Bug 8253

Summary: perl new security issue CVE-2012-5195
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, jquelin, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/527725/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Source RPM: perl-5.16.2-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2012-11-30 17:33:57 CET 
Ubuntu has issued an advisory on November 29:
http://www.ubuntu.com/usn/usn-1643-1/

It's not clear which versions are affected, but Ubuntu has a link to the upstream patch and also notes that the Debian bug has a reproducer:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5195.html

The other CVEs in the advisory include the perl-CGI vulnerability that we just fixed, as well as low severity vulnerabilities in perl-Digest and perl-Encode that only impact Mageia 1 (they were fixed upstream in the versions we have in Mageia 2).
David Walser 2012-11-30 17:34:23 CET

Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-11-30 20:16:31 CET

URL: (none) => http://lwn.net/Vulnerabilities/527725/

Comment 1 Jerome Quelin 2012-12-03 10:21:57 CET 
mageia 1 no longer supported.

Whiteboard: MGA2TOO, MGA1TOO => MGA2TOO

Comment 2 Jerome Quelin 2012-12-03 12:48:29 CET 
doesn't affect perl 5.16, so cauldron is safe.

CC: (none) => jquelin
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 3 Jerome Quelin 2012-12-03 13:11:29 CET 
fixed in perl-5.14.2-8.mga2, currently being built.
qa: please validate & push to updates.

Assignee: jquelin => qa-bugs

Comment 4 David Walser 2012-12-03 15:31:10 CET 
Thanks Jerome!

Advisory:
========================

Updated perl packages fix security vulnerability:

It was discovered that Perl's 'x' string repeat operator is vulnerable to a
heap-based buffer overflow. An attacker could use this to execute arbitrary
code (CVE-2012-5195).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195
http://www.ubuntu.com/usn/usn-1643-1/
========================

Updated packages in core/updates_testing:
========================
perl-5.14.2-8.mga2
perl-base-5.14.2-8.mga2
perl-devel-5.14.2-8.mga2
perl-doc-5.14.2-8.mga2

from perl-5.14.2-8.mga2.src.rpm
Comment 5 claire robinson 2012-12-03 20:17:57 CET 
PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689314

Before
------

$ perl -le 'print "v"x(2**31+1) ."=1"'
Segmentation fault

After
-----

$ perl -le 'print "v"x(2**31+1) ."=1"'
panic: memory wrap at -e line 1.

Whiteboard: (none) => has_procedure mga2-64-OK

Comment 6 Dave Hodgins 2012-12-03 23:00:15 CET 
Testing complete on Mageia 2 i586 and x86-64.

Unlike Comment 5, I'm getting "Out of memory", with perl-5.14.2-7.mga2,
rather then a segfault.  Same with perl-5.14.2-8.mga2.

For testing, I'm just checking that perl programs such as mgaapplet, rpmdrake,
and diskdrake are working.

Could someone from the sysadmin team push the srpm
perl-5.14.2-8.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated perl packages fix security vulnerability:

It was discovered that Perl's 'x' string repeat operator is vulnerable to a
heap-based buffer overflow. An attacker could use this to execute arbitrary
code (CVE-2012-5195).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195
http://www.ubuntu.com/usn/usn-1643-1/

https://bugs.mageia.org/show_bug.cgi?id=8253

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK

Comment 7 David Walser 2012-12-03 23:50:01 CET 
On Mageia 1, I get "Out of memory!" with the current version, and after rebuilding it with the patch.  Strange.

Anyway, I've checked the patch into Mageia 1 SVN if anyone ever wants it.
Comment 8 Thomas Backlund 2012-12-07 13:10:14 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0352

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED