Bug 29878

Summary: perl-CPAN new security issue CVE-2020-16156
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: perl-CPAN-2.280.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-01-12 15:49:37 CET 
Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/

The issue is fixed upstream in 2.29.
David Walser 2022-01-12 15:49:51 CET

Status comment: (none) => Fixed upstream in 2.29

Comment 1 Nicolas Lécureuil 2022-01-12 22:42:05 CET 
New version pushed in mga8:

src:
    - perl-CPAN-2.290.0-1.mga8

Assignee: thierry.vignaud => qa-bugs
Status comment: Fixed upstream in 2.29 => (none)
CC: (none) => mageia

Comment 2 Herman Viaene 2022-01-13 15:11:51 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous update on this so, ventured into its command

$ cpan-2.29 
Sorry, we have to rerun the configuration dialog for CPAN.pm due to
some missing parameters. Configuration will be written to
 <</home/tester8/.local/share/.XCPANCONFIGNAMEX/CPAN/MyConfig.pm>>


CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.

Would you like to configure as much as possible automatically? [yes] 

Perl site library directory "/usr/local/share/perl5/5.32" does not exist.
Perl site library directory "/usr/local/share/perl5/5.32" could not been created: .
Perl site library directory "/usr/local/lib64/perl5/5.32" does not exist.
Perl site library directory "/usr/local/lib64/perl5/5.32" could not been created: .
 <install_help>

Warning: You do not have write permission for Perl library directories.

To install modules, you need to configure a local Perl library directory or
escalate your privileges.  CPAN can help you by bootstrapping the local::lib
module or by configuring itself to use 'sudo' (if available).  You may also
resolve this problem manually if you need to customize your setup.

What approach do you want?  (Choose 'local::lib', 'sudo' or 'manual')
 [local::lib] 

We initialized your 'urllist' to https://cpan.org/. Type 'o conf init urllist' to change it.

Autoconfiguration complete.

Attempting to bootstrap local::lib...

Writing /home/tester8/.local/share/.XCPANCONFIGNAMEX/CPAN/MyConfig.pm for bootstrap...
commit: wrote '/home/tester8/.local/share/.XCPANCONFIGNAMEX/CPAN/MyConfig.pm'
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
Reading '/home/tester8/.local/share/.XCPANCONFIGNAMEX/sources/authors/01mailrc.txt.gz'
............................................................................DONE
Fetching with HTTP::Tiny:
and load more feched...... then
local::lib is installed. You must now add the following environment variables
to your shell configuration files (or registry, if you are on Windows) and
then restart your command line shell and CPAN before installing modules:

PATH="/home/tester8/perl5/bin${PATH:+:${PATH}}"; export PATH;
PERL5LIB="/home/tester8/perl5/lib/perl5${PERL5LIB:+:${PERL5LIB}}"; export PERL5LIB;
PERL_LOCAL_LIB_ROOT="/home/tester8/perl5${PERL_LOCAL_LIB_ROOT:+:${PERL_LOCAL_LIB_ROOT}}"; export PERL_LOCAL_LIB_ROOT;
PERL_MB_OPT="--install_base \"/home/tester8/perl5\""; export PERL_MB_OPT;
PERL_MM_OPT="INSTALL_BASE=/home/tester8/perl5"; export PERL_MM_OPT;

Would you like me to append that to /home/tester8/.bashrc now? [yes] no


commit: wrote '/home/tester8/.local/share/.XCPANCONFIGNAMEX/CPAN/MyConfig.pm'

You can re-run configuration any time with 'o conf init' in the CPAN shell
Terminal does not support AddHistory.

To fix that, maybe try>  install Term::ReadLine::Perl


cpan shell -- CPAN exploration and modules installation (v2.29)
Enter 'h' for help.

cpan[1]> h

Display Information                                                  (ver 2.29)
 command  argument          description
 a,b,d,m  WORD or /REGEXP/  about authors, bundles, distributions, modules
 i        WORD or /REGEXP/  about any of the above
 ls       AUTHOR or GLOB    about files in the author's directory
    (with WORD being a module, bundle or author name or a distribution
    name of the form AUTHOR/DISTRIBUTION)

Download, Test, Make, Install...
 get      download                     clean    make clean
 make     make (implies get)           look     open subshell in dist directory
 test     make test (implies make)     readme   display these README files
 install  make install (implies test)  perldoc  display POD documentati
and more ......
Went no further since not really knowing what to expect.
OK'ing unless someone else has a better idea

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-01-13 21:21:43 CET 
Looks like it's working to me, Herman. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-14 22:28:30 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-01-15 09:11:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0018.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED