| Summary: | perl-Catalyst-Plugin-Static-Simple new security issue CVE-2017-16248 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, marja11, shlomif, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | perl-Catalyst-Plugin-Static-Simple-0.330.0-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser
2017-11-17 17:56:15 CET

David Walser
2017-11-17 17:56:22 CET
Whiteboard: (none) => MGA5TOO

Assigning to the registered perl-Catalyst-Plugin-Static-Simple maintainer.
Assignee: bugsquad => shlomif

Hi. Updated RPMs pushed to updates_testing for MGA5 and MGA6.
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6
CC: (none) => smelror

Advisory:
========================
Updated perl-Catalyst-Plugin-Static-Simple package fixes security vulnerability:

The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character (CVE-2017-16248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16248
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQDGCD7A4CTB5OSIWPDU522DPCUK6W6P/
========================

Updated packages in core/updates_testing:
========================
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6

from SRPMS:
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.src.rpm
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6.src.rpm
CC: (none) => shlomif
shlomif Looking at M6/64
$ urpmq --whatrequires-recursive perl-Catalyst-Plugin-Static-Simple
mga-mirrors "Mageia Mirrors management"
+ various perl-somethings.
mga-mirrors (I was surprised to have to install it, pulled in >60 pkgs) includes the following programs (+ a few backends):
/usr/bin/check_mirror [No man page or -h help]
/usr/bin/mga_mirrors_server.pl Catalyst Testserver
/usr/bin/mga_mirrors_test.pl Catalyst Test
/var/www/cgi-bin/mga_mirrors_cgi.pl
/usr/share/doc/mga-mirrors/README [from 2011] says just:
"Run script/mga_mirrors_server.pl to test the application."
$ mga_mirrors_server.pl
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP
has been removed in this version of Catalyst.
Please update your application's scripts with:
catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/Model/Mirrors.pm line 28."Compilation failed in require at /usr/bin/mga_mirrors_server.pl line 66.
$ mga_mirrors_test.pl
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Test.pm line 155.
BEGIN failed--compilation aborted at /usr/bin/mga_mirrors_test.pl line 9.
# check_mirror
DBI connect('host=pgsql;dbname=mirrors','mirrors',...) failed: could not translate host name "pgsql" to address: Name or service not known at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 51.
Can't call method "prepare" on an undefined value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 225.
Where this got "pgsql" [Postgres] from...
Clearly we need some advice to try this path; unless there is another.
---------------------------------------------------------------------
The actual bug is clear enough:
"The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character."
and the one-line correction to lib/Catalyst/Plugin/Static/Simple.pm in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880458
- if ( $path =~ /.*\.(\S{1,})$/xms ) {
+ if ( $path =~ /\.([^\/\\]+)$/m ) {
explained:
"instead of matching one or more non-space characters between a
dot (including "/") and the end of the path, match one or more characters
different from "/" and "\" between a dot and the end of the path."
I would be prepared to let this out just on this basis if we can show this change is in the update.
CC: (none) => lewyssmith

Another go M6/64
# mga_mirrors_test.pl [better]
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
Usage:
mga_mirrors_test.pl [options] uri
Examples:
mga_mirrors_test.pl http://localhost/some_action
mga_mirrors_test.pl /some_action
See also:
perldoc Catalyst::Manual
perldoc Catalyst::Manual::Intro
# mga_mirrors_server.pl [similar to above]
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP
has been removed in this version of Catalyst.
Please update your application's scripts with:
catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
failed to listen to port 8080: Address already in use at /usr/lib/perl5/vendor_perl/5.22.2/HTTP/Server/PSGI.pm line 94.
Testing M6/64 empirically
Since the correction is Perl semantic, I tried the change independently. It should show its efficacity anyway.
BEFORE the regular expression update:
$ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /.*\.(\S{1,})$/xms) {print $& };'
dir.name/file.sfx
Shows the error (suffix taken as the entire pathname).
AFTER the regular expression update:
$ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /\.([^\/\\]+)$/m) {print $& };'
.sfx
Shows the correct result (suffix only).
After applying the update, the results were (of course) the same.
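Added example (not from this bug report or the module's own code) extending the one-liner above to the decision the plugin makes: each sample path is run through the pre-0.34 test and the patched test, and a match means the request would be treated as a static file. The path list is constructed; only the extension check from the patch is modelled, not the rest of the plugin.

```perl
#!/usr/bin/perl
# Added example: compare the two extension checks quoted from the Debian
# bug on sample request paths. The old test flags any path containing a
# '.', the patched one only paths whose last component contains a '.'.
use strict;
use warnings;

# Pre-0.34 test from Simple.pm, and the corrected one from the patch.
my $old_re = qr/.*\.(\S{1,})$/xms;
my $new_re = qr/\.([^\/\\]+)$/m;

# Constructed sample paths. Only the last two have a '.' in the filename
# itself; the first two have a '.' only in a directory name.
my @paths = (
    'dir.name/file',
    '.hidden/config',
    'css/style.css',
    'images/a.b/logo.png',
);

# Returns how a given check classifies the path, with the captured "extension".
sub classify {
    my ($path, $re) = @_;
    return $path =~ $re ? "static (ext '$1')" : 'dynamic';
}

for my $p (@paths) {
    printf "%-22s old: %-28s new: %s\n",
        $p, classify($p, $old_re), classify($p, $new_re);
}
```

With the old test, `dir.name/file` and `.hidden/config` come out as static with "extensions" of `name/file` and `hidden/config`; with the patched test both are dynamic, and only the two real assets match.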
> I would be prepared to let this out just on this basis if we can show this
> change is in the update.

Seconded.

Lewis Smith
2017-11-25 20:43:47 CET
Keywords: (none) => advisory

MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
I haven't a clue what those commands are about in Comment 6. Do those commands go on one line? Whatever I try, all I get is a ">" prompt.
CC: (none) => herman.viaene

@Lewis, re comment 6. Great sideways thinking man. I had looked at this offline some time ago but got nowhere. Your suggestion is what Claire recommended on another bug - diff the source code to see that the patch had been applied. Cannot remember how but it probably requires a git checkout of the relevant sources for a start. Not going to be around today but shall chase it up tomorrow.
CC: (none) => tarazed25

@Herman re comment 7. The commands do work. It helps to stretch the width of your terminal to accommodate the whole string. The commands are simply running a line of perl code using the -e switch. If you copy the inline commands to a file it still works: test.pl contains the second example from comment 6.
$x = "dir.name/file.sfx"; if ($x =~ /\.([^\/\\]+)$/m) {print $& };
$ perl test.pl
.sfx$

I got confused, I suspected the commands in Comment 6 had an overflow to the next line. But I can confirm they work as explained above.
@Lewis If you decide that your 64 testing is OK, please then fill the OK for 32 as well.

@Lewis. re comment 6. Correction, Claire passed on some advice in a thread on QAD. You click the RPM field on madb against the particular update which takes you to a page where you can select the relevant source RPM and click on [diff] which should display the changes between pre and post updates. It does not work very well in practice at the moment - just goes into an endless "connecting" loop. The server must be busy.

It connected eventually and output a couple of lines. One was something about a unified diff but displayed nothing. Not sure what to make of that. I have asked Claire to take a look.

Watch out, update! Since http://madb.mageia.org/rpm/diff/application/0/name/perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.noarch.rpm/source/0/release/5/arch/i586/t_media/5 is not responding, I downloaded both of the srpms. Installed the first one, renamed /root/rpmbuild to /root/rpmbuild320. Installed the first one, renamed /root/rpmbuild to /root/rpmbuild340. Expanded the two source files with tar -xf, then used kdiff3 to compare the files from both srpms. Confirmed the expected change is in lib/Catalyst/Plugin/Static/Simple.pm
Repeated for Mageia 6, with 330 for the release version.
Validating the update.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0439.html
Resolution: (none) => FIXED