Date:      Fri, 21 Jan 2011 16:44:37 GMT
From:      "Matthew X. Economou" <xenophon+fbsdports@irtnog.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/154207: security/p5-Crypt-RandPasswd: patch for method invocation bug in Crypt::RandPasswd->random_chars_in_range()
Message-ID:  <201101211644.p0LGibew091977@red.freebsd.org>
Resent-Message-ID: <201101211650.p0LGoCrn099585@freefall.freebsd.org>


>Number:         154207
>Category:       ports
>Synopsis:       security/p5-Crypt-RandPasswd: patch for method invocation bug in Crypt::RandPasswd->random_chars_in_range()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 16:50:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthew X. Economou
>Release:        FreeBSD/amd64 9-CURRENT
>Organization:
IRTNOG
>Environment:
FreeBSD lp-001c230aae10.irtnog.net 9.0-CURRENT FreeBSD 9.0-CURRENT #2: Wed Jan 19 09:42:11 EST 2011     root@lp-001c230aae10.irtnog.net:/usr/obj/usr/src/sys/LP-001C230AAE10  amd64
>Description:
If an external caller invokes the method Crypt::RandPasswd->random_chars_in_range(), Perl prepends the object name to the function's argument list.  This causes the local variables $minlen, $maxlen, $lo_char, and $hi_char to be set incorrectly ($minlen is set to the object name, $maxlen is set to what should have been the minimum length, $lo_char is set to what should have been the maximum length, and $hi_char is set to what should have been the first character in the given range), so that the method returns an incorrect result.

When random_chars_in_range() is called from within the module (e.g., by the letters() method), Perl does not modify the argument list, so the random_chars_in_range() method works as documented.
>How-To-Repeat:
These two commands should have an equivalent result (32 random lower-case letters):

perl -MCrypt::RandPasswd -e 'print Crypt::RandPasswd->letters(32,32),"\n";'

perl -MCrypt::RandPasswd -e 'print Crypt::RandPasswd->random_chars_in_range(32,32, "a" => "z"),"\n";'

However, the second command will result in a random string from zero to 32 characters long taken from the set ASCII code 32 (space) through the letter "a".
>Fix:
Apply this patch to the Crypt::RandPasswd sources, which, in random_chars_in_range(), adds a check of the argument list length prior to parsing and, if it has more than 4 items, shifts the list down by one:

--- Crypt-RandPasswd-0.02/lib/Crypt/RandPasswd.pm.orig  2011-01-20 15:12:21.305822700 -0500
+++ Crypt-RandPasswd-0.02/lib/Crypt/RandPasswd.pm       2011-01-21 10:55:30.872462500 -0500
@@ -1466,6 +1466,7 @@
 =cut

 sub random_chars_in_range($$$$) {
+     @_ > 4 and shift;
      my( $minlen, $maxlen, $lo_char, $hi_char ) = @_;

      $minlen <= $maxlen or die "minlen $minlen is greater than maxlen $maxlen";
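Review bot: the guard `@_ > 4 and shift;` decides by argument count rather than by whether the first element is an invocant, so a plain function call that passes a fifth (stray) argument would silently lose its real $minlen, while a method call that omits an argument would still misbind; since the `($$$$)` prototype is not applied to method calls, count is the only signal available here, so consider checking the first element explicitly (for example `shift if @_ > 4 && $_[0] eq __PACKAGE__;`) or at least spelling the intent as `shift if @_ > 4;` with a comment saying it strips the class name. The POD above the `=cut` should also state that the sub now accepts both function-style and class-method calls, and a test exercising both conventions against the same contract would keep the two paths from drifting apart again.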


>Release-Note:
>Audit-Trail:
>Unformatted:
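The calling-convention problem the report describes, reproduced in a small stand-alone script. This is an added example, not code from the PR or from Crypt::RandPasswd: ToyRandPasswd is a hypothetical package that mimics the structure of the module (a letters() wrapper calling a random_chars_in_range() worker), with the `($$$$)` prototype omitted and `rand()` standing in for the module's generator. It shows why a class-method call shifts every argument one slot to the right, what that does to a worker that unpacks @_ naively, and that the PR's `@_ > 4 and shift` guard makes function-style and method-style calls agree.

```perl
#!/usr/bin/env perl
# Added example, not code from the PR or from Crypt::RandPasswd.
# ToyRandPasswd is a hypothetical stand-in package (assumed name).
use strict;
use warnings;

package ToyRandPasswd;

# Returns @_ exactly as received, so the two calling conventions can be compared.
sub received_args { return join ',', @_ }

# Buggy form: assumes @_ is exactly (minlen, maxlen, lo_char, hi_char).
# Called as ToyRandPasswd->random_chars_in_range_buggy(...), the class name
# lands in $minlen and every other value shifts one slot to the right.
sub random_chars_in_range_buggy {
    my ($minlen, $maxlen, $lo_char, $hi_char) = @_;
    return _pick($minlen, $maxlen, $lo_char, $hi_char);
}

# Fixed form, using the guard from the PR: with more than four items the
# first one is the invocant, so drop it before unpacking.
sub random_chars_in_range {
    @_ > 4 and shift;
    my ($minlen, $maxlen, $lo_char, $hi_char) = @_;
    return _pick($minlen, $maxlen, $lo_char, $hi_char);
}

# Wrapper that, like letters() in the module, calls the worker as a plain
# function from inside the package, so @_ is never altered on that path.
sub letters {
    my ($class, $minlen, $maxlen) = @_;
    return random_chars_in_range($minlen, $maxlen, 'a', 'z');
}

# Illustrative worker. rand() is enough to show the argument bug but is not
# a cryptographic source; real password generation needs one.
sub _pick {
    my ($minlen, $maxlen, $lo_char, $hi_char) = @_;
    $minlen <= $maxlen or die "minlen $minlen is greater than maxlen $maxlen";
    my ($lo, $hi) = (ord $lo_char, ord $hi_char);
    my $len = $minlen + int rand($maxlen - $minlen + 1);
    return join '', map { chr($lo + int rand($hi - $lo + 1)) } 1 .. $len;
}

package main;

# True when $s has a length in [minlen, maxlen] and only characters in
# the inclusive range lo_char .. hi_char, i.e. what the caller asked for.
sub in_contract {
    my ($s, $minlen, $maxlen, $lo_char, $hi_char) = @_;
    return length($s) >= $minlen
        && length($s) <= $maxlen
        && $s !~ /[^\Q$lo_char\E-\Q$hi_char\E]/;
}

my @args = (32, 32, 'a', 'z');

# 1. The mechanism: a class-method call prepends the invocant to @_.
my $as_function = ToyRandPasswd::received_args(32, 32, 'a', 'z');
my $as_method   = ToyRandPasswd->received_args(32, 32, 'a', 'z');
$as_function eq '32,32,a,z'               or die "unexpected: $as_function";
$as_method   eq 'ToyRandPasswd,32,32,a,z' or die "unexpected: $as_method";
print "function call: $as_function\n";
print "method call  : $as_method\n";

# 2. Consequence: the buggy worker, called as a method, binds the class
#    name to $minlen, the number 32 to $lo_char and 'a' to $hi_char, and
#    serves a string that breaks the caller's contract. The numeric
#    warnings Perl would emit for "ToyRandPasswd" <= 32 are silenced here
#    only to keep the output readable; in real code they are a useful clue.
my $buggy;
{
    no warnings 'numeric';
    $buggy = ToyRandPasswd->random_chars_in_range_buggy(32, 32, 'a', 'z');
}
printf "buggy method call: %d chars, meets contract: %s\n",
    length $buggy, in_contract($buggy, @args) ? 'yes' : 'no';

# 3. With the PR's guard, method-style, function-style and wrapper calls
#    all satisfy the same contract.
for my $s (ToyRandPasswd->random_chars_in_range(32, 32, 'a', 'z'),
           ToyRandPasswd::random_chars_in_range(32, 32, 'a', 'z'),
           ToyRandPasswd->letters(32, 32)) {
    in_contract($s, @args) or die "fixed form broke contract: '$s'";
    print "fixed: $s\n";
}
```

Run it with `perl` and no arguments; the script dies if either invariant it checks (the argument shift in step 1, the contract in step 3) does not hold. The worker here keeps the count-based guard exactly as the PR proposes; a check that inspects the first element (for instance comparing it with the package name) would distinguish an invocant from a stray extra argument, which a bare count cannot.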


