Fedora has issued an advisory on September 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html

It was apparently fixed upstream in 2.153.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in cauldron (awaiting freeze push exemption).

Submitted packages in core/updates_testing (I've updated to latest version):
- perl-Data-Dumper-2.154.0-1.mga3
- perl-Data-Dumper-2.154.0-1.mga4

Advisory:
=========================
The Dumper method in Data::Dumper allows context-dependent attackers to cause a denial of service.

The new package fixes the problem.
=========================

please test & validate.
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks Jerome! One question though, the CVE says "as used in Perl 5.20.1 and earlier," is there another copy of this module in the perl package itself?

Advisory:
========================

Updated perl-Data-Dumper package fixes security vulnerability:

The Dumper method in Data::Dumper before 2.154, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function (CVE-2014-4330).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html
PoC: https://rt.perl.org/Public/Bug/Display.html?id=122111
It does seem to be in perl-base, no segfault there though 32 or 64bit. How would I force it to use perl-Data-Dumper rather than perl-base?

$ rpm -q perl-Data-Dumper
package perl-Data-Dumper is not installed

$ cat min.pl
use strict;
use Data::Dumper;

my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
    $dumpme = [$dumpme, "AAAAAAAA"];
}
print Dumper($dumpme);

$ gdb --args perl min.pl
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
$VAR1 = [];
[Inferior 1 (process 6673) exited normally]
(gdb) quit
Sorry, missed the argument from min.pl

$ gdb --args perl min.pl 20000
...
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff694f6ed in vfprintf () from /lib64/libc.so.6
Adding feedback marker as this appears to need a perl update.
Whiteboard: MGA3TOO => MGA3TOO feedback
Module from perl base is reported as bug#14170. So please validate this bug about perl-Data-Dumper. :-) Note however that my internet box broke after an electrical failure, so I am not able to work on bugs right now. :-(
How can we force perl to use the separate module Jerome please, rather than the one in perl-base which it seems to default to?
If you install the package perl-Data-Dumper, then perl should use it by default. See perl -V for the @INC list (@INC being the path where perl will try to locate used modules).

If you want to really force an INC path to be tried first, try this:
$ perl -I/path/to/some/dir /path/to/script args
Ok thanks, the -I option is maybe needed. gdb asked for perl-base debuginfo - comment 4 - which makes me think it's using the one in perl-base by default.
Whiteboard: MGA3TOO feedback => MGA3TOO
Well, of course, comment#4 begins by stating that perl-Data-Dumper isn't installed. So of course, it won't be used! :-)
Bad example, ok. I'll be more specific...

# rpm -q perl-Data-Dumper
perl-Data-Dumper-2.145.0-2.mga4

$ gdb --args perl min.pl
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
Testing complete mga4 64

Confirmed with the backtrace that it is in fact using the perl-Data-Dumper rather than perl-base, despite asking for perl-base debuginfo.

$ urpmf perl-Data-Dumper | grep Dumper.so
perl-Data-Dumper:/usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so

Before
------
$ perl min.pl 20000
Segmentation fault

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff694f6f7 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff694f6f7 in vfprintf () from /lib64/libc.so.6
#1  0x00007ffff6a08a48 in __vsprintf_chk () from /lib64/libc.so.6
#2  0x00007ffff6a0899d in __sprintf_chk () from /lib64/libc.so.6
#3  0x00007ffff63ee137 in ?? () from /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so
...etc

After
-----
$ perl min.pl 20000
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Data/Dumper.pm line 224.

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 28422) exited with code 0377]
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
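As an added example (not code from this bug report, from Mageia, or from Data::Dumper itself), the script below answers the two practical questions raised above: it reports which Data/Dumper.pm perl resolved through @INC (vendor_perl means the separate perl-Data-Dumper package, otherwise perl-base), and it dumps the same nested-array shape as min.pl under $Data::Dumper::Maxrecurse, the limit the fixed 2.154 module adds, catching the "Recursion limit exceeded" die instead of letting the process crash. Function names are my own; it assumes only core Perl.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from Data::Dumper itself.
use strict;
use warnings;
use Data::Dumper;

# Which Data/Dumper.pm did perl resolve via @INC? A vendor_perl path means
# the separate perl-Data-Dumper package; a core path means perl-base.
sub loaded_dumper_info {
    return {
        file    => $INC{'Data/Dumper.pm'},
        version => $Data::Dumper::VERSION,
        # $Data::Dumper::Maxrecurse (default 1000) only exists from 2.154 on
        patched => ($Data::Dumper::VERSION >= 2.154 ? 1 : 0),
    };
}

# Same shape as min.pl from the report: $depth levels of [$inner, "AAAAAAAA"].
sub nested_array {
    my ($depth) = @_;
    my $ref = [];
    $ref = [ $ref, "AAAAAAAA" ] for 1 .. $depth;
    return $ref;
}

# Dump under an explicit recursion cap and turn the croak into a return
# value. On an unpatched module the cap is silently ignored, so refuse the
# dump there rather than risk exhausting the C stack (CVE-2014-4330).
sub safe_dump {
    my ($data, $limit) = @_;
    my $info = loaded_dumper_info();
    return "refused: Data::Dumper $info->{version} has no recursion limit\n"
        unless $info->{patched};
    local $Data::Dumper::Maxrecurse = $limit;
    my $out = eval { Dumper($data) };
    return defined $out ? $out : "aborted: $@";
}

my $info = loaded_dumper_info();
print "Data::Dumper $info->{version} loaded from $info->{file}\n";
print safe_dump(nested_array(10), 100);       # shallow structure
print safe_dump(nested_array(20000), 1000);   # same depth as min.pl 20000
```

On the unpatched 2.145 module the script prints the refusal line for the deep structure instead of reproducing the segfault; with -I pointing at an updated module directory, as described in comment 11, it shows which copy won.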
Testing complete mga4 32

This machine ran out of memory before triggering the segfault but shows the recursion error with the updated package.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=14170
It hadn't occurred to me previously that the other bug I filed was for this same CVE. Considering the PoC runs the same way whether you have the external package installed or not, I really think we should fix this in perl at the same time. That being said, I can confirm the fix on Mageia 3 i586.
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok
Advisory uploaded. Needs a quick test on mga3 64 to validate.
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok
@comment 15: unfortunately, I cannot work / submit anything till my internet box is fixed. And I don't know when it will be. :-(
Testing on Mageia3-64

Reproduced the steps as in Comment 13.

Before:
- perl-Data-Dumper-2.139.0-3.mga3.x86_64

$ perl min.pl 20000
Erreur de segmentation

[zitounu@localhost Documents]$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.5.1-7.mga3 (Mageia release 3)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.16.3-1.mga3.x86_64
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff695e595 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff695e595 in vfprintf () from /lib64/libc.so.6
#1  0x00007ffff6a1d6a7 in __vsprintf_chk () from /lib64/libc.so.6
#2  0x00007ffff6a1d5ed in __sprintf_chk () from /lib64/libc.so.6
#3  0x00007ffff63f319b in DD_dump () from /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so
etc.

After:
- perl-Data-Dumper-2.154.0-1.mga3.x86_64

$ perl min.pl 20000
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/Data/Dumper.pm line 224.

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.5.1-7.mga3 (Mageia release 3)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.16.3-1.mga3.x86_64
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 6577) exited with code 0377]
(gdb) quit

Similar to what Claire found on Mageia4-64. I leave well-informed people to see if it's a pass.
CC: (none) => olchal
Indeed it is a pass, thanks Olivier.
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
(In reply to Jerome Quelin from comment #17)
> @comment 15: unfortunately, I cannot work / submit anything till my internet
> box is fixed. And I dont know when it will be. :-(

Jerome, do these commits look OK to you?
http://svnweb.mageia.org/packages/?view=revision&revision=737198
http://svnweb.mageia.org/packages/?view=revision&revision=737199
http://svnweb.mageia.org/packages/?view=revision&revision=737200
Well done Olivier. It passed because it showed the 'Recursion limit' error instead of crashing or consuming all the memory.

perl-Data-Dumper is ready to validate but I'll add the feedback marker for now until it's decided what to do with perl/perl-base.
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO feedback has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
@david (comment 20): yes if patch applies cleanly. Note however that it's bug#14170 that is concerned.
(In reply to Jerome Quelin from comment #22)
> @david (comment 20): yes if patch applies cleanly.
> Note however that it's bug#14170 that is concerned.

I generated the patches from the respective sources, so it'll apply. Beginning the pushes now, hopefully it builds (it should).

In situations like this in the past, we've asked that the bundled module be fixed at the same time, and I believe that makes sense.

Claire, I'm validating this, but making it depend on the bug for perl itself. Colin's script won't actually push the update until that one is validated due to the bug depends.

Sysadmins, this is ready to be pushed to updates for Mageia 3 and Mageia 4 once Bug 14170 is also validated. The advisory is in SVN.
Keywords: (none) => validated_update
See Also: https://bugs.mageia.org/show_bug.cgi?id=14170 => (none)
Depends on: (none) => 14170
Whiteboard: MGA3TOO feedback has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0407.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED