Bug 11146

Summary: perl-Module-Metadata new security issue CVE-2013-1437
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jquelin, mageia, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/565572/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-04 02:22:41 CEST 
Fedora has issued an advisory on August 22:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114912.html

I believe the issue is fixed upstream in 1.0.15.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-04 02:22:54 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Sander Lepik 2013-09-24 14:06:05 CEST 
I have uploaded patched packages for Mageia 2 and 3.

1. Install perl-Module-Metadata
2. Run this command: man Module::Metadata
3. Check the DESCRIPTION (Should be this: "This module provides a standard way to gather metadata about a .pm file without executing unsafe code.")
4. Update perl-Module-Metadata from updates_testing
5. Repeat step #2 and check DESCRIPTION again. (This time it should say something like this: "This module provides a standard way to gather metadata about a .pm file through (mostly) static analysis and (some) code execution.  When determining the version of a module, the $VERSION assignment is "eval"ed, as is traditional in the CPAN toolchain.")

Suggested advisory:
========================

This update clarifies the module's documentation about the code it executes, i.e. it does "eval" a module to determine its version number. Previously it said that it did not execute unsafe code.

References:
http://lwn.net/Vulnerabilities/565572/
========================

Updated packages in core/updates_testing:
========================
perl-Module-Metadata-1.0.9-1.1.mga2
perl-Module-Metadata-1.0.11-4.1.mga3

Source RPMs:
perl-Module-Metadata-1.0.9-1.1.mga2.src.rpm
perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm

CC: (none) => mageia
Hardware: i586 => All
Version: Cauldron => 3
Assignee: jquelin => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO has_procedure

Comment 2 David Walser 2013-09-24 14:20:59 CEST 
Thanks Sander!

Just making minor formatting changes to the advisory.

Suggested advisory:
========================

This update clarifies the module's documentation about the code it executes,
i.e. it does "eval" a module to determine its version number. Previously it
said that it did not execute unsafe code (CVE-2013-1437).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1437
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114912.html
========================

Updated packages in core/updates_testing:
========================
perl-Module-Metadata-1.0.9-1.1.mga2
perl-Module-Metadata-1.0.11-4.1.mga3

Source RPMs:
perl-Module-Metadata-1.0.9-1.1.mga2.src.rpm
perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm
Comment 3 claire robinson 2013-09-24 16:00:30 CEST 
Testing mga3 64

Module::Metadata appears to be provided by perl package aswell as 
perl-Module-Metadata.

Testing with this script..

 use Module::Metadata;

  my $file = '/usr/lib/perl5/vendor_perl/5.16.2/Config/IniFiles.pm';

  # information about a .pm file
  my $info = Module::Metadata->new_from_file( $file );
  my $version = $info->version;

  # CPAN META 'provides' field for .pm files in a directory
  my $provides = Module::Metadata->provides(
    dir => 'lib', version => 2
  );

  print "$version\n";
  print "$provides\n";

Just spits out a version number and a hash, don't laugh at my perl skillz. It does so though even without perl-Module-Metadata being installed.

$ urpmq --whatprovides 'perl(Module::Metadata)'
perl-Module-Metadata|perl-Module-Metadata|perl

# urpmq --provides perl | grep Metadata
perl(Module::Metadata)[== 1.0.9]

It also appears to be providing the mga2 version in mga3. It looks like this will need to be updated too in order to close the CVE.

# urpme perl-Module-Metadata
removing perl-Module-Metadata-1.0.11-4.mga3.noarch
removing package perl-Module-Metadata-1.0.11-4.mga3.noarch
      1/1: removing perl-Module-Metadata-1.0.11-4.mga3.noarch
                                 
# man Module::Metadata

DESCRIPTION
       This module provides a standard way to gather metadata about a .pm file without executing unsafe code.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure feedback

Comment 4 claire robinson 2013-10-03 15:46:18 CEST 
Assigning back to you David, not sure how best to handle this one. It is just updated man pages so might not be worthy of a perl update, but it does seem to need one to close the CVE.

CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser

Comment 5 David Walser 2013-10-03 15:56:08 CEST 
Wrong assignee.

Assignee: luigiwalser => jquelin

Comment 6 David Walser 2013-11-22 16:12:13 CET 
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA2TOO has_procedure feedback => has_procedure feedback

Comment 7 Jerome Quelin 2014-02-24 09:50:37 CET 
Sorry for the time to answer - real life kicked in quite hard.

I strongly oppose to doing a perl update to mageia 3 just to change a bit of documentation in a module.

Rationale:
1- perl is a critical package, and I prefer limiting its update in mageia releases to the strict minimum
2- even more because qa is overwhelmed, and I'd rather not pile an uneeded update onto them
3- Module::Metadata is a very obscure package, that is not really used a lot (evn *I* didn't know about it before this bug report)
4- if you decide to use this module, most of the time you'll do on a safe module (that is, even eval-ing it won't cause any damage). Only modules crafted to abuse the eval-ing will be a problem, and those modules aren't legion (because of 3 above)
5- if you really care about security of a given module, you won't trust its documentation, but check the code before using it
6- finally, assigning a CVE to reword documentation is overkill to me

Therefore, I propose to clsoe this bug as resolved/wontfix unless you provide me with very good reasons.

Note: cauldron and mageia 4 have an updated Module::Metadata (even the one shipped with core perl).

Keywords: (none) => NEEDINFO
CC: (none) => jquelin

Comment 8 David Walser 2014-02-24 13:40:33 CET 
Given Jerome's feedback, we can just update the external module (as it's already packaged) and say it's wontfix for perl itself.  Advisory in Comment 2 (minus the Mageia 2 package of course).

Keywords: NEEDINFO => (none)
CC: qa-bugs => (none)
Assignee: jquelin => qa-bugs
Whiteboard: has_procedure feedback => has_procedure

Comment 9 claire robinson 2014-02-24 17:03:14 CET 
Testing complete mga3 32 & 64

Source RPM: perl-Module-Metadata-1.0.14-1.mga4.src.rpm => perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm
Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok

Comment 10 claire robinson 2014-02-24 17:11:37 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2014-02-25 23:18:36 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0093.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED