Bug 19168 - perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Summary: perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694861/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-08-09 20:41 CEST by David Walser
Modified: 2017-05-26 08:55 CEST (History)
5 users

See Also:
Source RPM: perl-CGI-Emulate-PSGI-0.210.0-3.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-08-09 20:41:27 CEST
Fedora has issued an advisory on August 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/

The security issue is related to the "httpoxy" set of flaws.

The issue is fixed in 0.22.
David Walser 2016-08-09 20:41:55 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-11-17 03:03:29 CET
Fixed in Cauldron by Guillaume (thanks!).

CC: (none) => guillomovitch
Version: Cauldron => 5
Summary: perl-CGI-Emulate-PSGI new "httpoxy" security issue => perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Whiteboard: MGA5TOO => (none)

Comment 2 Sander Lepik 2017-05-12 17:07:16 CEST
I have uploaded a patched package for Mageia 5.

I don't know how to test this, but I have confirmed that the patch is applied.

Suggested advisory:
========================

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability (aka CVE-2016-5387).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5

Source RPM:
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5.src.rpm

Assignee: mageia => qa-bugs
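
The mechanism behind the advisory text above, as an added illustration that is not the CGI::Emulate::PSGI module's own code: a PSGI-to-CGI bridge copies the request's HTTP_* keys into the CGI environment, so a client-supplied "Proxy:" header would become HTTP_PROXY, which proxy-aware HTTP client libraries read as their outgoing proxy setting. The sample PSGI environment and the two mapping functions are constructed for this example.

```perl
#!/usr/bin/perl
# Illustration only, not the module's code: why HTTP_PROXY must never be
# copied from the request headers into the CGI environment (CVE-2016-5387).
use strict;
use warnings;

# Constructed sample PSGI environment, shaped like what a server hands the app.
# A "Proxy:" request header arrives as HTTP_PROXY, like any other header.
my %psgi_env = (
    REQUEST_METHOD => 'GET',
    PATH_INFO      => '/index.cgi',
    HTTP_HOST      => 'www.example.org',
    HTTP_ACCEPT    => 'text/html',
    HTTP_PROXY     => 'http://proxy.invalid:8080',   # attacker-controlled header value
    'psgi.input'   => \*STDIN,
);

# Vulnerable mapping: every scalar, non-PSGI key becomes a CGI variable,
# HTTP_PROXY included, so the request header ends up in %ENV of the CGI script.
sub cgi_env_unsafe {
    my ($env) = @_;
    my %cgi;
    for my $key (keys %$env) {
        next if ref $env->{$key};        # psgi.input, psgi.errors and other refs
        next if $key =~ /^psgix?\./;     # remaining PSGI-only keys
        $cgi{$key} = $env->{$key};
    }
    return \%cgi;
}

# Hardened mapping, the shape of the 0.22 fix: drop HTTP_PROXY outright, so a
# request header can never be mistaken for the server's own proxy setting.
sub cgi_env_safe {
    my ($env) = @_;
    my $cgi = cgi_env_unsafe($env);
    delete $cgi->{HTTP_PROXY};
    return $cgi;
}

for my $case ([unsafe => cgi_env_unsafe(\%psgi_env)],
              [safe   => cgi_env_safe(\%psgi_env)]) {
    my ($label, $cgi) = @$case;
    printf "%-6s HTTP_PROXY=%s\n", $label,
        exists $cgi->{HTTP_PROXY} ? $cgi->{HTTP_PROXY} : '(not set)';
}
```

A quick check on a patched installation is to confirm that HTTP_PROXY is absent from the environment a CGI script sees even when the request carries a Proxy header; the unsafe branch above shows what an unpatched bridge would have produced.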

Comment 3 Herman Viaene 2017-05-18 10:30:27 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues.
# urpmq --whatrequires perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-Plack
perl-Plack
rt
 
Installed rt, but seems a complex thing to test.
At CLI:
# strace -o rttest.txt rt-setup-database --action init rttest
In order to create or update your RT database, this script needs to connect to your  mysql instance on localhost as root
Please specify that user's database password below. If the user has no database
password, just press return.

Password: 
Working with:
Type:	mysql
Host:	localhost
Name:	rt4
User:	rt_user
DBA:	root
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now creating a mysql database rt4 for RT.
Done.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now populating database schema.
Done.

and then more
Now inserting database ACLs.
Granting access to rt_user@'localhost' on rt4.
Done.Now inserting RT core system objects.
Done.
Now inserting data.
Done inserting data.
Done.
with above warnings interspersed
But the trace file did not show any call to one of the elements of the test package.
At least nothing seems to be broken by the installation.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Lewis Smith 2017-05-18 20:11:15 CEST
Other test possibilities?
 $ urpmq --whatrequires-recursive perl-CGI-Emulate-PSGI | sort | uniq
 mga-mirrors
 perl-Catalyst-Action-RenderView
 ... then a long list of perl-... modules to
 perl-Twiggy
 rt

mga-mirrors - Mageia Mirrors management
    /usr/bin/check_mirror
    /usr/bin/mga_mirrors_cgi.pl
    /usr/bin/mga_mirrors_create.pl
    /usr/bin/mga_mirrors_fastcgi.pl
    /usr/bin/mga_mirrors_server.pl
    /usr/bin/mga_mirrors_test.pl
I shall investigate this, in hope. Installing mga-mirrors pulled in 77 pkgs, including the one in question.

CC: (none) => lewyssmith

Comment 5 Guillaume Rousse 2017-05-19 19:35:07 CEST
As for many Perl libraries, there isn't any valid test procedure besides running the dedicated unit tests during the build process (make test). Curiously, they are disabled in the spec file, I don't know why, but they work for me.

Just installing a web application that may eventually use it for some unknown purpose (remember: this is an automatic dependency computed by a code parser) doesn't have any added value here. All in all, just forget testing, you're losing your time.
Dave Hodgins 2017-05-19 19:38:46 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins

Comment 6 Lewis Smith 2017-05-23 20:41:42 CEST
(In reply to Guillaume Rousse from comment #5)
> As for much perl libraries, there isn't any valid test procedure beside
> running dedicated unit tests during the build process (make test).
> Curiously, they are disabled in the spec file, I don't know why, but they
> work for me.
> 
> All in all, just forget testing, you're losing your time.
Guillaume: thank you for this helpful & frank advice!

M5x64
I had indeed wasted hours messing with the binaries noted in Comment 4,
 $ mga_mirrors_server.pl -help
being the only one worth looking at. Another one invites the installation of something from CPAN; DO NOT DO THAT - the consequences are dire.

 perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5
So I just went for a clean update, which it was; that will have to do.

Validating; advisory already registered.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-05-26 08:55:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0146.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

