:37 +0100 Subject: [PATCH] po/todo: mostly security research Signed-off-by: intrigeri --- doc/plugins/po.mdwn | 79 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 62 insertions(+), 17 deletions(-) diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 39575fb63..6c0d49197 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -6,6 +6,8 @@ gettext, using [po4a](http://po4a.alioth.debian.org/). It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`). +[[!toc]] + Introduction ============ @@ -215,30 +217,71 @@ TODO Security checks --------------- -- Can any sort of directives be put in po files that will - cause mischief (ie, include other files, run commands, crash gettext, - whatever). The [PO file - format](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) - should contain the answer. -- Any security issues on running po4a on untrusted content? - ### Security history -#### GNU gettext -- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966) - / [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): +The only past security issues I could find in GNU gettext and po4a +are: + +- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), + *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): the autopoint and gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files. - -#### po4a -- - [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): - lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to +- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): + `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to overwrite arbitrary files via a symlink attack on the gettextization.failed.po temporary file. +**FIXME**: check whether this plugin would have been a possible attack +vector to exploit these vulnerabilities. + +Depending on my mood, the lack of found security issues can either +indicate that there are none, or reveal that no-one ever bothered to +find (and publish) them. + +### PO file features + +Can any sort of directives be put in po files that will cause mischief +(ie, include other files, run commands, crash gettext, whatever)? + +> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) +> directive is supposed to do so. + +### Running po4a on untrusted content + +Are there any security issues on running po4a on untrusted content? + +> To say the least, this issue is not well covered, at least publicly: +> +> - the documentation does not talk about it; +> - grep'ing the source code for `security` or `trust` gives no answer. +> +> I'll ask their opinion to the po4a maintainers. +> +> I'm not in a position to audit the code, but I had a look anyway: +> +> - no use of `system()`, `exec()` or backticks in `Locale::Po4a`; are +> there any other way to run external programs in Perl? +> - a symlink attack vulnerability was already discovered, so I "hope" +> the code has been checked to find some more already +> - the po4a parts we are using themselves use the following Perl +> modules: `DynaLoader`, `Encode`, `Encode::Guess`, +> `Text::WrapI18N`, `Locale::gettext` (`bindtextdomain`, +> `textdomain`, `gettext`, `dgettext`) +> +> --[[intrigeri]] + +### Fuzzing input + +I was not able to find any public information about gettext or po4a +having been tested with a fuzzing program, such as `zzuf` or `fusil`. +Moreover, some gettext parsers seem to be quite +[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext), +so it might be useful to bang gettext/po4a's heads against such +a program in order to easily detect some of the most obvious DoS. +[[--intrigeri]] + gettext/po4a rough corners -------------------------- @@ -246,8 +289,10 @@ gettext/po4a rough corners live in different directories): say bla.fr.po has been updated in repo2; pulling repo2 from repo1 seems to trigger a PO update, that changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers - a PO update, that changes bla.fr.po in repo2; etc.; fixed in - `629968fc89bced6727981c0a1138072631751fee`? + a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in + `629968fc89bced6727981c0a1138072631751fee`, by disabling references + in Pot files. Using `Locale::Po4a::write_if_needed` might be + a cleaner solution. - new translations created in the web interface must get proper charset/encoding gettext metadata, else the next automatic PO update removes any non-ascii chars; possible solution: put such metadata -- 2.32.0.93.g670b81a890