Bug 33029

Summary:	perl-Data-UUID new security issue CVE-2013-4184
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, herman.viaene, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	perl-Data-UUID-1.226.0-5.mga9.src.rpm	CVE:	CVE-2013-4184
Status comment:

Description Nicolas Salguero 2024-03-29 11:09:12 CET

Fedora has issued an advisory on March 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATNG5VP46SXJB2JHAI2LXPUXCYUOYPE/

Nicolas Salguero 2024-03-29 11:09:49 CET

Source RPM: (none) => perl-Data-UUID-1.226.0-5.mga9.src.rpm
CVE: (none) => CVE-2013-4184
Status comment: (none) => Fixed upstream in 1.227

Comment 1 Lewis Smith 2024-03-31 21:16:47 CEST

Thierry has just put 1.227 in Cauldron; assigning to you for M9.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2024-04-03 15:21:52 CEST

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink attacks. (CVE-2013-4184)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATNG5VP46SXJB2JHAI2LXPUXCYUOYPE/
========================

Updated package in core/updates_testing:
========================
perl-Data-UUID-1.227.0-1.mga9

from SRPM:
perl-Data-UUID-1.227.0-1.mga9.src.rpm

Status comment: Fixed upstream in 1.227 => (none)
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-04-03 19:38:52 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-04-08 17:35:40 CEST

MGA9-64 Plasma Wayland on HP-Pavillion.
No installation issues.
No previous updates, so
# urpmq --whatrequires perl-Data-UUID
gscan2pdf
gscan2pdf
perl-CHI
perl-DBIx-Class-UUIDColumns
perl-Data-GUID
and some more, so installed gscan2pdf and the sane stuff (gscan2pdf does not work without the latter)
and run
$ strace -o perluuid.txt gscan2pdf 
scan a page and check the trace file and I find a number of:
newfstatat(AT_FDCWD, "/usr/local/lib64/perl5/5.36/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/lib64/perl5/5.36/Data/UUID.pm", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/share/perl5/5.36/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/share/perl5/5.36/Data/UUID.pm", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
Should be enough as demo of wrking OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2024-04-08 19:36:25 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-04-10 06:04:50 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0117.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED