move security to discussion

The plugin list inlines all pages under plugins with a few exceptions, and would have included this page. Moving it to discussion avoids the problem.

branch: master
parent e827247a86
commit 1869505691
@ -1,12 +1,14 @@
|
||||||
[[!toc levels=2]]
|
[[!toc ]]
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
# Probable holes
|
# Security review
|
||||||
|
|
||||||
|
## Probable holes
|
||||||
|
|
||||||
_(The list of things to fix.)_
|
_(The list of things to fix.)_
|
||||||
|
|
||||||
## po4a-gettextize
|
### po4a-gettextize
|
||||||
|
|
||||||
* po4a CVS 2009-01-16
|
* po4a CVS 2009-01-16
|
||||||
* Perl 5.10.0
|
* Perl 5.10.0
|
||||||
|
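Review bot: the `[[!toc levels=2]]` directive becomes `[[!toc ]]` in the same hunk that pushes every heading one level deeper under the new `# Security review`, so the table of contents no longer says how deep it should go. The depth that `levels=2` gave before now corresponds to `levels=3` (the new `# Security review`, the former top-level sections such as `## Probable holes`, and the tool subsections such as `### po4a-gettextize`); either set that explicitly or say in the commit message that the default depth is the intended change. The stray space in `[[!toc ]]` can go at the same time.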
@ -40,12 +42,12 @@ nothing about the place where the crash happens.
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
# Potential gotchas
|
## Potential gotchas
|
||||||
|
|
||||||
_(Things not to do.)_
|
_(Things not to do.)_
|
||||||
|
|
||||||
|
|
||||||
## Blindly activating more po4a format modules
|
### Blindly activating more po4a format modules
|
||||||
|
|
||||||
The format modules we want to use have to be checked, as not all are
|
The format modules we want to use have to be checked, as not all are
|
||||||
safe (e.g. the LaTeX module's behaviour is changed by commands
|
safe (e.g. the LaTeX module's behaviour is changed by commands
|
||||||
|
@ -54,19 +56,19 @@ the content.
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
# Hopefully non-holes
|
## Hopefully non-holes
|
||||||
|
|
||||||
_(AKA, the assumptions that will be the root of most security holes...)_
|
_(AKA, the assumptions that will be the root of most security holes...)_
|
||||||
|
|
||||||
## PO file features
|
### PO file features
|
||||||
|
|
||||||
No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
|
No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
|
||||||
directive that can be put in po files is supposed to cause mischief
|
directive that can be put in po files is supposed to cause mischief
|
||||||
(ie, include other files, run commands, crash gettext, whatever).
|
(ie, include other files, run commands, crash gettext, whatever).
|
||||||
|
|
||||||
## gettext
|
### gettext
|
||||||
|
|
||||||
### Security history
|
#### Security history
|
||||||
|
|
||||||
The only past security issue I could find in GNU gettext is
|
The only past security issue I could find in GNU gettext is
|
||||||
[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
|
[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
|
||||||
|
@ -81,14 +83,14 @@ use, either directly or indirectly, the faulty scripts.
|
||||||
Note: the lack of found security issues can either indicate that there
|
Note: the lack of found security issues can either indicate that there
|
||||||
are none, or reveal that no-one ever bothered to find or publish them.
|
are none, or reveal that no-one ever bothered to find or publish them.
|
||||||
|
|
||||||
### msgmerge
|
#### msgmerge
|
||||||
|
|
||||||
`refreshpofiles()` runs this external program.
|
`refreshpofiles()` runs this external program.
|
||||||
|
|
||||||
* I was not able to crash it with `zzuf`.
|
* I was not able to crash it with `zzuf`.
|
||||||
* I could not find any past security hole.
|
* I could not find any past security hole.
|
||||||
|
|
||||||
### msgfmt
|
#### msgfmt
|
||||||
|
|
||||||
`isvalidpo()` runs this external program.
|
`isvalidpo()` runs this external program.
|
||||||
|
|
||||||
|
@ -96,9 +98,9 @@ are none, or reveal that no-one ever bothered to find or publish them.
|
||||||
when too many errors are detected.
|
when too many errors are detected.
|
||||||
* I could not find any past security hole.
|
* I could not find any past security hole.
|
||||||
|
|
||||||
## po4a
|
### po4a
|
||||||
|
|
||||||
### Security history
|
#### Security history
|
||||||
|
|
||||||
The only past security issue I could find in po4a is
|
The only past security issue I could find in po4a is
|
||||||
[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
|
[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
|
||||||
|
@ -112,7 +114,7 @@ use, either directly or indirectly, the faulty `gettextize` function.
|
||||||
Note: the lack of found security issues can either indicate that there
|
Note: the lack of found security issues can either indicate that there
|
||||||
are none, or reveal that no-one ever bothered to find or publish them.
|
are none, or reveal that no-one ever bothered to find or publish them.
|
||||||
|
|
||||||
### General feeling
|
#### General feeling
|
||||||
|
|
||||||
Are there any security issues on running po4a on untrusted content?
|
Are there any security issues on running po4a on untrusted content?
|
||||||
|
|
||||||
|
@ -126,7 +128,7 @@ a convincing manner, stating that processing untrusted content was not
|
||||||
an initial goal, and analysing in detail the possible issues.
|
an initial goal, and analysing in detail the possible issues.
|
||||||
The following analysis was done with his help.
|
The following analysis was done with his help.
|
||||||
|
|
||||||
### Details
|
#### Details
|
||||||
|
|
||||||
* the core (`Po.pm`, `Transtractor.pm`) should be safe
|
* the core (`Po.pm`, `Transtractor.pm`) should be safe
|
||||||
* po4a source code was fully checked for other potential symlink
|
* po4a source code was fully checked for other potential symlink
|
||||||
|
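Review bot: the unchanged context line `the core (`Po.pm`, `Transtractor.pm`) should be safe` spells the module file with a lowercase `t`, while the next hunk refers to `TransTractor`; the po4a file is `Locale/Po4a/TransTractor.pm`, so this heading-level pass is a cheap moment to make the two spellings agree.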
@ -141,14 +143,14 @@ The following analysis was done with his help.
|
||||||
input charset (`file_in_charset`) before asking `TransTractor` to
|
input charset (`file_in_charset`) before asking `TransTractor` to
|
||||||
read any file. NB: this hack depends on po4a internals.
|
read any file. NB: this hack depends on po4a internals.
|
||||||
|
|
||||||
#### Locale::Po4a::Text
|
##### Locale::Po4a::Text
|
||||||
|
|
||||||
* does not run any external program
|
* does not run any external program
|
||||||
* only `do_paragraph()` builds regexp's that expand untrusted
|
* only `do_paragraph()` builds regexp's that expand untrusted
|
||||||
variables; according to [[Joey]], this is "Freaky code, but seems ok
|
variables; according to [[Joey]], this is "Freaky code, but seems ok
|
||||||
due to use of `quotementa`".
|
due to use of `quotementa`".
|
||||||
|
|
||||||
#### Text::WrapI18N
|
##### Text::WrapI18N
|
||||||
|
|
||||||
`Text::WrapI18N` can cause DoS
|
`Text::WrapI18N` can cause DoS
|
||||||
([Debian bug #470250](http://bugs.debian.org/470250)).
|
([Debian bug #470250](http://bugs.debian.org/470250)).
|
||||||
|
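Review bot: `quotementa` in the unchanged context line quoting [[Joey]] ("seems ok due to use of `quotementa`") is almost certainly the Perl builtin `quotemeta`, which escapes regexp metacharacters in interpolated text; since that call is the whole reason the regexp construction in `do_paragraph()` is judged safe against untrusted variables, fix the name here so a reader auditing the module can find the check.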
@ -158,7 +160,7 @@ If a recent enough po4a (>=0.35) is installed, this module's use is
|
||||||
fully disabled. Else, the wiki administrator is warned about this
|
fully disabled. Else, the wiki administrator is warned about this
|
||||||
at runtime.
|
at runtime.
|
||||||
|
|
||||||
#### Term::ReadKey
|
##### Term::ReadKey
|
||||||
|
|
||||||
`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
|
`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
|
||||||
works nicely without it. But the po4a Debian package recommends
|
works nicely without it. But the po4a Debian package recommends
|
||||||
|
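Review bot: the context lines give the threshold for disabling `Text::WrapI18N` as po4a `>=0.35`, while the following `Term::ReadKey` section states its threshold as `>=2009-01-15 CVS, which will probably be released as 0.35`; since the page is being moved and re-levelled anyway, state both the same way (CVS date plus expected release) so someone checking an installed po4a applies one rule to both modules.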
@ -171,9 +173,9 @@ be able to guarantee anything wrt. security.
|
||||||
If a recent enough po4a (>=2009-01-15 CVS, which will probably be
|
If a recent enough po4a (>=2009-01-15 CVS, which will probably be
|
||||||
released as 0.35) is installed, this module's use is fully disabled.
|
released as 0.35) is installed, this module's use is fully disabled.
|
||||||
|
|
||||||
#### Fuzzing input
|
##### Fuzzing input
|
||||||
|
|
||||||
##### po4a-translate
|
###### po4a-translate
|
||||||
|
|
||||||
* po4a CVS 2009-01-16
|
* po4a CVS 2009-01-16
|
||||||
* Perl 5.10.0
|
* Perl 5.10.0
|
||||||
|
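Review bot: `###### po4a-translate` lands on heading level six, the deepest Markdown supports, so the per-tool fuzzing results under `##### Fuzzing input` cannot be nested any further if another sub-heading is ever needed there; consider flattening the per-tool entries to list items under a single `##### Fuzzing input` (as the `* po4a CVS 2009-01-16` / `* Perl 5.10.0` bullets already are) rather than keeping a heading level with no headroom.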
@ -202,5 +204,5 @@ section.
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
# Fixed holes
|
## Fixed holes
|
||||||
|
|