| Summary: | perl-Plack new security issue CVE-2014-5269 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | jquelin, mageia, olchal, qa-bugs, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/609960/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK advisory | ||
| Source RPM: | perl-Plack-1.3.0-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2014-08-29 17:44:04 CEST

David Walser 2014-08-29 17:44:19 CEST
CC: (none) => mageia

Fixed in cauldron (awaiting freeze push exemption).

I've updated to the latest version in mga3 & mga4, since the patch doesn't apply cleanly due to the old version (web frameworks are a rapidly moving target). Submitted packages in core/updates_testing:
- perl-Plack-1.3.100-1.mga3
- perl-Plack-1.3.100-1.mga4

==> this fails, since they require more recent versions of other perl modules (Apache::LogFormat::Compiler, File::ShareDir::Install)...

What do you recommend? Update those deps also, struggle to try to apply the patch (but I won't have the time to do it quickly), other?
CC: (none) => jquelin

If you're asking QA whether we'd prefer you to create more work for us or for yourself, then the answer is likely going to be the latter ;)

Actually it is policy though to patch where practical, Jerome, this being one of the reasons behind the policy.
https://wiki.mageia.org/en/Updates_policy

I'm adding the feedback marker for now until there is something here for us to test.
Version: Cauldron => 4

Jerome, if updating the perl modules wouldn't hurt anything (as is usually the case), that would be fine. Ultimately, whichever solution is easier for you is best.

David Walser 2014-10-02 14:49:39 CEST
CC: (none) => qa-bugs

I have uploaded patched packages for Mageia 3 and 4. I'm not sure how to test it as there is no known POC. What I did is that I first patched in the added test and checked that the build failed. I then also patched in the fix and now the build was successful.

Suggested advisory:
========================
Updated perl-Plack package fixes the following security issue:

- Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446

Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee3

References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
========================

Updated packages in core/updates_testing:
========================
perl-Plack-1.1.400-2.1.mga3.noarch
perl-Plack-1.2.900-2.1.mga4.noarch

Source RPMs:
perl-Plack-1.1.400-2.1.mga3.src.rpm
perl-Plack-1.2.900-2.1.mga4.src.rpm
Hardware: i586 => All

Thanks for the details Sander! Given what you said about the testcase, the QA team shouldn't have to do more than test installing it.

I would write the advisory as follows.

Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (CVE-2014-5269).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5269
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137115.html
Testing on Mageia4-64 real HW

With current package:
--------------------
perl-Plack-1.2.900-2.mga4.noarch

Tested with a simple perl plack script found on the web:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal PSGI app: every request gets a 200 page showing the current time.
my $app = sub {
    return [
        '200',
        [ 'Content-Type' => 'text/html' ],
        [ scalar localtime ],
    ];
};

# A .psgi file must evaluate to the app code reference for plackup.
$app;
```

Saved as testplack.psgi

In terminal:
$ plackup testplack.psgi

In browser, went to: http://localhost:5000/
Page displayed current time which I could update by reloading the page.
Ctrl-C in terminal to stop.

Update to testing package:
-------------------------
perl-Plack-1.2.900-2.1.mga4.noarch

Installation OK, could run same script.
All OK
CC:
(none) => olchal

Well done Olivier. Testing complete mga3 32 using this procedure.
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Tested on Mageia3-64 real hardware

Current package:
- perl-Plack-1.1.400-2.mga3.noarch

Update testing package:
- perl-Plack-1.1.400-2.1.mga3.noarch

All OK
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK

Validating, advisory uploaded.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0486.html
Status: NEW => RESOLVED
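The QA test above only confirms that the updated package installs and that plackup still runs; it does not exercise the trailing-slash handling the advisory describes. The following script is an added example, not part of this bug report nor of the Plack project: a small Plack::Test regression check that a QA tester could run against a fixed perl-Plack to confirm that Plack::App::File no longer serves a file when the request path carries a trailing slash. It assumes Plack::App::File and Plack::Test (shipped with Plack) and HTTP::Request::Common (from HTTP::Message, a Plack dependency) are installed; the document root and the file hello.txt are constructed fixtures created in a temporary directory.

```perl
#!/usr/bin/perl
# Added regression check for the CVE-2014-5269 behaviour (not from the bug
# report or the Plack project): a path with a trailing slash must no longer
# resolve to the file of the same name.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Plack::App::File;
use Plack::Test;
use HTTP::Request::Common;

# Constructed fixture: a throw-away document root containing one file.
my $root = tempdir(CLEANUP => 1);
my $file = File::Spec->catfile($root, 'hello.txt');
open my $fh, '>', $file or die "cannot write $file: $!";
print $fh "hello\n";
close $fh or die "cannot close $file: $!";

# Plack::App::File is what Plack::Middleware::Static delegates to, so
# testing it directly covers the Static pattern named in the advisory.
my $app = Plack::App::File->new(root => $root)->to_app;

# Each check: request path, expected HTTP status, and why it is there.
my @checks = (
    [ '/hello.txt',   200, 'plain path is still served'                   ],
    [ '/hello.txt/',  404, 'trailing slash must not be stripped (the fix)' ],
    [ '/missing.txt', 404, 'baseline: unknown file'                       ],
);

my $failed = 0;
test_psgi $app, sub {
    my $cb = shift;
    for my $check (@checks) {
        my ($path, $want, $why) = @$check;
        my $got = $cb->(GET $path)->code;
        my $ok  = $got == $want ? 'ok  ' : 'FAIL';
        $failed++ unless $got == $want;
        printf "%s GET %-13s -> %d (expected %d): %s\n",
            $ok, $path, $got, $want, $why;
    }
};

# Exit non-zero if the unfixed behaviour (200 for "/hello.txt/") shows up,
# so the script can be used as a pass/fail step in an update test procedure.
exit($failed ? 1 : 0);
```

Run it once with the current package and once after installing the testing package: the unpatched perl-Plack-1.2.900-2.mga4 / 1.1.400-2.mga3 is expected to answer 200 for /hello.txt/, the patched 2.1 builds 404.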