Bug 14198 - perl-Data-Dumper new security issue CVE-2014-4330
Summary: perl-Data-Dumper new security issue CVE-2014-4330
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/614041/
Whiteboard: MGA3TOO has_procedure advisory mga4-3...
Keywords: validated_update
Depends on: 14170
Blocks:
Reported: 2014-09-30 21:07 CEST by David Walser
Modified: 2014-10-09 16:06 CEST

See Also:
Source RPM: perl-Data-Dumper-2.151.0-3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2014-09-30 21:07:27 CEST
Fedora has issued an advisory on September 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html

It was apparently fixed upstream in 2.153.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-09-30 21:07:34 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Jerome Quelin 2014-10-02 10:31:28 CEST
Fixed in cauldron (awaiting freeze push exemption). Submitted packages in core/updates_testing (I've updated to the latest version):
- perl-Data-Dumper-2.154.0-1.mga3
- perl-Data-Dumper-2.154.0-1.mga4

Advisory:
=========================
The Dumper method in Data::Dumper allows context-dependent attackers to cause a denial of service. The new package fixes the problem.
=========================

Please test & validate.

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

claire robinson 2014-10-02 13:35:38 CEST

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-10-02 14:52:12 CEST
Thanks Jerome!

One question though, the CVE says "as used in Perl 5.20.1 and earlier," is there another copy of this module in the perl package itself?

Advisory:
========================

Updated perl-Data-Dumper package fixes security vulnerability:

The Dumper method in Data::Dumper before 2.154, allows context-dependent
attackers to cause a denial of service (stack consumption and crash) via an
Array-Reference with many nested Array-References, which triggers a large
number of recursive calls to the DD_dump function (CVE-2014-4330).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html
Comment 3 claire robinson 2014-10-02 15:01:47 CEST
PoC: https://rt.perl.org/Public/Bug/Display.html?id=122111
Comment 4 claire robinson 2014-10-02 15:11:54 CEST
It does seem to be in perl-base; no segfault there though, on 32- or 64-bit. How would I force it to use perl-Data-Dumper rather than perl-base?

$ rpm -q perl-Data-Dumper
package perl-Data-Dumper is not installed

$ cat min.pl
use strict;
use Data::Dumper;
# Build $ARGV[0] levels of nested array references:
# [ [ [ [], "AAAAAAAA" ], "AAAAAAAA" ], ... ]
my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
        $dumpme = [$dumpme, "AAAAAAAA"];
}
# Every nesting level becomes one more recursive DD_dump() call in the XS code
print Dumper($dumpme);


$ gdb --args perl min.pl
GNU gdb (GDB) 7.6-6.mga4 (Mageia release 4)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl5.18.1...Reading symbols from /usr/bin/perl5.18.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
$VAR1 = [];
[Inferior 1 (process 6673) exited normally]
(gdb) quit
Comment 5 claire robinson 2014-10-02 15:15:11 CEST
Sorry, missed the argument from min.pl 

$ gdb --args perl min.pl 20000
...
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff694f6ed in vfprintf () from /lib64/libc.so.6
Comment 6 claire robinson 2014-10-02 15:18:01 CEST
Adding feedback marker as this appears to need a perl update.

Whiteboard: MGA3TOO => MGA3TOO feedback

Comment 7 Jerome Quelin 2014-10-06 11:06:50 CEST
The module from perl-base is reported as bug#14170. So please validate this bug about perl-Data-Dumper. :-)

Note, however, that my internet box broke after an electrical failure, so I am not able to work on bugs right now. :-(
Comment 8 claire robinson 2014-10-06 11:14:38 CEST
How can we force perl to use the separate module, Jerome, rather than the one in perl-base which it seems to default to?
Comment 9 Jerome Quelin 2014-10-06 13:04:07 CEST
If you install the package perl-Data-Dumper, then perl should use it by default.
See perl -V for the @INC list (@INC being the path where perl will try to locate used modules).

If you want to really force an INC path to be tried first, try this:
$ perl -I/path/to/some/dir /path/to/script args
Comment 10 claire robinson 2014-10-06 13:08:26 CEST
Ok thanks, the -I option is maybe needed. gdb asked for perl-base debuginfo - comment 4 - which makes me think it's using the one in perl-base by default.

Whiteboard: MGA3TOO feedback => MGA3TOO

Comment 11 Jerome Quelin 2014-10-06 13:13:41 CEST
Well, of course, comment#4 begins by stating that perl-Data-Dumper isn't installed. So of course, it won't be used! :-)
Comment 12 claire robinson 2014-10-06 13:20:10 CEST
Bad example, OK. I'll be more specific...

# rpm -q perl-Data-Dumper
perl-Data-Dumper-2.145.0-2.mga4

$ gdb --args perl min.pl
...
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
Comment 13 claire robinson 2014-10-06 15:47:00 CEST
Testing complete mga4 64

Confirmed with the backtrace that it is in fact using perl-Data-Dumper rather than perl-base, despite asking for perl-base debuginfo.

$ urpmf perl-Data-Dumper | grep Dumper.so
perl-Data-Dumper:/usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so

Before
------
$ perl min.pl 20000
Segmentation fault

$ gdb --args perl min.pl 20000
...
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff694f6f7 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff694f6f7 in vfprintf () from /lib64/libc.so.6
#1  0x00007ffff6a08a48 in __vsprintf_chk () from /lib64/libc.so.6
#2  0x00007ffff6a0899d in __sprintf_chk () from /lib64/libc.so.6
#3  0x00007ffff63ee137 in ?? () from /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so
...etc


After
-----
$ perl min.pl 20000
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Data/Dumper.pm line 224.

$ gdb --args perl min.pl 20000
...
Missing separate debuginfos, use: debuginfo-install perl-base-5.18.1-3.mga4.x86_64
(gdb) run
Starting program: /usr/bin/perl5.18.1 min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 28422) exited with code 0377]

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

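The questions in comments 9 and 13 (which copy of Data::Dumper perl actually loaded, and how to tell the fixed module from the vulnerable one without segfaulting a box) can be answered from Perl itself. The script below is an added example written for this page; it is not part of the bug report, the Mageia packages, or the Data::Dumper distribution. It relies only on core modules and on two facts from this report: the PoC shape used in min.pl, and the `$Data::Dumper::Maxrecurse` limit (default 1000) introduced in Data::Dumper 2.154, which older versions simply do not define. The function names `dumper_report`, `build_nested`, `nesting_depth` and `safe_dump` are the example's own.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the Data::Dumper project).
# Reports which Data::Dumper copy @INC resolved, whether it carries the
# 2.154 recursion limit, and dumps nested data without handing an unbounded
# structure to the XS DD_dump recursion on an unpatched module.
use strict;
use warnings;
use Data::Dumper;
use Scalar::Util qw(reftype refaddr);

# Path and version of the Data::Dumper that was loaded: the vendor_perl copy
# from perl-Data-Dumper or the copy shipped inside perl-base. 2.154 sets
# $Data::Dumper::Maxrecurse at load time, so its presence is a cheap feature
# test for the fix that does not require crashing anything.
sub dumper_report {
    return {
        path      => $INC{'Data/Dumper.pm'},
        version   => $Data::Dumper::VERSION,
        has_limit => defined($Data::Dumper::Maxrecurse) ? 1 : 0,
    };
}

# Same shape as the min.pl PoC: $n levels of [ [ ... ], "AAAAAAAA" ].
sub build_nested {
    my ($n) = @_;
    my $data = [];
    $data = [ $data, "AAAAAAAA" ] for 1 .. $n;
    return $data;
}

# Nesting depth of a data structure, walked with an explicit stack so the
# check itself can never exhaust the C stack the way DD_dump does.
# Depth 0 is a plain scalar, 1 an empty container, n+1 a container holding
# something of depth n. Cycles are cut on the reference address.
sub nesting_depth {
    my ($root) = @_;
    my @stack = ([ $root, 0 ]);
    my %seen;
    my $max = 0;
    while (my $item = pop @stack) {
        my ($node, $depth) = @$item;
        next unless ref $node;
        next if $seen{ refaddr($node) }++;
        $depth++;
        $max = $depth if $depth > $max;
        my $type = reftype($node) || '';    # works for blessed objects too
        if    ($type eq 'ARRAY') { push @stack, [ $_, $depth ] for @$node }
        elsif ($type eq 'HASH')  { push @stack, [ $_, $depth ] for values %$node }
        elsif ($type eq 'REF' || $type eq 'SCALAR') { push @stack, [ $$node, $depth ] }
        # CODE, GLOB and friends are leaves as far as Dumper recursion goes
    }
    return $max;
}

# Two layers: a depth pre-check that works on every Data::Dumper version,
# and Maxrecurse, which 2.154+ honours and older versions silently ignore.
# Returns ($text, undef) on success or (undef, $error) on refusal/failure.
sub safe_dump {
    my ($data, $limit) = @_;
    $limit = 200 unless defined $limit;
    my $depth = nesting_depth($data);
    return (undef, "refused: nesting depth $depth exceeds limit $limit")
        if $depth > $limit;
    # Backstop set just above the pre-check so it only fires if the two
    # counts disagree on the boundary; on a fixed module it dies cleanly.
    local $Data::Dumper::Maxrecurse = $limit + 1;
    local $Data::Dumper::Indent     = 1;
    local $Data::Dumper::Sortkeys   = 1;
    my $text = eval { Data::Dumper->Dump([ $data ], [ 'data' ]) };
    return (undef, "Data::Dumper died: $@") unless defined $text;
    return ($text, undef);
}

# Stand-alone run: show where the module came from, then try the PoC shape
# at a harmless depth and at the depth that segfaults an unpatched module.
if (!caller) {
    my $r = dumper_report();
    printf "Data::Dumper %s from %s (Maxrecurse %s)\n",
        $r->{version}, $r->{path}, $r->{has_limit} ? 'present' : 'absent';
    for my $n (10, 20000) {
        my ($text, $err) = safe_dump(build_nested($n), 1000);
        print defined $text
            ? "depth $n: dumped " . length($text) . " bytes\n"
            : "depth $n: $err\n";
    }
}
```

Run it as `perl check_dumper.pl`; prefixing `-I/path/to/vendor_perl/...` as in comment 9 changes the reported path if you need to pin a particular copy. On the unpatched packages in this report `has_limit` is 0 and the 20000-deep structure is refused by the pre-check rather than passed to DD_dump; on 2.154 `has_limit` is 1 and, if the pre-check were removed, the same structure would instead end in the "Recursion limit of 1001 exceeded" die caught by the `eval`. The pre-check is what an application that dumps untrusted data should keep even after updating, because the bundled copy in perl-base is a separate fix (bug 14170).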
Comment 14 claire robinson 2014-10-06 15:57:03 CEST
Testing complete mga4 32

This machine ran out of memory before triggering the segfault but shows the recursion error with the updated package.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

David Walser 2014-10-06 17:17:47 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=14170

Comment 15 David Walser 2014-10-06 18:39:07 CEST
It hadn't occurred to me previously that the other bug I filed was for this same CVE.  Considering the PoC runs the same way whether you have the external package installed or not, I really think we should fix this in perl at the same time.

That being said, I can confirm the fix on Mageia 3 i586.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok

Comment 16 claire robinson 2014-10-06 18:49:17 CEST
Advisory uploaded. Needs a quick test on mga3 64 to validate.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok

Comment 17 Jerome Quelin 2014-10-06 19:54:37 CEST
@comment 15: unfortunately, I cannot work / submit anything till my internet box is fixed. And I don't know when it will be. :-(
Comment 18 olivier charles 2014-10-06 20:13:50 CEST
Testing on Mageia3-64

Reproduced the steps as in Comment 13.

Before :

- perl-Data-Dumper-2.139.0-3.mga3.x86_64

$ perl min.pl 20000
Segmentation fault
$ gdb --args perl min.pl 20000
...
Missing separate debuginfos, use: debuginfo-install perl-base-5.16.3-1.mga3.x86_64
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff695e595 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff695e595 in vfprintf () from /lib64/libc.so.6
#1  0x00007ffff6a1d6a7 in __vsprintf_chk () from /lib64/libc.so.6
#2  0x00007ffff6a1d5ed in __sprintf_chk () from /lib64/libc.so.6
#3  0x00007ffff63f319b in DD_dump ()
   from /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Data/Dumper/Dumper.so
etc.

After :

- perl-Data-Dumper-2.154.0-1.mga3.x86_64

$ perl min.pl 20000
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/Data/Dumper.pm line 224.

$ gdb --args perl min.pl 20000
...
Missing separate debuginfos, use: debuginfo-install perl-base-5.16.3-1.mga3.x86_64
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Recursion limit of 1000 exceeded at /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/Data/Dumper.pm line 224.
[Inferior 1 (process 6577) exited with code 0377]
(gdb) quit

Similar to what Claire found on Mageia4-64.

I leave well-informed people to see if it's a pass.

CC: (none) => olchal

Comment 19 David Walser 2014-10-06 21:15:17 CEST
Indeed it is a pass, thanks Olivier.

Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Comment 20 David Walser 2014-10-06 21:17:08 CEST
(In reply to Jerome Quelin from comment #17)
> @comment 15: unfortunately, I cannot work / submit anything till my internet
> box is fixed. And I dont know when it will be. :-(

Jerome, do these commits look OK to you?

http://svnweb.mageia.org/packages/?view=revision&revision=737198
http://svnweb.mageia.org/packages/?view=revision&revision=737199
http://svnweb.mageia.org/packages/?view=revision&revision=737200
Comment 21 claire robinson 2014-10-06 23:11:00 CEST
Well done Olivier. It passed because it showed the 'Recursion limit' error instead of crashing or consuming all the memory.

perl-Data-Dumper is ready to validate but I'll add the feedback marker for now until it's decided what to do with perl/perl-base.

Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO feedback has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Comment 22 Jerome Quelin 2014-10-07 08:55:27 CEST
@david (comment 20): yes, if the patch applies cleanly.
Note however that it's bug#14170 that is concerned.
Comment 23 David Walser 2014-10-07 16:40:32 CEST
(In reply to Jerome Quelin from comment #22)
> @david (comment 20): yes if patch applies cleanly.
> Note however that it's bug#14170 that is concerned.

I generated the patches from the respective sources, so it'll apply.  Beginning the pushes now, hopefully it builds (it should).

In situations like this in the past, we've asked that the bundled module be fixed at the same time, and I believe that makes sense.

Claire, I'm validating this, but making it depend on the bug for perl itself.  Colin's script won't actually push the update until that one is validated due to the bug depends.

Sysadmins, this is ready to be pushed to updates for Mageia 3 and Mageia 4 once Bug 14170 is also validated.  The advisory is in SVN.

Keywords: (none) => validated_update
See Also: https://bugs.mageia.org/show_bug.cgi?id=14170 => (none)
Depends on: (none) => 14170
Whiteboard: MGA3TOO feedback has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 24 Mageia Robot 2014-10-09 16:06:57 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0407.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
