Mageia Bugzilla – Bug 11146
perl-Module-Metadata new security issue CVE-2013-1437
Last modified: 2014-02-25 23:18:36 CET
Fedora has issued an advisory on August 22:
I believe the issue is fixed upstream in 1.0.15.
Mageia 2 and Mageia 3 are also affected.
Steps to Reproduce:
I have uploaded patched packages for Mageia 2 and 3.
1. Install perl-Module-Metadata
2. Run this command: man Module::Metadata
3. Check the DESCRIPTION (Should be this: "This module provides a standard way to gather metadata about a .pm file without executing unsafe code.")
4. Update perl-Module-Metadata from updates_testing
5. Repeat step #2 and check DESCRIPTION again. (This time it should say something like this: "This module provides a standard way to gather metadata about a .pm file through (mostly) static analysis and (some) code execution. When determining the version of a module, the $VERSION assignment is "eval"ed, as is traditional in the CPAN toolchain.")
This update clarifies the module's documentation about the code it executes, i.e. it does "eval" a module to determine its version number. Previously it said that it did not execute unsafe code.
Updated packages in core/updates_testing:
Just making minor formatting changes to the advisory.
This update clarifies the module's documentation about the code it executes,
i.e. it does "eval" a module to determine its version number. Previously it
said that it did not execute unsafe code (CVE-2013-1437).
Updated packages in core/updates_testing:
Testing mga3 64
Module::Metadata appears to be provided by the perl package as well as
Testing with this script:
use strict;
use warnings;
use Module::Metadata;
my $file = '/usr/lib/perl5/vendor_perl/5.16.2/Config/IniFiles.pm';
# information about a .pm file
my $info = Module::Metadata->new_from_file( $file );
my $version = $info->version;
# CPAN META 'provides' field for .pm files in a directory
my $provides = Module::Metadata->provides(
    dir => 'lib', version => 2
);
print "$version\n";
print join( ", ", sort keys %$provides ), "\n";
Just spits out a version number and a hash, don't laugh at my perl skillz. It does so though even without perl-Module-Metadata being installed.
$ urpmq --whatprovides 'perl(Module::Metadata)'
# urpmq --provides perl | grep Metadata
It also appears to be providing the mga2 version in mga3. It looks like this will need to be updated too in order to close the CVE.
# urpme perl-Module-Metadata
removing package perl-Module-Metadata-1.0.11-4.mga3.noarch
1/1: removing perl-Module-Metadata-1.0.11-4.mga3.noarch
# man Module::Metadata
This module provides a standard way to gather metadata about a .pm file without executing unsafe code.
Assigning back to you David, not sure how best to handle this one. It is just updated man pages so might not be worthy of a perl update, but it does seem to need one to close the CVE.
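The corrected advisory wording above is the whole point of this bug: Module::Metadata->version is not static analysis, the $VERSION assignment it finds is handed to eval. The script below is an added editorial example, not code from this bug report, from the tester, or from the Module::Metadata distribution. It shows one defensive pattern: before letting Module::Metadata look at a file, check that its $VERSION line is a plain literal (a quoted or bare version number and nothing else), and refuse files whose version is computed by an expression. The helper names (literal_version, version_of, write_pm), the regex and the two constructed sample modules written to temporary files are all assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Module::Metadata;

# Only a plain, single-line literal assignment is accepted, e.g.
#   our $VERSION = '1.02';   $Foo::Bar::VERSION = "2.10";   our $VERSION = 3;
# (pattern is an assumption of this example, not Module::Metadata's own)
my $LITERAL_VERSION = qr{
    ^ \s* (?:our\s+)? \$(?:[\w:]+::)?VERSION \s* = \s*
      (?: '([0-9][0-9._]*)' | "([0-9][0-9._]*)" | ([0-9][0-9._]*) )
    \s* ; \s* (?:\#.*)? $
}x;

# Look at the first line that mentions $VERSION. Return the literal if that
# line is a bare literal assignment, undef for anything else (do-block,
# sprintf, function call, ...). Deliberately conservative: a stray mention
# of $VERSION in a comment before the assignment also leads to refusal.
sub literal_version {
    my ($file) = @_;
    open my $fh, '<', $file or die "open $file: $!";
    while (my $line = <$fh>) {
        next unless $line =~ /\$VERSION/;
        return undef unless $line =~ $LITERAL_VERSION;
        return defined $1 ? $1 : defined $2 ? $2 : $3;
    }
    return undef;
}

# Gate Module::Metadata behind the literal check: the eval it performs then
# only ever sees an assignment we have already classified as a constant.
sub version_of {
    my ($file) = @_;
    return undef unless defined literal_version($file);
    my $info = Module::Metadata->new_from_file($file) or return undef;
    return $info->version;   # version object, stringifies to e.g. "1.02"
}

# Constructed sample modules, written to temp files that are removed at exit.
sub write_pm {
    my ($source) = @_;
    my ($fh, $path) = tempfile(SUFFIX => '.pm', UNLINK => 1);
    print {$fh} $source;
    close $fh or die "close: $!";
    return $path;
}

my $plain = write_pm(<<'PM');
package Example::Constructed::Plain;
our $VERSION = '1.02';
1;
PM

# Classic CPAN idiom that computes the version at run time: legitimate, but
# exactly the kind of expression a metadata tool has to execute to learn the
# version, so the gate refuses it instead of letting it be eval-ed.
my $computed = write_pm(<<'PM');
package Example::Constructed::Computed;
our $VERSION = sprintf "%d.%02d", q$Revision: 1.5 $ =~ /(\d+)\.(\d+)/;
1;
PM

for my $file ($plain, $computed) {
    my $v = version_of($file);
    printf "%-60s %s\n", $file,
        defined $v ? "version $v" : "refused: \$VERSION is not a literal";
}
```

Run it with a stock perl (Module::Metadata has shipped with core perl since 5.14, which is why the tester's script worked without the separate package installed). The first file reports version 1.02; the second is refused. The refusal is the useful part: it reflects the corrected documentation, in that a metadata tool reading an untrusted .pm file is running code from it, and the decision to do so should be explicit rather than hidden behind a "no unsafe code" claim.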
Removing Mageia 2 from the whiteboard due to EOL.
Sorry for the time to answer - real life kicked in quite hard.
I strongly oppose doing a perl update to mageia 3 just to change a bit of documentation in a module.
1- perl is a critical package, and I prefer limiting its update in mageia releases to the strict minimum
2- even more because qa is overwhelmed, and I'd rather not pile an unneeded update onto them
3- Module::Metadata is a very obscure package, that is not really used a lot (even *I* didn't know about it before this bug report)
4- if you decide to use this module, most of the time you'll do so on a safe module (that is, even eval-ing it won't cause any damage). Only modules crafted to abuse the eval-ing will be a problem, and those modules aren't legion (because of 3 above)
5- if you really care about security of a given module, you won't trust its documentation, but check the code before using it
6- finally, assigning a CVE to reword documentation is overkill to me
Therefore, I propose to close this bug as resolved/wontfix unless you provide me with very good reasons.
Note: cauldron and mageia 4 have an updated Module::Metadata (even the one shipped with core perl).
Given Jerome's feedback, we can just update the external module (as it's already packaged) and say it's wontfix for perl itself. Advisory in Comment 2 (minus the Mageia 2 package of course).
Testing complete mga3 32 & 64
Advisory uploaded. Validating.
Could sysadmin please push to 3 updates