Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re^3: Patch an old Perl version

by BrowserUk (Pope)
on Nov 10, 2013 at 12:26 UTC ( #1061902=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Patch an old Perl version
in thread Patch an old Perl version

Specifically, the REHASH attack is *proven*, (or there would be no one-line test for it)

Sorry n'all, but that is rubbish.

*All* your one liner demonstrates is: does this perl contain that change/patch? Nothing -- literally nothing -- more.

It in no way makes any attempt to demonstrate why the patch might be needed.

It simple demonstrates that something is different; without giving any indication of how -- or even whether -- the changed behaviour is an improvement in some way.

, requires no probing, and far from being "almost impossible" is actually trivial execute.

Again. A bland statement unsubstantiated by your post; your paper; the text of CVE-2013-1667; or anything else that you've have said publicly on the subject(*).

To attack various web platforms one would simply construct an URL containing the right keys as parameters to the request, and since the proof of concept attack requires only chars in "a-z" doing this is trivial.

Again. This is so trivialised a scenario as to be meaningless.

A whole bunch of reasoning deleted; let's cut to the chase ...

So, if I send you a url of a perl script running on my machine under an unpatched version of Perl; you'll make it crash in short order?

*that I've been able to find. After months of looking!


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.


Comment on Re^3: Patch an old Perl version
Re^4: Patch an old Perl version
by demerphq (Chancellor) on Nov 10, 2013 at 23:18 UTC

    Sorry, but I do not believe it is responsible to reveal the attack key set at this time. Everybody on the perl5-security list has seen the full attack set and can confirm what I say about it. The fact they rolled security releases for all the major versions should be sufficient proof.

    ---
    $world=~s/war/peace/g

      I do not believe it is responsible to reveal the attack key set at this time.

      If you attack a url on my machine; I'm the only one who could see the key set. You're accusing me of being a risk.


      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.
        very interesting. As yet admitted, the technical points of this discussion are, by far, deeper to reach for me. But..
        in my serendipity perl experience i ever though Perl had not to be patched: may be upgraded but was not something like a browser (a new minor release every 20 requests...).

        Now i read about an obscure bug about HASH implementation: uh i'm interested! i use old CGIs, my programs use many complex data structures, and i like a lot hashes (quite often i end with stuff like: ${ $first{second}{third} }->[23] ).
        ok. good guy spotted the bug and realesed a patch. normally i download it, read some instruction, and apply it. Seems this is not that case. Better a full upgrade. to be sure.

        BrowserUK: i read carefully many of your posts and i trust you as many other monks here. I learned that your posts, many times, seems like porcupines in a morbid wool thread: but this appearence is not due to a polemic spirit but to a critic one. You think with your brain and before you accept some explication you need to be convinced yourself and prove it. this is the rigth approach of scientinst and many times your dissentient affirmations putted me on a safer way.

        That said, on the other side, in the learning process, is fundamental to trust the 'master' or the 'teacher' or the 'book' (as you prefear). I'm happy that demerphq and other peoples had not shouted on the net about the feasibilty of an hash or rehash attack: i don't want a pletora of bots be in queue in front of my 80 doors.. i prefear the vulnerabilty be known when my son will use Perl 6.8.

        thanks to all for the intersting discussion.

        L*

        There are no rules, there are no thumbs..
        Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.
Re^4: Patch an old Perl version
by rjbs (Pilgrim) on Nov 12, 2013 at 17:47 UTC
    The attack is real and proven. I've let it crash my machine in a realistic simulation of the real world. Please patch your world-facing perls.
    rjbs
      The attack is real and proven.

      First: prove it!

      But, even if that does happen, to what consequence?

      The instance of perl running the cgi script in response to the attacker's request, self terminates. Meaning the attack is over.

      The web-server continues to run; new instances of perl are run to handle everyone else's requests.

      The total damage done is EXACTLY ZERO. Nada. Zilch.

      No DoS; No DDos; No affect on other users; nor the web-site; nor anything permanent.

      The attacker's session end's immediately. Big deal?


      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.

        Look, I really wish you would stop repeating this irresponsible nonsense. You are a senior monk. People here on the site respect you and listen to you. IMO with that respect comes responsibility. Repeatedly saying that an attack you *clearly* do not understand is not real is NOT responsible.

        So please, just stop it.

        ---
        $world=~s/war/peace/g

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1061902]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (9)
As of 2014-10-02 17:09 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    What is your favourite meta-syntactic variable name?














    Results (66 votes), past polls