Fedora has issued an advisory on August 19:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137115.html

The issue is fixed upstream in 1.0031, and RedHat has a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1128978

Mageia 3 and Mageia 4 are also affected.
CC: (none) => mageia
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in cauldron (awaiting freeze push exemption).

I've updated to latest version in mga3 & mga4, since the patch doesn't apply cleanly due to the old version (web frameworks are a rapid moving target).

Submitted packages in core/updates_testing:
- perl-Plack-1.3.100-1.mga3
- perl-Plack-1.3.100-1.mga4

==> this fails, since they require more recent versions of other perl modules (Apache::LogFormat::Compiler, File::ShareDir::Install)...

What do you recommend? Update those deps also, struggle to try to apply the patch (but I won't have the time to do it quickly), other?
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
If you're asking QA whether we'd prefer you to create more work for us or for yourself, then the answer is likely going to be the latter ;)

Actually it is policy though to patch where practical Jerome, this being one of the reasons behind the policy.
https://wiki.mageia.org/en/Updates_policy

I'm adding the feedback marker for now until there is something here for us to test.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO feedback
Jerome, if updating the perl modules wouldn't hurt anything (as is usually the case), that would be fine. Ultimately, whichever solution is easier for you is best.
CC: (none) => qa-bugs
Assignee: qa-bugs => jquelin
Whiteboard: MGA3TOO feedback => MGA3TOO
I have uploaded patched packages for Mageia 3 and 4.

I'm not sure how to test it as there is no known PoC. What I did is that I first patched in the added test and checked that the build failed. I then patched also the fix and now the build was successful.

Suggested advisory:
========================

Updated perl-Plack package fixes the following security issue:

- Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446

Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee3

References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
========================

Updated packages in core/updates_testing:
========================
perl-Plack-1.1.400-2.1.mga3.noarch
perl-Plack-1.2.900-2.1.mga4.noarch

Source RPMs:
perl-Plack-1.1.400-2.1.mga3.src.rpm
perl-Plack-1.2.900-2.1.mga4.src.rpm
Hardware: i586 => All
Assignee: jquelin => qa-bugs
Thanks for the details Sander! Given what you said about the testcase, the QA team shouldn't have to do more than test installing it.

I would write the advisory as follows.

Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (CVE-2014-5269).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5269
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137115.html
Testing on Mageia4-64 real HW

With current package :
--------------------
perl-Plack-1.2.900-2.mga4.noarch

Tested with simple perl plack script found on the web :

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $app = sub {
        return [
            '200',
            [ 'Content-Type' => 'text/html' ],
            [ scalar localtime ],
        ];
    };

Saved as testplack.psgi

In terminal,
$ plackup testplack.psgi

in browser, went to :
http://localhost:5000/

Page displayed current time which I could update by reloading the page.
Ctrl-C in terminal to stop.

Update to testing package :
-------------------------
perl-Plack-1.2.900-2.1.mga4.noarch

Installation OK, could run same script.
All OK
CC: (none) => olchal
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Well done Olivier

Testing complete mga3 32 using this procedure.
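Added example, not part of the bug thread and not Plack's own test: a Perl check a tester could run before and after installing the update to see the behaviour the advisory describes, Plack::App::File treating a path with a trailing slash as the file itself. The file name report.txt and the expectation that a fixed build answers 404 for the trailing-slash form are assumptions.

```perl
#!/usr/bin/perl
# Added example: not from the bug thread and not from Plack's test suite.
# Checks in-process (no network listener) whether Plack::App::File
# serves a regular file when the request path carries a trailing slash.
use strict;
use warnings;
use File::Temp qw(tempdir);
use HTTP::Request::Common qw(GET);
use Plack ();
use Plack::App::File;
use Plack::Test;

# Constructed sample: one file in a throwaway document root.
my $root = tempdir(CLEANUP => 1);
open my $fh, '>', "$root/report.txt" or die "cannot create sample file: $!";
print {$fh} "constructed sample content\n";
close $fh or die "cannot close sample file: $!";

my $app = Plack::App::File->new(root => $root)->to_app;
my %status;

test_psgi $app, sub {
    my $cb = shift;
    $status{plain} = $cb->(GET '/report.txt')->code;   # normal request
    $status{slash} = $cb->(GET '/report.txt/')->code;  # trailing slash
};

print "Plack version:        ", Plack->VERSION, "\n";
print "GET /report.txt   ->  $status{plain}\n";
print "GET /report.txt/  ->  $status{slash}\n";

# Sanity check: the file itself must be served, otherwise the result
# below says nothing about the trailing-slash handling.
die "setup problem: plain request returned $status{plain}\n"
    unless $status{plain} == 200;

if ($status{slash} == 200) {
    # The trailing slash was stripped and the file was served.
    print "RESULT: trailing slash stripped (behaviour described in the advisory)\n";
    exit 1;
}

# Assumption: a fixed build refuses the trailing-slash form with 404.
print "RESULT: trailing slash not stripped (status $status{slash})\n";
exit 0;
```

The exit status is 1 when the trailing-slash request is served and 0 otherwise, so the check can be run once against the current package and once against the updates_testing package and the two results compared.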
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK
Tested on Mageia3-64 real hardware

Current package :
- perl-Plack-1.1.400-2.mga3.noarch

Update testing package :
- perl-Plack-1.1.400-2.1.mga3.noarch

All OK
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0486.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED