Bug 12827 - perl-CGI-Application new security issue CVE-2013-7329
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588435/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update

Reported: 2014-02-20 16:09 CET by David Walser
Modified: 2014-02-26 18:12 CET

Source RPM: perl-CGI-Application-4.500.0-2.mga3.src.rpm


Attachments
example.cgi (60 bytes, text/plain), 2014-02-24 18:08 CET, claire robinson
example.pm (1.58 KB, application/x-perl), 2014-02-24 18:08 CET, claire robinson
example.tmpl (1.58 KB, application/octet-stream), 2014-02-24 18:09 CET, claire robinson

Description David Walser 2014-02-20 16:09:39 CET
A CVE was assigned for an information disclosure flaw in CGI::Application >= 4.19:
http://openwall.com/lists/oss-security/2014/02/20/1

A suggested fix is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1067180

Mageia 3 and Mageia 4 are also affected.

Comment 1 Jerome Quelin 2014-02-24 10:42:47 CET
Updates now available in core/updates_testing for both mageia 3 and mageia 4.

mageia 3:
- perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
- perl-CGI-Application-4.500.0-2.1.mga3

mageia 4:
- perl-CGI-Application-4.500.0-3.1.mga4.src.rpm
- perl-CGI-Application-4.500.0-3.1.mga4

Since the module is providing a web framework, it's not really easy to test the new behaviour. However, as can be seen in the commit fixing the problem (https://github.com/markstos/CGI--Application/pull/15), a new test case has been added to the regression test-suite.

I therefore propose to consider the bug fixed and to push the updates directly.

Advisory:
===============
This update fixes a security issue for CGI::Application.

Previously when overloading setup() (which everyone does), one ALWAYS had dump_html as a default run-mode unless explicitly redefining it. This would unexpectedly dump a complete set of web query data and server environment information as an error page, thus leaking information.
===============
Comment 2 David Walser 2014-02-24 13:50:40 CET
Thanks Jerome.

Just some typographical fixes here.

Advisory:
========================

Updated perl-CGI-Application package fixes security vulnerability:

When applications using CGI::Application overload setup(), which is normally
the case, CGI::Application since version 4.19 has dump_html as a default
run-mode unless the application explicitly redefines it. This unexpectedly
dumps a complete set of web query data and server environment information as
an error page, thus leaking information (CVE-2013-7329).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7329
http://openwall.com/lists/oss-security/2014/02/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=1067180
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Application-4.500.0-2.1.mga3
perl-CGI-Application-4.500.0-3.1.mga4

from SRPMS:
perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
perl-CGI-Application-4.500.0-3.1.mga4.src.rpm
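
Added example (not part of the bug report or of the upstream fix): a self-check for the flaw described in the advisory above. It requests every run mode the application has registered and fails if a marker placed in the environment appears in any response. MyApp, show_login and CANARY_SECRET are hypothetical names, and the marker value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package MyApp;                      # hypothetical application class
use base 'CGI::Application';

sub setup {                         # overloaded, as in the advisory
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(login => 'show_login');
}

sub show_login { return '<p>login form</p>' }

# Mitigation for an unpatched library: a run mode still mapped to the
# inherited dump methods resolves to these overrides instead.
# Remove them to test the installed CGI::Application itself.
sub dump_html { return '<p>Not found</p>' }
sub dump      { return 'Not found' }

package main;
use CGI;

$ENV{CGI_APP_RETURN_ONLY} = 1;               # run() returns the page instead of printing it
$ENV{CANARY_SECRET}       = 'canary-7f3a';   # constructed marker value

# Run modes registered after new() has called setup().
my %modes = MyApp->new(QUERY => CGI->new({}))->run_modes;

my @leaky;
for my $name (sort keys %modes) {
    my $app = MyApp->new(QUERY => CGI->new({ rm => $name }));
    my $out = $app->run;
    push @leaky, $name if $out =~ /canary-7f3a/;
}

print @leaky
    ? "LEAK: environment dumped by run mode(s): @leaky\n"
    : "OK: no registered run mode dumps the environment\n";
exit(@leaky ? 1 : 0);
```

With the two overrides in place the script reports OK on any library version; without them the result reflects the installed perl-CGI-Application package.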
Comment 3 claire robinson 2014-02-24 18:08:37 CET
Created attachment 5004
example.cgi

Some test files to check the module basically works, from
http://max.duestrade.it/Perl-module-CGI-Application.html

example.cgi
example.pm
example.tmpl

Put into the same directory, it should output some html..

$ perl example.cgi
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><title>Example</title></head>
<body>


<!-- this is the page section shown on the first access to 'example.cgi' -->
<form method="post" action="example.cgi">
    <p><input type="hidden" name="newState" value="authentication"/></p>
    <p>user: <input type="text" name="user"/></p>
    <p>password: <input type="password" name="password"/></p>
    <p><input type="submit" name="action" value="Login"/></p>
</form>









</body>
</html>
Comment 4 claire robinson 2014-02-24 18:08:59 CET
Created attachment 5005
example.pm
Comment 5 claire robinson 2014-02-24 18:09:22 CET
Created attachment 5006
example.tmpl
Comment 6 claire robinson 2014-02-24 18:09:51 CET
Testing complete mga3 32
Comment 7 claire robinson 2014-02-24 18:52:29 CET
Testing complete mga3 64
Comment 8 David Walser 2014-02-24 19:20:24 CET
Testing complete Mageia 4 i586, same procedure as Claire.
Comment 9 Anne Nicolas 2014-02-24 23:39:21 CET
Testing complete Mageia 4 x86_64
Comment 10 claire robinson 2014-02-24 23:47:33 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 11 Thomas Backlund 2014-02-25 23:22:02 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0098.html
