Bug 22053 - perl-Catalyst-Plugin-Static-Simple new security issue CVE-2017-16248
Summary: perl-Catalyst-Plugin-Static-Simple new security issue CVE-2017-16248
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-17 17:56 CET by David Walser
Modified: 2017-12-02 00:14 CET
CC: 8 users

See Also:
Source RPM: perl-Catalyst-Plugin-Static-Simple-0.330.0-3.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-11-17 17:56:15 CET
Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQDGCD7A4CTB5OSIWPDU522DPCUK6W6P/

Mageia 5 is also affected.

David Walser 2017-11-17 17:56:22 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-11-17 20:54:08 CET
Assigning to the registered perl-Catalyst-Plugin-Static-Simple maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Stig-Ørjan Smelror 2017-11-18 12:09:30 CET
Hi.

Updated RPMs pushed to updates_testing for MGA5 and MGA6.

perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6

CC: (none) => smelror

Comment 3 David Walser 2017-11-18 18:10:42 CET
Advisory:
========================

Updated perl-Catalyst-Plugin-Static-Simple package fixes security vulnerability:

The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote
attackers to read arbitrary files if there is a '.' character anywhere in the
pathname, which differs from the intended policy of allowing access only when
the filename itself has a '.' character (CVE-2017-16248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16248
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQDGCD7A4CTB5OSIWPDU522DPCUK6W6P/
========================

Updated packages in core/updates_testing:
========================
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6

from SRPMS:
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.src.rpm
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 4 Lewis Smith 2017-11-20 16:54:32 CET
Looking at M6/64

$ urpmq --whatrequires-recursive perl-Catalyst-Plugin-Static-Simple
mga-mirrors                              "Mageia Mirrors management"
+ various perl-somethings.

mga-mirrors (I was surprised to have to install it, pulled in >60 pkgs) includes the following programs (+ a few backends):
 /usr/bin/check_mirror            [No man page or -h help]
 /usr/bin/mga_mirrors_server.pl   Catalyst Testserver
 /usr/bin/mga_mirrors_test.pl     Catalyst Test

 /var/www/cgi-bin/mga_mirrors_cgi.pl

/usr/share/doc/mga-mirrors/README [from 2011] says just:
"Run script/mga_mirrors_server.pl to test the application."

$ mga_mirrors_server.pl
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP
has been removed in this version of Catalyst.
Please update your application's scripts with:
  catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/Model/Mirrors.pm line 28."Compilation failed in require at /usr/bin/mga_mirrors_server.pl line 66.

$ mga_mirrors_test.pl
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Test.pm line 155.
BEGIN failed--compilation aborted at /usr/bin/mga_mirrors_test.pl line 9.

# check_mirror
DBI connect('host=pgsql;dbname=mirrors','mirrors',...) failed: could not translate host name "pgsql" to address: Name or service not known at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 51.
Can't call method "prepare" on an undefined value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 225.

Where this got "pgsql" [Postgres] from...
Clearly we need some advice to try this path; unless there is another.
---------------------------------------------------------------------
 The actual bug is clear enough:
"The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character."
 and the one-line correction to lib/Catalyst/Plugin/Static/Simple.pm in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880458
-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
+    if ( $path =~ /\.([^\/\\]+)$/m ) {
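Review bot: the replacement keeps `$` together with the `m` modifier, so the anchor also matches before an embedded newline rather than only at the very end of the path; a path whose first line ends in `.ext` would still satisfy the check. If newlines cannot reach `$path` this is harmless; otherwise `\z` (or dropping `m`) is the tighter anchor. The class `[^\/\\]` does what the explanation says: the dot must sit in the final path component, and a backslash is treated as a separator as well.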
explained:
"instead of matching one or more non-space characters between a 
dot (including "/") and the end of the path, match one or more characters 
different from "/" and "\" between a dot and the end of the path."

I would be prepared to let this out just on this basis if we can show this change is in the update.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2017-11-20 17:00:00 CET
Another go M6/64

# mga_mirrors_test.pl       [better]
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
Usage:
    mga_mirrors_test.pl [options] uri
     Examples:
       mga_mirrors_test.pl http://localhost/some_action
       mga_mirrors_test.pl /some_action
     See also:
       perldoc Catalyst::Manual
       perldoc Catalyst::Manual::Intro

# mga_mirrors_server.pl     [similar to above]
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP
has been removed in this version of Catalyst.
Please update your application's scripts with:
  catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
failed to listen to port 8080: Address already in use at /usr/lib/perl5/vendor_perl/5.22.2/HTTP/Server/PSGI.pm line 94.

Comment 6 Lewis Smith 2017-11-20 19:17:25 CET
Testing M6/64 empirically

Since the correction is Perl semantic, I tried the change independently. It should show its efficacy anyway.

BEFORE the regular expression update:
 $ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /.*\.(\S{1,})$/xms) {print $& };'
dir.name/file.sfx
Shows the error (suffix taken as the entire pathname).

AFTER the regular expression update:
 $ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /\.([^\/\\]+)$/m) {print $& };'
.sfx
Shows the correct result (suffix only).

After applying the update, the results were (of course) the same.
> I would be prepared to let this out just on this basis if we can show this
> change is in the update.
Seconded.

Lewis Smith 2017-11-25 20:43:47 CET

Keywords: (none) => advisory
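Added example, not code from the bug report or from the Catalyst-Plugin-Static-Simple distribution: a small Perl script that runs both regular expressions from the Debian patch quoted in Comment 4 over a few constructed paths. The subroutine names and the test paths are mine. It extends the check in Comment 6 to the case that actually matters for the advisory, a path with a '.' in a directory name but none in the filename: the old pattern matches it (with "name/file" as the captured "extension"), the new one does not.

```perl
#!/usr/bin/perl
# Added example (not from the Catalyst-Plugin-Static-Simple sources):
# side-by-side run of the pre-0.34 extension check and the corrected one
# from the Debian report, on paths where the two differ.
use strict;
use warnings;

# Pre-0.34 check: a dot followed by a run of non-space characters up to the
# end of the path. '/' is not whitespace, so a dot in a directory name is
# enough for the path to be treated as a static file.
sub ext_old {
    my ($path) = @_;
    return $path =~ /.*\.(\S{1,})$/xms ? $1 : undef;
}

# 0.34 check: a dot followed by characters other than '/' or '\' up to the
# end of the path, i.e. the dot must be in the last path component.
sub ext_new {
    my ($path) = @_;
    return $path =~ /\.([^\/\\]+)$/m ? $1 : undef;
}

# Constructed test paths (hypothetical, not taken from the bug report).
my @cases = (
    'static/css/site.css',      # normal static file: both match
    'dir.name/file.sfx',        # Comment 6 case: both match, both capture "sfx"
    'dir.name/file',            # dot only in a directory: old matches, new does not
    'v1.0/../../etc/passwd',    # no dot in the filename: old matches, new does not
    'passwd',                   # no dot at all: neither matches
);

printf "%-26s %-20s %s\n", 'path', 'old ($1)', 'new ($1)';
for my $p (@cases) {
    printf "%-26s %-20s %s\n",
        $p,
        ext_old($p) // '(no match)',
        ext_new($p) // '(no match)';
}
```

Run it with `perl script.pl`. The rows to look at are the third and fourth: with the old pattern `$1` is "name/file" and "/etc/passwd" respectively, so the plugin would have gone on to treat those requests as static files even though the filename itself has no extension; the new pattern rejects both, while ordinary `site.css` style paths are still accepted.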

Comment 7 Herman Viaene 2017-11-28 17:35:10 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
I haven't a clue what those commands are about in Comment 6. Do those commands go on one line? Whatever I try, all I get is a ">" prompt.

CC: (none) => herman.viaene

Comment 8 Len Lawrence 2017-11-29 10:33:15 CET
@Lewis, re comment 6.
Great sideways thinking man.
I had looked at this offline some time ago but got nowhere.  Your suggestion is what Claire recommended on another bug - diff the source code to see that the patch had been applied.  Cannot remember how but it probably requires a git checkout of the relevant sources for a start.  Not going to be around today but shall chase it up tomorrow.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2017-11-29 10:47:31 CET
@Herman re comment 7.
The commands do work.
It helps to stretch the width of your terminal to accommodate the whole string.
The commands are simply running a line of perl code using the -e switch.
If you copy the inline commands to a file it still works:

test.pl contains the second example from comment 6.

$x = "dir.name/file.sfx";
if ($x =~ /\.([^\/\\]+)$/m) {print $& };

$ perl test.pl
.sfx$

Comment 10 Herman Viaene 2017-11-29 14:12:58 CET
I got confused, I suspected the commands in Comment 6 had an overflow to the next line.
But I can confirm they work as explained above.
@Lewis
If you decide that your 64 testing is OK, please then fill the OK for 32 as well.

Comment 11 Len Lawrence 2017-11-29 23:54:19 CET
@Lewis.  re comment 6.  Correction, Claire passed on some advice in a thread on QAD.  You click the RPM field on madb against the particular update which takes you to a page where you can select the relevant source RPM and click on [diff] which should display the changes between pre and post updates.  It does not work very well in practice at the moment - just goes into an endless "connecting" loop.  The server must be busy.

Comment 12 Len Lawrence 2017-11-30 00:03:13 CET
It connected eventually and output a couple of lines.

One was something about a unified diff but displayed nothing.
Not sure what to make of that.

Comment 13 Lewis Smith 2017-11-30 09:49:03 CET
I have asked Claire to take a look. Watch out, update!

Comment 14 Dave Hodgins 2017-11-30 17:03:12 CET
Since http://madb.mageia.org/rpm/diff/application/0/name/perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.noarch.rpm/source/0/release/5/arch/i586/t_media/5
is not responding, I downloaded both of the srpms.

Installed the first one, renamed /root/rpmbuild to /root/rpmbuild320.
Installed the first one, renamed /root/rpmbuild to /root/rpmbuild340.

Expanded the two source files with tar -xf, then used kdiff3 to compare
the files from both srpms.

Confirmed the expected change is in lib/Catalyst/Plugin/Static/Simple.pm

Repeated for Mageia 6, with 330 for the release version.

Validating the update.

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 15 Mageia Robot 2017-12-02 00:14:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0439.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
