Debian has issued an advisory today (July 25):
https://lists.debian.org/debian-security-announce/2016/msg00206.html
The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3628
The Debian bug referenced there is only about CVE-2016-6185 which we have fixed in Bug 18894.
CVE-2016-1238 appears to be a larger, related issue. We'll need some Perl experts to dig into this one.
Whiteboard: (none) => MGA5TOO
According to these advisories, perl-Sys-Syslog and perl-Module-Load-Conditional are also affected:
http://lwn.net/Alerts/696391/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
Looking at the Debian advisory, several other packages are also affected:
debhelper
perl-libintl-perl
perl-MIME-Charset
perl-MIME-EncWords
perl-Module-Build
perl-Module-Load-Conditional
perl-Net-DNS
perl-Sys-Syslog
perl-Unicode-LineBreak
CC: (none) => shlomif
CC: (none) => mageia
done: perl-Module-Load-Conditional ( SRPMS: perl-Module-Load-Conditional-0.680.0-1.mga5 )
CVE: (none) => CVE-2016-1238
perl-Sys-Syslog is now fixed in cauldron
should be mostly OK on cauldron.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
What about the other modules in Comment 2?
I don't see them in debian advisory ( https://security-tracker.debian.org/tracker/CVE-2016-1238 )
(In reply to Nicolas Lécureuil from comment #7)
> I don't see them in debian advisory (
> https://security-tracker.debian.org/tracker/CVE-2016-1238 )
They are listed in the Debian advisory:
https://www.debian.org/security/2016/dsa-3628
Keep in mind that Debian has weird names for their perl packages. I translated them in Comment 2.
Whiteboard: (none) => MGA5TOO
Version: 5 => Cauldron
perl-libintl-perl is OK
perl-MIME-Charset is OK
perl-MIME-EncWords is OK
perl-Module-Build is OK
perl-Net-DNS is OK
perl-Sys-Syslog is OK
perl-Unicode-LineBreak is ok on cauldron, so should really be ok on mga6 now
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3873-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 05, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package        : perl
CVE ID         : CVE-2017-6512
Debian Bug     : 863870
The cPanel Security Team reported a time of check to time of use (TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen value.
For the stable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u7.
For the upcoming stable distribution (stretch), this problem has been fixed in version 5.24.1-3.
For the unstable distribution (sid), this problem has been fixed in version 5.24.1-3.
CC: (none) => zombie_ryushu
Summary: perl new security issue CVE-2016-1238 => perl new security issue CVE-2016-1238 CVE-2017-6512
(In reply to Zombie Ryushu from comment #16)
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3873-1 security@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> June 05, 2017 https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
It's more useful to provide a link to the DSA rather than copy-paste the entire contents:
https://www.debian.org/security/2017/dsa-3873
This also affects perl-File-Path.
Whiteboard: (none) => MGA5TOO
Version: 5 => Cauldron
Summary: perl new security issue CVE-2016-1238 CVE-2017-6512 => perl new security issues CVE-2016-1238 and CVE-2017-6512
(In reply to David Walser from comment #17)
> (In reply to Zombie Ryushu from comment #16)
> > - -------------------------------------------------------------------------
> > Debian Security Advisory DSA-3873-1 security@debian.org
> > https://www.debian.org/security/ Salvatore Bonaccorso
> > June 05, 2017 https://www.debian.org/security/faq
> > - -------------------------------------------------------------------------
>
> It's more useful to provide a link to the DSA rather than copy-paste the
> entire contents:
> https://www.debian.org/security/2017/dsa-3873
>
> This also affects perl-File-Path.
In mga6 this should be fixed in %mkrel 3 of perl, which I tested locally to be fine. It needs to be freeze pushed.
(In reply to Shlomi Fish from comment #18)
> (In reply to David Walser from comment #17)
> > (In reply to Zombie Ryushu from comment #16)
> > > - -------------------------------------------------------------------------
> > > Debian Security Advisory DSA-3873-1 security@debian.org
> > > https://www.debian.org/security/ Salvatore Bonaccorso
> > > June 05, 2017 https://www.debian.org/security/faq
> > > - -------------------------------------------------------------------------
> >
> > It's more useful to provide a link to the DSA rather than copy-paste the
> > entire contents:
> > https://www.debian.org/security/2017/dsa-3873
> >
> > This also affects perl-File-Path.
>
> In mga6 this should be fixed in %mkrel 3 of perl, which I tested locally to
> be fine. It needs to be freeze pushed.
perl-File-Path upgraded to 2.13 in mga6. Also needs to be pushed.
Thanks Shlomi!
Depends on: (none) => 21752
Luigi12: how should the perl package be updated in mga5 here - https://bugs.mageia.org/show_bug.cgi?id=19051 ?
(In reply to Shlomi Fish from comment #21)
> Luigi12: how should the perl package be updated in mga5 here -
> https://bugs.mageia.org/show_bug.cgi?id=19051 ?
The separate module packages in Comment 2 need to be patched for CVE-2016-1238 and perl-File-Path (Comment 17) needs to be patched for CVE-2017-6512.
Current status:
perl-libintl-perl - still needed
perl-MIME-Charset - still needed
perl-MIME-EncWords - still needed
perl-Module-Build-0.421.0-5.1.mga5 - built by Shlomi
perl-Module-Load-Conditional-0.680.0-1.mga5 - built by Nicolas
perl-Net-DNS - still needed (update attempt by Shlomi didn't build)
perl-Sys-Syslog-0.330.0-7.1.mga5 - built by Shlomi
perl-Unicode-LineBreak - still needed
perl-File-Path - still needed
Saving the draft of the advisory for later as we still wait to get the remaining modules fixed (which still need to be mentioned in the advisory).
Advisory:
========================
Updated perl packages fix security vulnerabilities:
John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising) and potentially leading to privilege escalation (CVE-2016-1238).
The cPanel Security Team reported a time of check to time of use (TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen value (CVE-2017-6512).
Jakub Wilk reported a heap buffer overflow flaw in the regular expression compiler, allowing a remote attacker to cause a denial of service via a specially crafted regular expression with the case-insensitive modifier (CVE-2017-12837).
Jakub Wilk reported a buffer over-read flaw in the regular expression parser, allowing a remote attacker to cause a denial of service or information leak (CVE-2017-12883).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883
https://www.debian.org/security/2016/dsa-3628
https://www.debian.org/security/2017/dsa-3873
https://www.debian.org/security/2017/dsa-3982
========================
Updated packages in core/updates_testing:
========================
perl-5.20.1-8.7.mga5
perl-base-5.20.1-8.7.mga5
perl-devel-5.20.1-8.7.mga5
perl-doc-5.20.1-8.7.mga5
perl-Module-Build-0.421.0-5.1.mga5
perl-Module-Load-Conditional-0.680.0-1.mga5
perl-Sys-Syslog-0.330.0-7.1.mga5
from SRPMS:
perl-5.20.1-8.7.mga5.src.rpm.src.rpm
perl-Module-Build-0.421.0-5.1.mga5.src.rpm
perl-Module-Load-Conditional-0.680.0-1.mga5.src.rpm
perl-Sys-Syslog-0.330.0-7.1.mga5.src.rpm
Advisory:
========================
Updated perl packages fix security vulnerabilities:
John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising) and potentially leading to privilege escalation (CVE-2016-1238).
The cPanel Security Team reported a time of check to time of use (TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen value (CVE-2017-6512).
Jakub Wilk reported a heap buffer overflow flaw in the regular expression compiler, allowing a remote attacker to cause a denial of service via a specially crafted regular expression with the case-insensitive modifier (CVE-2017-12837).
Jakub Wilk reported a buffer over-read flaw in the regular expression parser, allowing a remote attacker to cause a denial of service or information leak (CVE-2017-12883).
The perl-libintl-perl, perl-MIME-Charset, perl-MIME-EncWords, perl-Module-Build, perl-Sys-Syslog, and perl-Unicode-LineBreak packages have been patched and the perl-Module-Load-Conditional and perl-Net-DNS packages have been updated to fix CVE-2016-1238 as well.
The perl-File-Path package has also been patched to fix CVE-2017-6512.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883
https://www.debian.org/security/2016/dsa-3628
https://www.debian.org/security/2017/dsa-3873
https://www.debian.org/security/2017/dsa-3982
========================
Updated packages in core/updates_testing:
========================
perl-5.20.1-8.7.mga5
perl-base-5.20.1-8.7.mga5
perl-devel-5.20.1-8.7.mga5
perl-doc-5.20.1-8.7.mga5
perl-libintl-perl-1.230.0-6.1.mga5
perl-MIME-Charset-1.11.1-4.1.mga5
perl-MIME-EncWords-1.14.2-4.1.mga5
perl-Module-Build-0.421.0-5.1.mga5
perl-Module-Load-Conditional-0.680.0-1.mga5
perl-Net-DNS-1.90.0-0.mga5
perl-Sys-Syslog-0.330.0-7.1.mga5
perl-Unicode-LineBreak-2014.60.0-5.1.mga5
perl-File-Path-2.90.0-4.1.mga5
from SRPMS:
perl-5.20.1-8.7.mga5.src.rpm.src.rpm
perl-libintl-perl-1.230.0-6.1.mga5.src.rpm
perl-MIME-Charset-1.11.1-4.1.mga5.src.rpm
perl-MIME-EncWords-1.14.2-4.1.mga5.src.rpm
perl-Module-Build-0.421.0-5.1.mga5.src.rpm
perl-Module-Load-Conditional-0.680.0-1.mga5.src.rpm
perl-Net-DNS-1.90.0-0.mga5.src.rpm
perl-Sys-Syslog-0.330.0-7.1.mga5.src.rpm
perl-Unicode-LineBreak-2014.60.0-5.1.mga5.src.rpm
perl-File-Path-2.90.0-4.1.mga5.src.rpm
Assignee: jquelin => qa-bugs
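Added example, not part of this bug report and not the patch applied to any of the packages above: the optional-module loading problem the advisory describes for CVE-2016-1238, next to one common hardening (searching a local copy of @INC with a trailing '.' dropped). The helper names and the module name Optional::Probe1238 are made up for the demonstration, and the script puts '.' at the end of @INC itself to reproduce the default of perl releases before 5.26.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Turn Foo::Bar into Foo/Bar.pm, the form require() searches @INC for.
sub module_file { my ($m) = @_; (my $f = "$m.pm") =~ s{::}{/}g; return $f }

# Pattern behind CVE-2016-1238: the optional module is looked up in every
# @INC entry, including a trailing '.' (the current working directory).
sub load_optional_unsafe {
    my ($module) = @_;
    my $file = module_file($module);
    return eval { require $file; 1 } ? 1 : 0;
}

# Hardened pattern: search a local copy of @INC with a trailing '.' dropped,
# so an explicit "-I." or "use lib '.'" earlier in the list still works.
sub load_optional_safe {
    my ($module) = @_;
    my $file = module_file($module);
    local @INC = @INC;
    pop @INC if @INC && !ref $INC[-1] && $INC[-1] eq '.';
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed demo: a scratch directory stands in for an untrusted cwd and
# Optional::Probe1238 is a made-up module that exists only there.
my $orig = getcwd();
my $dir  = tempdir(CLEANUP => 1);
mkdir "$dir/Optional" or die "mkdir: $!";
open my $fh, '>', "$dir/Optional/Probe1238.pm" or die "open: $!";
print {$fh} "package Optional::Probe1238;\n1;\n";
close $fh or die "close: $!";

chdir $dir or die "chdir: $!";
push @INC, '.' unless @INC && !ref $INC[-1] && $INC[-1] eq '.';  # pre-5.26 default
# Safe loader runs first: a successful require is cached in %INC.
my $safe   = load_optional_safe('Optional::Probe1238');
my $unsafe = load_optional_unsafe('Optional::Probe1238');
chdir $orig or die "chdir: $!";

print "hardened loader loaded module from cwd: ", ($safe   ? "yes" : "no"), "\n";
print "plain require loaded module from cwd:   ", ($unsafe ? "yes" : "no"), "\n";
```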
Mageia 5 :: x86_64
Installed any missing packages then updated them using MageiaUpdate.
The only QA test available involved creating a database and may not have been relevant to this update. I did not get very far with it anyway.
It is difficult to see how to test this set of packages in such a way as to be sure all the patches have been covered. Looking at the CVEs it looks likely that anything relevant will be in the basic perl packages so maybe all we can do is run some perl scripts. I have no perl skills so I used an existing script on this system to exercise perl.
$ perl labelnation.pl -l -t Avery-5261 -i brillig
This created labelnation.ps containing a 2x10 set of labels using the text in the file indicated. Viewed using gs.
Leaving this hanging in case anybody has any suggestions about a more complete set of tests.
CC: (none) => tarazed25
Mostly just testing that various parts of mcc work, including rpmdrake to ensure network access, etc., works. Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0047.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED