| Summary: | perl-Cpanel-JSON-XS new security issue fixed upstream in 4.34 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | perl-Cpanel-JSON-XS-4.250.0-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2023-03-14 02:05:02 CET

David Walser
2023-03-14 02:05:15 CET
Status comment: (none) => Fixed upstream in 4.34

Cauldron already has 4.34, but note Luigi's remark about 4.35. Assigning to tv who did the 4.34 (& earlier) update(s).
Assignee: bugsquad => thierry.vignaud

Suggested advisory:
========================

The updated package fixes some bugs including a security vulnerability:

Decoding hash keys without ending ':'.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSD3O3LQSW7QZLM33RFCIW3TFNXLB7QD/
========================

Updated package in core/updates_testing:
========================
perl-Cpanel-JSON-XS-4.350.0-1.mga8

from SRPM:
perl-Cpanel-JSON-XS-4.350.0-1.mga8.src.rpm
CC: (none) => nicolas.salguero

Note that this is still pending a freeze move in Cauldron.

Mageia8, x86_64
$ urpmq --whatrequires perl-Cpanel-JSON-XS
perl-App-SerializeUtils
perl-Cpanel-JSON-XS
perl-Search-Elasticsearch
There is also a user tool cpanel_json_xs.
cpanel_json_xs [-v] [-f inputformat] [-t outputformat]
Picked a configuration file at random from Stellarium data:
$ cpanel_json_xs <defaultStarsConfig.json >testfile
The conversion was effected but as is usual with JSON data you have to look closely in some places to see it.
$ cat defaultStarsConfig.json
{
"version": 12,
"hipSpectralFile": "stars_hip_sp_0v0_4.cat",
[...]
"url": "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat",
"checksum": "9e2e362022824c60d7e4d94ef8c3af12",
"checked": false
}
]
}
$ cat testfile
{
"catalogs" : [
{
"checked" : true,
"checksum" : "f29bcdca4ef0e945988ff609f7fa9e6a",
[...]
"sizeMb" : 534,
"url" : "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat"
}
],
"hipComponentsIdsFile" : "stars_hip_cids_0v0_0.cat",
"hipSpectralFile" : "stars_hip_sp_0v0_4.cat",
"version" : 12
}
Updated from version 4.250.
Removed testfile and ran the same command.
testfile looked identical to the earlier one.
A bit late in the day tested the security issue by removing two of the : characters from hash keys in the first two stanzas of the catalog section.
{
"id": "stars0",
"fileName": "stars_0_0v0_8.cat",
-> "count" 0.005,
"magRange": [-2, 6],
"sizeMb": 0.1,
"checksum": "f29bcdca4ef0e945988ff609f7fa9e6a",
"checked": true
},
{
"id": "stars1",
"fileName": "stars_1_0v0_8.cat",
"count": 0.022,
-> "magRange" [6, 7.5],
"sizeMb": 0.6,
"checksum": "cdffa5b38b1de9eb53272176921861d2",
"checked": true
},
Running the command again produced an error.
$ cpanel_json_xs <defaultStarsConfig.json >testfile2
':' expected, at character offset 203 (before "0.005,\n\t\t\t"magRa...") at /usr/bin/cpanel_json_xs line 219, <STDIN> line 1.
Giving this an OK.
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 2.
Keywords: (none) => validated_update
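The manual check above (a hash key whose ':' has been removed must make the decoder fail) can be scripted against the installed module so it is repeatable on later updates. This is an added example, not part of the bug report or of the Cpanel-JSON-XS project; it assumes Cpanel::JSON::XS 4.34 or later is installed, and the JSON stanzas are constructed samples modelled on the Stellarium catalog entries.

```perl
#!/usr/bin/perl
# Added example: regression check for the "hash key without ending ':'"
# issue fixed in Cpanel-JSON-XS 4.34. Assumes the module is installed.
use strict;
use warnings;
use Cpanel::JSON::XS;

my $json = Cpanel::JSON::XS->new->canonical;

# Constructed sample: a well-formed stanza like a Stellarium catalog entry.
my $good = <<'JSON';
{"id": "stars0", "fileName": "stars_0_0v0_8.cat", "count": 0.005, "checked": true}
JSON

# The same document with the ':' after "count" removed, as in the manual test.
my $bad = <<'JSON';
{"id": "stars0", "fileName": "stars_0_0v0_8.cat", "count" 0.005, "checked": true}
JSON

# Returns "ok" when $text decodes, otherwise the decoder's error message.
sub try_decode {
    my ($text) = @_;
    my $data = eval { $json->decode($text) };
    return $@ ? "error: $@" : "ok";
}

my $well_formed = try_decode($good);
my $malformed   = try_decode($bad);

print "well-formed input: $well_formed\n";
print "malformed input:   $malformed\n";

# A fixed build must reject the malformed key with the "':' expected" error
# seen in the manual test; the advisory describes the pre-4.34 behaviour as
# decoding such keys instead of rejecting them.
if ($well_formed eq 'ok' && $malformed =~ /':' expected/) {
    print "PASS: hash key without ':' is rejected\n";
    exit 0;
}
print "FAIL: decoder did not reject a hash key without ':'\n";
exit 1;
```

Run it as `perl check_colon.pl`; exit status 0 means the installed package behaves as the fixed version should.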
Dave Hodgins
2023-03-29 15:39:17 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0119.html
Status: ASSIGNED => RESOLVED