Bug 26386

Summary: Template-Toolkit 2.28 doesn't work correctly with perl 5.26 or newer
Product: Mageia Reporter: Frédéric "LpSolit" Buclin <LpSolit>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25, thierry.vignaud
Version: 7Keywords: advisory, validated_update
Target Milestone: Mageia 7   
Hardware: All   
OS: Linux   
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=1625554
Whiteboard: MGA7-64-OK
Source RPM: perl-Template-Toolkit-2.280.0-1.mga7.src.rpm CVE:
Status comment:
Attachments: Fix taint issue in Template/Provider.pm

Description Frédéric "LpSolit" Buclin 2020-03-28 13:20:02 CET 
Created attachment 11566 [details]
Fix taint issue in Template/Provider.pm

As reported upstream [1] (and first discovered by the GCC team [2]), Bugzilla doesn't work correctly when used with the 2.x version of Template-Toolkit on newer versions of perl (2.26 and newer). Upgrading to version 3.000 or higher fixes the problem. As reported on github [3], TT 3 has a taint issue, and so a trivial fix is needed to stop filling the web server log. I attached a patch which fixes the problem.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1625554
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94349
[3] https://github.com/abw/Template2/issues/258
David Walser 2020-03-28 16:04:11 CET

Assignee: bugsquad => shlomif
CC: (none) => thierry.vignaud

Comment 1 Frédéric "LpSolit" Buclin 2020-03-31 12:34:50 CEST 
I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for that! Meanwhile, 3.008 has been released which fixes this taint issue, and it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so that we don't need our own hack anymore?
Comment 2 Shlomi Fish 2020-03-31 14:39:18 CEST 
(In reply to Frédéric "LpSolit" Buclin from comment #1)
> I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for
> that! Meanwhile, 3.008 has been released which fixes this taint issue, and
> it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so
> that we don't need our own hack anymore?

built 3.008 for 7/updates-testing, thanks! http://pkgsubmit.mageia.org/ .
Comment 3 Shlomi Fish 2020-07-01 17:59:14 CEST 
(In reply to Shlomi Fish from comment #2)
> (In reply to Frédéric "LpSolit" Buclin from comment #1)
> > I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for
> > that! Meanwhile, 3.008 has been released which fixes this taint issue, and
> > it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so
> > that we don't need our own hack anymore?
> 
> built 3.008 for 7/updates-testing, thanks! http://pkgsubmit.mageia.org/ .

Assigning to QA. Note that there are reverse deps to test using:

```
#! /bin/bash
#
# test.bash
#
# derived from https://github.com/metacpan/metacpan-api/blob/master/docs/API-docs.md
# Shlomi Fish puts his changes under CC-Zero.
#



curl -XPOST https://fastapi.metacpan.org/v1/release/_search -d '{
  "size": 5000,
  "fields": [ "distribution" ],
  "filter": {
    "and": [
      { "term": { "dependency.module": "Template" } },
      { "term": {"maturity": "released"} },
      { "term": {"status": "latest"} }
    ]
  }
}'
```

Assignee: shlomif => qa-bugs

Comment 4 Herman Viaene 2020-07-03 11:14:39 CEST 
Found perl-Template-Toolkit 3.8.0 on the updates testing, installed it with no apparent setbacks when installing a few extra packages for Libreoffice.
Is that what this is all about???

CC: (none) => herman.viaene

Comment 5 Frédéric "LpSolit" Buclin 2020-07-03 21:29:40 CEST 
Tested on Mageia 7 with Bugzilla 5.0.4 and 5.1.2. Problem fixed.
Comment 6 Len Lawrence 2020-07-15 21:10:20 CEST 
Looks like this should be cleared.  Adding the OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-07-15 22:56:39 CEST 
Validating. Some advisory information in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2020-07-31 11:48:48 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-01 01:27:16 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0157.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED