Bug 11146 - perl-Module-Metadata new security issue CVE-2013-1437
Summary: perl-Module-Metadata new security issue CVE-2013-1437
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565572/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Reported: 2013-09-04 02:22 CEST by David Walser
Modified: 2014-02-25 23:18 CET (History)

See Also:
Source RPM: perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-09-04 02:22:41 CEST
Fedora has issued an advisory on August 22:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114912.html

I believe the issue is fixed upstream in 1.0.15.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Sander Lepik 2013-09-24 14:06:05 CEST
I have uploaded patched packages for Mageia 2 and 3.

1. Install perl-Module-Metadata
2. Run this command: man Module::Metadata
3. Check the DESCRIPTION (Should be this: "This module provides a standard way to gather metadata about a .pm file without executing unsafe code.")
4. Update perl-Module-Metadata from updates_testing
5. Repeat step #2 and check DESCRIPTION again. (This time it should say something like this: "This module provides a standard way to gather metadata about a .pm file through (mostly) static analysis and (some) code execution.  When determining the version of a module, the $VERSION assignment is "eval"ed, as is traditional in the CPAN toolchain.")

Suggested advisory:
========================

This update clarifies the module's documentation about the code it executes, i.e. it does "eval" a module to determine its version number. Previously it said that it did not execute unsafe code.

References:
http://lwn.net/Vulnerabilities/565572/
========================

Updated packages in core/updates_testing:
========================
perl-Module-Metadata-1.0.9-1.1.mga2
perl-Module-Metadata-1.0.11-4.1.mga3

Source RPMs:
perl-Module-Metadata-1.0.9-1.1.mga2.src.rpm
perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm
Comment 2 David Walser 2013-09-24 14:20:59 CEST
Thanks Sander!

Just making minor formatting changes to the advisory.

Suggested advisory:
========================

This update clarifies the module's documentation about the code it executes,
i.e. it does "eval" a module to determine its version number. Previously it
said that it did not execute unsafe code (CVE-2013-1437).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1437
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114912.html
========================

Updated packages in core/updates_testing:
========================
perl-Module-Metadata-1.0.9-1.1.mga2
perl-Module-Metadata-1.0.11-4.1.mga3

Source RPMs:
perl-Module-Metadata-1.0.9-1.1.mga2.src.rpm
perl-Module-Metadata-1.0.11-4.1.mga3.src.rpm
Comment 3 claire robinson 2013-09-24 16:00:30 CEST
Testing mga3 64

Module::Metadata appears to be provided by the perl package as well as
perl-Module-Metadata.

Testing with this script..

  use strict;
  use warnings;
  use Module::Metadata;

  my $file = '/usr/lib/perl5/vendor_perl/5.16.2/Config/IniFiles.pm';

  # information about a .pm file
  my $info    = Module::Metadata->new_from_file( $file );
  my $version = $info->version;

  # CPAN META 'provides' field for .pm files in a directory
  # (returns a hash reference, so printing it shows HASH(0x...))
  my $provides = Module::Metadata->provides(
    dir => 'lib', version => 2
  );

  print "$version\n";
  print "$provides\n";

Just spits out a version number and a hash, don't laugh at my perl skillz. It does so though even without perl-Module-Metadata being installed.

$ urpmq --whatprovides 'perl(Module::Metadata)'
perl-Module-Metadata|perl-Module-Metadata|perl

# urpmq --provides perl | grep Metadata
perl(Module::Metadata)[== 1.0.9]

It also appears to be providing the mga2 version in mga3. It looks like this will need to be updated too in order to close the CVE.

# urpme perl-Module-Metadata
removing perl-Module-Metadata-1.0.11-4.mga3.noarch
removing package perl-Module-Metadata-1.0.11-4.mga3.noarch
      1/1: removing perl-Module-Metadata-1.0.11-4.mga3.noarch
                                 
# man Module::Metadata

DESCRIPTION
       This module provides a standard way to gather metadata about a .pm file without executing unsafe code.
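The whole point of the documentation change is that Module::Metadata does execute the `$VERSION` assignment it finds, even though nothing ever `use`s or `require`s the module. The script below is an added example written for this bug page, not code from the bug report or from the Module::Metadata distribution; it writes a constructed `Probe.pm` to a temporary directory whose version expression sets a flag in `main::`, and then shows that `new_from_file` trips that flag. The trailing literal-only check on the raw assignment line is a constructed, conservative pre-screen for files you did not write yourself, not anything the module provides.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report): demonstrates that
# Module::Metadata evaluates the $VERSION assignment of the file it
# inspects, which is exactly what the corrected DESCRIPTION says.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Module::Metadata;

# Flag that the constructed module's $VERSION line sets as a side effect.
our $ran_during_version_eval = 0;

my $dir  = tempdir( CLEANUP => 1 );
my $file = File::Spec->catfile( $dir, 'Probe.pm' );

# Constructed module: the version is computed, not a literal, so the
# expression runs whenever something evaluates the assignment.
open my $fh, '>', $file or die "open $file: $!";
print {$fh} <<'PM';
package Probe;
our $VERSION = do { $main::ran_during_version_eval = 1; '1.02' };
1;
PM
close $fh or die "close $file: $!";

# No `use Probe` or `require` here: only metadata extraction.
my $info = Module::Metadata->new_from_file($file);

printf "version reported: %s\n", $info->version;
printf "side effect ran during version lookup: %s\n",
    $main::ran_during_version_eval ? 'yes' : 'no';   # prints "yes"

# Defensive pre-screen (constructed, not part of Module::Metadata): read the
# raw assignment line and accept only a plain quoted numeric literal before
# handing an untrusted file to new_from_file.
open my $src, '<', $file or die "open $file: $!";
my ($version_line) = grep { /^\s*(?:our\s+)?\$VERSION\s*=/ } <$src>;
close $src;
$version_line //= '';

my $is_plain_literal =
    $version_line =~ /^\s*(?:our\s+)?\$VERSION\s*=\s*(['"])[\d._]+\1\s*;/
    ? 1 : 0;
printf "version assignment is a plain literal: %s\n",
    $is_plain_literal ? 'yes' : 'no';                  # prints "no" here
```

Run it as `perl probe.pl` with perl-Module-Metadata (or the copy bundled with the perl package, as noted above) installed. The first two lines of output are the substance of CVE-2013-1437: the version is found, but only because the `do { ... }` block was executed on the way. The literal-only check is what a packager or build tool would apply before trusting a third-party `.pm` with `new_from_file`; it rejects the constructed file and accepts the usual `our $VERSION = '1.02';` form.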
Comment 4 claire robinson 2013-10-03 15:46:18 CEST
Assigning back to you David, not sure how best to handle this one. It is just updated man pages so might not be worthy of a perl update, but it does seem to need one to close the CVE.
Comment 5 David Walser 2013-10-03 15:56:08 CEST
Wrong assignee.
Comment 6 David Walser 2013-11-22 16:12:13 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Comment 7 Jerome Quelin 2014-02-24 09:50:37 CET
Sorry for the time to answer - real life kicked in quite hard.

I strongly oppose doing a perl update to mageia 3 just to change a bit of documentation in a module.

Rationale:
1- perl is a critical package, and I prefer limiting its update in mageia releases to the strict minimum
2- even more because qa is overwhelmed, and I'd rather not pile an unneeded update onto them
3- Module::Metadata is a very obscure package, that is not really used a lot (even *I* didn't know about it before this bug report)
4- if you decide to use this module, most of the time you'll do so on a safe module (that is, even eval-ing it won't cause any damage). Only modules crafted to abuse the eval-ing will be a problem, and those modules aren't legion (because of 3 above)
5- if you really care about security of a given module, you won't trust its documentation, but check the code before using it
6- finally, assigning a CVE to reword documentation is overkill to me

Therefore, I propose to close this bug as resolved/wontfix unless you provide me with very good reasons.

Note: cauldron and mageia 4 have an updated Module::Metadata (even the one shipped with core perl).
Comment 8 David Walser 2014-02-24 13:40:33 CET
Given Jerome's feedback, we can just update the external module (as it's already packaged) and say it's wontfix for perl itself.  Advisory in Comment 2 (minus the Mageia 2 package of course).
Comment 9 claire robinson 2014-02-24 17:03:14 CET
Testing complete mga3 32 & 64
Comment 10 claire robinson 2014-02-24 17:11:37 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks
Comment 11 Thomas Backlund 2014-02-25 23:18:36 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0093.html
