[Po4a-devel] po4a against untrusted content

intrigeri intrigeri at boum.org
Mon Jan 19 03:40:59 UTC 2009


Hi,

Nicolas François wrote (15 Jan 2009 23:15:19 GMT):
> Thanks for the 2 patches (and the documentation). I committed them.

Thanks. My ikiwiki po plugin now disables the use of Text::WrapI18n,
if the installed po4a version is recent enough (currently means: CVS).

> On Thu, Jan 15, 2009 at 06:12:58PM +0100, intrigeri at boum.org wrote:
>>
>> Side note: as this works around #470250, and fixes a security issue
>> (exposed by my ikiwiki plugin use case), is it realistic to get
>> something based on this patch into Lenny? I would happily provide the
>> same patch against the po4a package currently in Lenny.

> If #470250 is really a security issue (DOS, right?), I would prefer
> libtext-wrapi18n-perl to be fixed. This would also provide a fix for
> non-programmatic usage of the Locale::Po4a library and even usage of
> libtext-wrapi18n-perl outside of po4a.

I obviously would prefer this too. But last time I checked, your
proposed patch had received no answer from the
libtext-wrapi18n-perl maintainer.

> Do you think this should be raised to the security team and
> release team?

I'm not familiar enough with the Debian security process to know how
seriously this potential denial of service would be taken by
these teams, in particular at a time when testing is frozen and
the release is imminent (yeah).

$ apt-cache rdepends libtext-wrapi18n-perl
libtext-wrapi18n-perl
Reverse Depends:
  po4a
  po4a
  module-assistant
  docbook2x
  debconf-i18n

On the one hand, module-assistant and debconf-i18n are often, or
usually, run with root credentials. On the other hand, they are run
against input data that has been uploaded into Debian, and thus can be
considered as somehow trusted... else you've got harder problems
to solve.

docbook2x commands may be run by a user against untrusted data.
This package has no reverse dependencies. I cannot think of
a situation where one would need to run them as root against untrusted
data, especially in an automated, non-interactive way, so it seems to
me the worst that can happen is having to hit Ctrl-C after a few
minutes lost waiting for the infinite loop to eventually end.

As a conclusion, my non-DD opinion on this topic is: this bug should
be fixed in Lenny, and thus deserves a NMU (if needed) and a freeze
exception, but a DSA would probably be a bit too much.

Bye,
--
  intrigeri <intrigeri at boum.org>
  | gnupg key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | If you must label the absolute, use its proper name: Temporary.