[RADIATOR] issue with 4.8 (+ patches) with setuid

Heikki Vatiainen hvn at open.com.au
Wed Jun 22 10:31:03 CDT 2011


On 06/20/2011 08:56 PM, Alan Buxey wrote:

> got this error:
> 
> Insecure dependency in eval while running setuid at /usr/local/lib/perl5/site_perl/5.12.2/Radius/Configurable.pm line 73
> 
> checked that Configurable.pm file and it appears to be doing a nice
> eval on the $_[2] parameter - this could be used by a cracker if it's
> not checked/sanitized....

Seems to be the part where the config parser processes Hooks. $_[2] is
the value for the currently processed *Hook keyword.

> now, it's not completely clear where this unchecked string is coming from
> so therefore still not sure if this could ever be a 'safe value' that couldn't
> be corrupted by someone wanting to get extra access or mess around..
> however, currently sidestepped by defining a local variable to $_[2]
> and using that in the call on line 73 .... is there a cleaner/safer
> way to operate this - I don't recall this being around in 4.7

The code for Configurable.pm seems to be identical for the two versions
so maybe perl is now more strict with these.

I added a note for this to things to check for the next version.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
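
As an added illustration of the error discussed in this thread (this is editor-supplied example code, not Radiator's Configurable.pm or anything from the project), the script below shows what Perl's taint mode does with a *Hook value that ends up in a string eval. Perl switches taint checks on by itself when the interpreter runs setuid or setgid, which is where the "while running setuid" wording comes from; running the script with perl -T reproduces the same checks without a setuid binary. The config file, its one-line parser, the file-ownership check and the untaint helper are all hypothetical stand-ins. The example shows that a value read from a file is tainted, that eval of it dies, that a plain copy into a lexical keeps the flag, and that only a regex capture clears it, which is why the capture is gated on a check of where the file came from rather than applied blindly.

```perl
#!/usr/bin/perl -T
# Added example, not Radiator's own code: how Perl's taint mode treats a
# *Hook value that reaches a string eval. Perl enables taint checks on its
# own when the interpreter runs setuid or setgid, which is why the error
# says "while running setuid"; run this as  perl -T taint_hook.pl  to get
# the same checks without a setuid binary. File layout, parser and helper
# names are hypothetical.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempfile);

# Constructed stand-in for a Radiator config file holding one hook. The
# body is harmless; what matters is that it arrives through file input.
my $config_text = "AuthHook sub { return 42 }\n";
my ($tmp, $config_path) = tempfile(UNLINK => 1);
print {$tmp} $config_text;
close $tmp;

# Tiny parser for "Keyword value" lines. It deliberately avoids capture
# groups: a successful capture would untaint $1, $2, ... and hide the
# problem, so keyword and value are cut out with substr instead.
sub read_hook {
    my ($file) = @_;
    open my $in, '<', $file or die "open $file: $!";
    while (my $line = <$in>) {              # everything read here is tainted
        chomp $line;
        next unless $line =~ /^\w*Hook\s/;  # match only, no captures
        $line =~ /\s/;
        my $sp = $-[0];                     # offset of the first blank
        return (substr($line, 0, $sp), substr($line, $sp + 1));
    }
    return;
}

# String eval of the hook. With tainted input this is the call that dies
# with "Insecure dependency in eval while running with -T switch" (or
# "... while running setuid" when taint mode came from a setuid binary).
sub compile_hook {
    my ($code) = @_;
    my $sub = eval $code;
    return ($sub, $@);
}

# Trust check on the source of the data: the config file must belong to
# the effective user or root and must not be group- or world-writable.
sub config_is_trusted {
    my ($file) = @_;
    my @st = stat $file or return 0;
    my ($mode, $uid) = @st[2, 4];
    return 0 unless $uid == $> || $uid == 0;
    return 0 if $mode & 022;
    return 1;
}

# A regex capture is the only thing that clears the taint flag. A
# catch-all pattern like this validates nothing by itself, so it is
# gated on the file check above instead of being applied blindly.
sub untaint_hook {
    my ($file, $code) = @_;
    die "refusing to untaint a hook read from untrusted file $file\n"
        unless config_is_trusted($file);
    my ($clean) = $code =~ /\A(.*)\z/s;
    return $clean;
}

my ($keyword, $hook) = read_hook($config_path)
    or die "no *Hook line found\n";
printf "%s value tainted: %s\n", $keyword, tainted($hook) ? 'yes' : 'no';

my ($sub, $err) = compile_hook($hook);
print "eval of tainted value: ", ($sub ? "compiled\n" : "died: $err");

# Copying the value into a lexical does not change anything: the taint
# flag travels with the data.
my $copy = $hook;
printf "lexical copy tainted: %s\n", tainted($copy) ? 'yes' : 'no';

my $clean = untaint_hook($config_path, $hook);
printf "after checked untaint, tainted: %s\n", tainted($clean) ? 'yes' : 'no';
($sub, $err) = compile_hook($clean);
die "unexpected: $err" unless $sub;
print "hook returns ", $sub->(), "\n";
```

The first compile_hook call fails under -T and the second succeeds, because the capture in untaint_hook is the only step that clears the flag. The ownership and mode check is the part that actually carries the security argument: a regex that accepts everything is just Perl's way of recording that somebody vouched for the data, so the vouching has to be tied to the file's provenance (owner and write permissions), not to the hook text itself.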
