thrift-dev mailing list archives

From "Jens Geyer (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
Date Sun, 18 Aug 2019 17:08:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910015#comment-16910015
] 

Jens Geyer edited comment on THRIFT-4928 at 8/18/19 5:07 PM:
-------------------------------------------------------------

I may be overlooking something, therefore I ask you to add some substance to the 3 claims you
made. If it is an issue, we absolutely should fix it, but first we need to analyze the situation
and get some clarity about what we are doing here, I'd say

1) Why do we need to start the process with a CVE?
2) Why is "The problem is found in a taint path" an actual problem in the given context(s)?
5) Why do we have to confirm the claim you made?

Re 3: Given we have a problem with tainted values, if the values in the variables are used
only sometimes, don't we still have a problem sometimes after applying the proposed fix? 

Re 5 and since you did not really answer 2: How can an integer value rendered into a string
variable be a security issue, if the string is an exception or log message that is not an
executable statement in any form, manner or shape and the values are very likely either known
to the client anyway and/or of no other significance, at least as far as I can tell? 




was (Author: jensg):
I may be overlooking something, therefore I ask you to add some substance to the 3 claims you
made. If it is an issue, we absolutely should fix it, but first we need to analyze the situation
and get some clarity about what we are doing here, I'd say

1) Why do we need to start the process with a CVE?
2) Why is "The problem is found in a taint path" an actual problem in the given context(s)?
5) Why do we have to confirm the claim you made?

Re 3: Given we have a problem with tainted values, if the values in the variables are used
only sometimes, don't we still have a problem sometimes after applying the proposed fix? 

Re 5 and since you did not really answer 2: How can an integer value rendered into a string
variable be a security issue, if the string is an exception message that is not an executable
statement in any form, manner or shape and the values are very likely either known to the
client anyway and/or of no other significance, at least as far as I can tell? 



> Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment: 	Ubuntu 16.04.3 LTS
> 	Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>
>    Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and got the result from the server. After I applied the dynamic taint analyzer (distTaint), I finally found bugs from taint paths.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>       if (inputStream_ == null) {
>         throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream");
>       }
>       int bytesRead;
>       ......
>       bytesRead = inputStream_.read(buf, off, len);
>       ......
>     }
>   
>   The sink: org.apache.thrift.transport.TTransport,
>     public int readAll(byte[] buf, int off, int len) throws TTransportException {
>       ......
>       if (ret <= 0) {
>         throw new TTransportException(
>             "Cannot read. Remote side has closed. Tried to read "
>             + len
>             + " bytes, but only got "
>             + got
>             + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)");
>       }
>       ......
>     }
>   Sensitive information about expected and actual reading lengths (len, got) is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>    
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
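The following is an added, stand-alone sketch of the read-until-full loop the issue quotes; it is not Thrift's code and not code posted by the reporter or by Jens. The class and method names (ShortReadDemo, ShortReadException, readFully) are made up, and the input is a constructed byte array, so the demo runs offline. It reproduces the situation the exception covers: the caller asks for `len` bytes, the peer closes after fewer, and the message carries the two counts.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical stand-in for a transport read loop (not org.apache.thrift code).
public class ShortReadDemo {

    /** Thrown when the stream ends before the requested length has been filled. */
    public static class ShortReadException extends IOException {
        public final int requested;
        public final int received;

        public ShortReadException(int requested, int received) {
            super("Cannot read. Remote side has closed. Tried to read " + requested
                    + " bytes, but only got " + received + " bytes.");
            this.requested = requested;
            this.received = received;
        }
    }

    /**
     * Reads exactly len bytes into buf[off .. off+len) or throws ShortReadException.
     * 'len' is the caller's own argument; 'got' counts bytes already copied into
     * the caller's buffer before the stream ended.
     */
    public static int readFully(InputStream in, byte[] buf, int off, int len) throws IOException {
        int got = 0;
        while (got < len) {
            // InputStream.read returns -1 at end of stream.
            int ret = in.read(buf, off + got, len - got);
            if (ret <= 0) {
                throw new ShortReadException(len, got);
            }
            got += ret;
        }
        return got;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the peer delivers 3 bytes, the caller asks for 8.
        byte[] wire = new byte[] { 0x01, 0x02, 0x03 };
        byte[] buf = new byte[8];
        try {
            readFully(new ByteArrayInputStream(wire), buf, 0, buf.length);
        } catch (ShortReadException e) {
            System.out.println(e.getMessage());
            // requested is the value the caller passed in; received is the number of
            // bytes that are already sitting in buf (buf[0..3) here).
            System.out.println("requested=" + e.requested + " received=" + e.received);
        }
    }
}
```

Run with `javac ShortReadDemo.java && java ShortReadDemo`. In this sketch the two integers in the message are the caller's own `len` argument and the count of bytes the loop has already placed into the caller's buffer, which is the concrete question the comment above raises about what, if anything, such a message reveals to the party that receives it.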
