po/todo: mostly security research
Signed-off-by: intrigeri <intrigeri@boum.org>master
parent
3c6c129100
commit
86edd539f4
|
@ -6,6 +6,8 @@ gettext, using [po4a](http://po4a.alioth.debian.org/).
|
|||
|
||||
It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`).
|
||||
|
||||
[[!toc]]
|
||||
|
||||
Introduction
|
||||
============
|
||||
|
||||
|
@ -215,30 +217,71 @@ TODO
|
|||
Security checks
|
||||
---------------
|
||||
|
||||
- Can any sort of directives be put in po files that will
|
||||
cause mischief (ie, include other files, run commands, crash gettext,
|
||||
whatever). The [PO file
|
||||
format](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
|
||||
should contain the answer.
|
||||
- Any security issues on running po4a on untrusted content?
|
||||
|
||||
### Security history
|
||||
|
||||
#### GNU gettext
|
||||
- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966)
|
||||
/ [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
|
||||
The only past security issues I could find in GNU gettext and po4a
|
||||
are:
|
||||
|
||||
- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
|
||||
*i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
|
||||
the autopoint and gettextize scripts in the GNU gettext package
|
||||
1.14 and later versions, as used in Trustix Secure Linux 1.5
|
||||
through 2.1 and other operating systems, allows local users to
|
||||
overwrite files via a symlink attack on temporary files.
|
||||
|
||||
#### po4a
|
||||
-
|
||||
[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
|
||||
lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to
|
||||
- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
|
||||
`lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to
|
||||
overwrite arbitrary files via a symlink attack on the
|
||||
gettextization.failed.po temporary file.
|
||||
|
||||
**FIXME**: check whether this plugin would have been a possible attack
|
||||
vector to exploit these vulnerabilities.
|
||||
|
||||
Depending on my mood, the lack of found security issues can either
|
||||
indicate that there are none, or reveal that no-one ever bothered to
|
||||
find (and publish) them.
|
||||
|
||||
### PO file features
|
||||
|
||||
Can any sort of directives be put in po files that will cause mischief
|
||||
(ie, include other files, run commands, crash gettext, whatever)?
|
||||
|
||||
> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
|
||||
> directive is supposed to do so.
|
||||
|
||||
### Running po4a on untrusted content
|
||||
|
||||
Are there any security issues on running po4a on untrusted content?
|
||||
|
||||
> To say the least, this issue is not well covered, at least publicly:
|
||||
>
|
||||
> - the documentation does not talk about it;
|
||||
> - grep'ing the source code for `security` or `trust` gives no answer.
|
||||
>
|
||||
> I'll ask their opinion to the po4a maintainers.
|
||||
>
|
||||
> I'm not in a position to audit the code, but I had a look anyway:
|
||||
>
|
||||
> - no use of `system()`, `exec()` or backticks in `Locale::Po4a`; are
|
||||
> there any other way to run external programs in Perl?
|
||||
> - a symlink attack vulnerability was already discovered, so I "hope"
|
||||
> the code has been checked to find some more already
|
||||
> - the po4a parts we are using themselves use the following Perl
|
||||
> modules: `DynaLoader`, `Encode`, `Encode::Guess`,
|
||||
> `Text::WrapI18N`, `Locale::gettext` (`bindtextdomain`,
|
||||
> `textdomain`, `gettext`, `dgettext`)
|
||||
>
|
||||
> --[[intrigeri]]
|
||||
|
||||
### Fuzzing input
|
||||
|
||||
I was not able to find any public information about gettext or po4a
|
||||
having been tested with a fuzzing program, such as `zzuf` or `fusil`.
|
||||
Moreover, some gettext parsers seem to be quite
|
||||
[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext),
|
||||
so it might be useful to bang gettext/po4a's heads against such
|
||||
a program in order to easily detect some of the most obvious DoS.
|
||||
[[--intrigeri]]
|
||||
|
||||
gettext/po4a rough corners
|
||||
--------------------------
|
||||
|
||||
|
@ -246,8 +289,10 @@ gettext/po4a rough corners
|
|||
live in different directories): say bla.fr.po has been updated in
|
||||
repo2; pulling repo2 from repo1 seems to trigger a PO update, that
|
||||
changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers
|
||||
a PO update, that changes bla.fr.po in repo2; etc.; fixed in
|
||||
`629968fc89bced6727981c0a1138072631751fee`?
|
||||
a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in
|
||||
`629968fc89bced6727981c0a1138072631751fee`, by disabling references
|
||||
in Pot files. Using `Locale::Po4a::write_if_needed` might be
|
||||
a cleaner solution.
|
||||
- new translations created in the web interface must get proper
|
||||
charset/encoding gettext metadata, else the next automatic PO update
|
||||
removes any non-ascii chars; possible solution: put such metadata
|
||||
|
|
Loading…
Reference in New Issue