A CVE was assigned for an information disclosure flaw in CGI::Application >= 4.19:
http://openwall.com/lists/oss-security/2014/02/20/1

A suggested fix is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1067180

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updates now available in core/updates_testing for both Mageia 3 and Mageia 4.

Mageia 3:
- perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
- perl-CGI-Application-4.500.0-2.1.mga3

Mageia 4:
- perl-CGI-Application-4.500.0-3.1.mga4.src.rpm
- perl-CGI-Application-4.500.0-3.1.mga4

Since the module is providing a web framework, it's not really easy to test the new behaviour. However, as can be seen in the commit fixing the problem (https://github.com/markstos/CGI--Application/pull/15), a new test case has been added to the regression test-suite. I therefore propose to consider the bug fixed and to push the updates directly.

Advisory:
===============
This update fixes a security issue for CGI::Application. Previously when overloading setup() (which everyone does), one ALWAYS had dump_html as a default run-mode unless explicitly redefining it. This would unexpectedly dump a complete set of web query data and server environment information as an error page, thus leaking information.
===============
URL: (none) => https://rt.cpan.org/Public/Bug/Display.html?id=84403
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks Jerome. Just some typographical fixes here.

Advisory:
========================
Updated perl-CGI-Application package fixes security vulnerability:

When applications using CGI::Application overload setup(), which is normally the case, CGI::Application since version 4.19 has dump_html as a default run-mode unless the application explicitly redefines it. This unexpectedly dumps a complete set of web query data and server environment information as an error page, thus leaking information (CVE-2013-7329).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7329
http://openwall.com/lists/oss-security/2014/02/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=1067180
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Application-4.500.0-2.1.mga3
perl-CGI-Application-4.500.0-3.1.mga4

from SRPMS:
perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
perl-CGI-Application-4.500.0-3.1.mga4.src.rpm
Created attachment 5004 [details]
example.cgi

Some test files to check the module basically works, from http://max.duestrade.it/Perl-module-CGI-Application.html

example.cgi
example.pm
example.tmpl

Put into the same directory, it should output some HTML.

$ perl example.cgi
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><title>Example</title></head>
<body>
<!-- this is the page section shown on the first access to 'example.cgi' -->
<form method="post" action="example.cgi">
<p><input type="hidden" name="newState" value="authentication"/></p>
<p>user: <input type="text" name="user"/></p>
<p>password: <input type="password" name="password"/></p>
<p><input type="submit" name="action" value="Login"/></p>
</form>
</body>
</html>
Created attachment 5005 [details]
example.pm
Created attachment 5006 [details]
example.tmpl
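As an added illustration (not code from this bug report, the advisory, or the upstream project), this is the hardening an application built on CGI::Application can apply on its own side against the flaw described in the advisory, together with a canary check that exercises the inherited default run mode. It assumes the default run-mode name is `start` and that `run_modes()` adds to rather than replaces the table `new()` pre-loads before calling `setup()`; `Example::App`, `EXAMPLE_CANARY` and the query strings are constructed.

```perl
package Example::App;
use strict;
use warnings;
use parent 'CGI::Application';

# Unfixed CGI::Application pre-loads the run-mode table with start => 'dump_html'
# before setup() runs (assumption about the default, see lead-in). A setup() that
# only adds its own modes leaves that entry reachable as ?rm=start.
sub setup {
    my $self = shift;
    $self->start_mode('home');
    $self->mode_param('rm');
    $self->run_modes(
        home  => 'home',
        start => 'home',   # explicitly redefine the inherited default run mode
    );
}

# Belt and braces: even if a run mode still maps here, nothing sensitive is returned.
sub dump_html {
    my $self = shift;
    $self->header_props(-status => '404 Not Found');
    return '<p>Not found.</p>';
}

sub home { return '<p>Home</p>' }

package main;
use strict;
use warnings;
use CGI;

# Run the application for one query string and return its output instead of printing.
sub response_for {
    my ($query_string) = @_;
    local $ENV{CGI_APP_RETURN_ONLY} = 1;
    my $app = Example::App->new(QUERY => CGI->new($query_string));
    return $app->run;
}

# dump_html() echoes %ENV, so a planted marker must never show up in a response.
$ENV{EXAMPLE_CANARY} = 'canary-8f3a';   # constructed marker value
for my $qs ('', 'rm=start') {
    my $out    = response_for($qs);
    my $leaked = index($out, $ENV{EXAMPLE_CANARY}) >= 0;
    printf "%-10s %s\n", ($qs || '(no rm)'), $leaked ? 'LEAKS ENVIRONMENT' : 'ok';
}
```

Removing the `start => 'home'` line and the `dump_html` override and running against an unfixed module version shows the `rm=start` case reporting a leak; with either mitigation, or with the fixed package, both cases report ok.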
Testing complete mga3 32
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete Mageia 4 i586, same procedure as Claire.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok
Testing complete Mageia 4 x86_64
CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64 => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0098.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
https://rt.cpan.org/Public/Bug/Display.html?id=84403
URL: https://rt.cpan.org/Public/Bug/Display.html?id=84403 => http://lwn.net/Vulnerabilities/588435/