Bug 4182

Summary: perl new security issues CVE-2011-2939 and CVE-2011-3597
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, fundawang, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: perl-5.12.3-4.mga1.src.rpm CVE:
Status comment:
Attachments: Test script for CVE-2011-3597

Description David Walser 2012-01-18 17:18:11 CET 
Mandriva issued this advisory today (January 18):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:008

MDV 2011 has the same version of Perl as Mageia 1 and their update includes patches for these issues.

We also have an update candidate in updates_testing with fixes for CVE-2011-3507 and CVE-2011-2939, but there doesn't appear to have been a bug filed for it yet.
David Walser 2012-01-18 17:18:37 CET

CC: (none) => fundawang

Comment 1 David Walser 2012-01-18 17:25:26 CET 
It appears the update candidate addresses the issues for this bug, and the 3507 in the changelog is a typo.  (3507 is for oracle sun products suite, 3597 is for perl).  Hopefully it can be re-built fixing the changelog.  Other than that it is ready for testing pending confirmation from Funda Wang who built it.
Comment 2 Funda Wang 2012-01-18 17:52:26 CET 
Yes, I've updated the patch name. Pleas test it.

And, for CVE-2011-3597, please update perl-Digest-1.160.0-2.1.mga1.noarch.rpm also.
D Morgan 2012-01-22 19:56:16 CET

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2012-01-24 19:09:14 CET 
Funda can you supply an update advisory please. Thanks.
Comment 4 Dave Hodgins 2012-01-24 22:36:59 CET 
Created attachment 1425 [details]
Test script for CVE-2011-3597

Script from https://rt.cpan.org/Public/Bug/Display.html?id=71390#txn-983600

Before updating ...
./test.py
I own you
Can't locate object method "new" via package "Digest::MD5;print qq[I own you\n]" at /usr/lib/perl5/5.12.3/Digest.pm line 44.

After updating ...
./test.py
Can't locate Digest/MD5;print qq[I own you\n].pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.12.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.12.3 /usr/lib/perl5/vendor_perl/5.12.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.12.3 /usr/lib/perl5/5.12.3/i386-linux-thread-multi /usr/lib/perl5/5.12.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.12.2 /usr/lib/perl5/vendor_perl/5.12.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/vendor_perl/5.12.3/Digest.pm line 40

Testing of the digest complete on i586.
Dave Hodgins 2012-01-24 22:37:37 CET

Attachment 1425 mime type: application/octet-stream => text/plain

Comment 5 David Walser 2012-01-25 15:39:41 CET 
Advisory:
========================

Updated perl packages fix security vulnerabilities:

Off-by-one error in the decode_xs function in Unicode/Unicode.xs
in the Encode module before 2.44, as used in Perl before 5.15.6,
might allow context-dependent attackers to cause a denial of service
(memory corruption) via a crafted Unicode string, which triggers a
heap-based buffer overflow (CVE-2011-2939).

Eval injection in the Digest module before 1.17 for Perl allows
context-dependent attackers to execute arbitrary commands via the
new constructor (CVE-2011-3597).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:008
========================

Updated packages in core/updates_testing:
========================
perl-5.12.3-4.2.mga1
perl-Digest-1.160.0-2.1.mga1
perl-base-5.12.3-4.2.mga1
perl-devel-5.12.3-4.2.mga1
perl-doc-5.12.3-4.2.mga1

from SRPMS:
perl-5.12.3-4.2.mga1.src.rpm
perl-Digest-1.160.0-2.1.mga1.src.rpm
Comment 6 Dave Hodgins 2012-01-28 03:52:48 CET 
We still need confirmation of testing on x86-64 for this security update.

CC: (none) => davidwhodgins

Comment 7 claire robinson 2012-01-28 12:21:17 CET 
Testing complete x86_64 with script from comment 4 and rpmdrake.

There are other perl SRPM's in updates_testing, are they part of this update or just missing bug reports?

Update validated.

Please see comment 5 for advisory & srpm's.


Could sysadmin please push to update, thankyou!  Maybe wait for confirmation of srpm's before pushing, but this is a security update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 8 David Walser 2012-01-28 12:37:15 CET 
I can confirm that the other perl packages are not related to this.

perl-Gtk2-MozEmbed says "Rebuild against New xulrunner" from dmorgan.  It looks like it should have been pushed with last xulrunner/firefox update.

perl-PAR says "add upstream patch to fix CVE-2011-5060" from Funda Wang.

perl-PAR-Packer says "add upstream patch to fix CVE-2011-4114" from Funda Wang.
Comment 9 claire robinson 2012-01-28 12:57:54 CET 
Thanks David :)
Comment 10 David Walser 2012-01-28 12:58:42 CET 
Bug 4313 filed for perl PAR module issues.
Comment 11 Thomas Backlund 2012-01-28 17:18:54 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED