An advisory was issued today (September 25):
https://www.lsexperts.de/advisories/lse-2014-06-10.txt

Apparently there's a patch available upstream.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Blocks: (none) => 14098
Jerome just pointed out that this is the same CVE as in Bug 14198, so for this bug it's for the Data::Dumper bundled with perl itself.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=14198
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

The test procedures we need to use for this update are:
https://bugs.mageia.org/show_bug.cgi?id=14098#c0 (Mageia 4)
https://bugs.mageia.org/show_bug.cgi?id=14198#c4 (Mageia 3 and Mageia 4)

Note that for the second one, you need to make sure that you do *not* have the perl-Data-Dumper package installed, so that it will use the one bundled in the perl package.

Advisory (Mageia 3):
========================

Updated perl package fixes security vulnerability:

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function (CVE-2014-4330).

The Data::Dumper module bundled with Perl has been updated to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330
https://www.lsexperts.de/advisories/lse-2014-06-10.txt
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html
========================

Updated packages in core/updates_testing:
========================
perl-5.16.3-1.2.mga3
perl-base-5.16.3-1.2.mga3
perl-devel-5.16.3-1.2.mga3
perl-doc-5.16.3-1.2.mga3

from perl-5.16.3-1.2.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated perl package fixes security vulnerability:

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function (CVE-2014-4330).

Also, the Text::Wrap version provided in perl contains a bug that can lead to a code path that shouldn't be hit. This can lead to crashes in other software, such as Bugzilla.

The Text::Wrap module bundled with Perl has been patched and the Data::Dumper module bundled with Perl has been updated to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330
https://www.lsexperts.de/advisories/lse-2014-06-10.txt
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html
https://bugs.mageia.org/show_bug.cgi?id=14098
https://bugs.mageia.org/show_bug.cgi?id=14170
========================

Updated packages in core/updates_testing:
========================
perl-5.18.1-3.2.mga4
perl-base-5.18.1-3.2.mga4
perl-devel-5.18.1-3.2.mga4
perl-doc-5.18.1-3.2.mga4

from perl-5.18.1-3.2.mga4.src.rpm
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO has_procedure
CC: (none) => jquelin
Version: Cauldron => 4
Assignee: jquelin => qa-bugs
See Also: https://bugs.mageia.org/show_bug.cgi?id=14198 => (none)
Blocks: (none) => 14198
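Added example, not part of the original bug thread or of the Perl or Mageia sources: for code that may still run against an unpatched Data::Dumper, the nesting described in the advisory above can be bounded before Dumper is called. exceeds_depth and safe_dump are hypothetical helper names, and the default of 1000 mirrors the limit the patched module reports in this thread's test results.

```perl
use strict;
use warnings;
use Data::Dumper;
use Scalar::Util qw(reftype refaddr);

# Hypothetical helper (not part of Data::Dumper): true if $data nests more
# than $limit references deep. It walks with an explicit stack, so the check
# itself cannot exhaust the C stack the way a recursive dump can.
sub exceeds_depth {
    my ($data, $limit) = @_;
    my @todo = ([$data, 0]);
    my %seen;    # references already visited (cycles, shared sub-structures)
    while (my $item = pop @todo) {
        my ($node, $depth) = @$item;
        next unless ref $node;
        return 1 if $depth >= $limit;
        next if $seen{ refaddr($node) }++;
        my $type = reftype($node) // '';
        my @kids = $type eq 'ARRAY' ? @$node
                 : $type eq 'HASH'  ? values %$node
                 : $type eq 'REF'   ? ($$node)
                 :                    ();
        # Reverse so children are popped in their original order.
        push @todo, map { [$_, $depth + 1] } reverse @kids;
    }
    return 0;
}

# Hypothetical wrapper: refuse over-deep input instead of passing it on.
sub safe_dump {
    my ($data, $limit) = @_;
    $limit //= 1000;
    die "refusing to dump: nesting deeper than $limit levels\n"
        if exceeds_depth($data, $limit);
    return Dumper($data);
}

# Constructed inputs: one ordinary structure, one nested past the limit.
print safe_dump([ [1, 2], { k => [3] } ]);

my $deep = [];
$deep = [ $deep, "AAAAAAAA" ] for 1 .. 2000;
my $out = eval { safe_dump($deep) };
print defined $out ? $out : "rejected: $@";
```

On Data::Dumper 2.154 and later the module applies its own bound through $Data::Dumper::Maxrecurse (default 1000), so this guard matters mainly where the update has not been installed.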
Testing on Mageia4-64

perl-Data-Dumper not installed

Before:
perl Version : 2:5.18.1-3.mga4

bug 14098

# perl -MText::Wrap -wE 'say wrap("", "", "http://193.35.206.163/issues/clients/index.php?issue=6239&order=issue_id&sort=desc")'
This shouldn't happen at /usr/lib/perl5/5.18.1/Text/Wrap.pm line 84.

bug 14198

$ cat min.pl
use strict;
use Data::Dumper;

my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
    $dumpme = [$dumpme, "AAAAAAAA"];
}
print Dumper($dumpme);

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff694f6ed in vfprintf () from /lib64/libc.so.6

After:
Update packages
- perl-5.18.1-3.2.mga4.x86_64
- perl-base-5.18.1-3.2.mga4.x86_64

Bug 14098

$ perl -MText::Wrap -wE 'say wrap("", "", "http://193.35.206.163/issues/clients/index.php?issue=6239&order=issue_id&sort=desc")'
http://193.35.206.163/issues/clients/index.php?issue=6239&order=issue_id&so
rt=desc

Bug 14198

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.2.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/5.18.1/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 17644) exited with code 0377]
(gdb) quit

It seems all right to me
CC: (none) => olchal
Testing on Mageia4-32

perl-Data-Dumper : not installed

Before:
perl Version : 2:5.18.1-3.mga4

bug 14098 = showed the same error
This shouldn't happen at /usr/lib/perl5/5.18.1/Text/Wrap.pm line 84.

bug 14198

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.i586
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
Out of memory!
[Inferior 1 (process 4513) exited with code 01]
(gdb) bt
No stack.

Not the same error as in Mageia4-64

After:
- perl-5.18.1-3.2.mga4.i586
- perl-base-5.18.1-3.2.mga4.i586

Bug 14098

$ perl -MText::Wrap -wE 'say wrap("", "", "http://193.35.206.163/issues/clients/index.php?issue=6239&order=issue_id&sort=desc")'
http://193.35.206.163/issues/clients/index.php?issue=6239&order=issue_id&so
rt=desc

Bug 14198

$ gdb --args perl min.pl 20000
(...)
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i686/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/5.18.1/i386-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 6492) exited with code 0377]

Not sure about the dumping error which appears different in Mageia4-32.
However, updated packages seem to work well.
I tested Mageia 3 i586. I confirmed the bug and the fix (same results that Claire and Oliver previously saw).
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK
Testing complete mga3 64

$ rpm -q perl-Data-Dumper
package perl-Data-Dumper is not installed

Before

$ perl min.pl 20000
Segmentation fault

After

$ perl min.pl 20000
Recursion limit of 1000 exceeded at /usr/lib/perl5/5.16.3/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure mga3-64-ok MGA4-64-OK MGA4-32-OK MGA3-32-OK
Validating. Separate advisories uploaded for mga3 & 4. Could sysadmin please push to 3 & 4 updates. Bug 14098 can then be closed-fixed. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure advisory mga3-64-ok MGA4-64-OK MGA4-32-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0405.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0406.html