Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQDGCD7A4CTB5OSIWPDU522DPCUK6W6P/

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered perl-Catalyst-Plugin-Static-Simple maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Hi. Updated RPMs pushed to updates_testing for MGA5 and MGA6.

perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6
CC: (none) => smelror
Advisory:
========================

Updated perl-Catalyst-Plugin-Static-Simple package fixes security vulnerability:

The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character (CVE-2017-16248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16248
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQDGCD7A4CTB5OSIWPDU522DPCUK6W6P/
========================

Updated packages in core/updates_testing:
========================
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6

from SRPMS:
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.src.rpm
perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Looking at M6/64

$ urpmq --whatrequires-recursive perl-Catalyst-Plugin-Static-Simple
mga-mirrors "Mageia Mirrors management"
+ various perl-somethings.

mga-mirrors (I was surprised to have to install it, pulled in >60 pkgs) includes the following programs (+ a few backends):
 /usr/bin/check_mirror [No man page or -h help]
 /usr/bin/mga_mirrors_server.pl Catalyst Testserver
 /usr/bin/mga_mirrors_test.pl Catalyst Test
 /var/www/cgi-bin/mga_mirrors_cgi.pl

/usr/share/doc/mga-mirrors/README [from 2011] says just:
"Run script/mga_mirrors_server.pl to test the application."

$ mga_mirrors_server.pl
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP has been removed in this version of Catalyst.
Please update your application's scripts with:
 catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/Model/Mirrors.pm line 28."
Compilation failed in require at /usr/bin/mga_mirrors_server.pl line 66.

$ mga_mirrors_test.pl
Failed to open /etc/mga-mirrors.ini: Permission denied at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 18.
Couldn't instantiate component "MGA::Mirrors::Model::Mirrors", "Can't bless non-reference value at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Test.pm line 155.
BEGIN failed--compilation aborted at /usr/bin/mga_mirrors_test.pl line 9.

# check_mirror
DBI connect('host=pgsql;dbname=mirrors','mirrors',...) failed: could not translate host name "pgsql" to address: Name or service not known at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 51.
Can't call method "prepare" on an undefined value at /usr/lib/perl5/vendor_perl/5.22.2/MGA/Mirrors/DB.pm line 225.

Where this got "pgsql" [Postgres] from...
Clearly we need some advice to try this path; unless there is another. --------------------------------------------------------------------- The actual bug is clear enough: "The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character." and the one-line correction to lib/Catalyst/Plugin/Static/Simple.pm in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880458 - if ( $path =~ /.*\.(\S{1,})$/xms ) { + if ( $path =~ /\.([^\/\\]+)$/m ) { explained: "instead of matching one or more non-space characters between a dot (including "/") and the end of the path, match one or more characters different from "/" and "\" between a dot and the end of the path." I would be prepared to let this out just on this basis if we can show this change is in the update.
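Review bot: the replacement pattern on the "+" line keeps the /m modifier, so "$" also matches just before a newline inside $path rather than only at the very end of the string; since the intent is to test the final path component, consider dropping /m and anchoring with \z, as in /\.([^\/\\]+)\z/. The old \S class also excluded whitespace, which [^\/\\] no longer does, so a short comment stating which characters an extension may contain would help the next reader.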
CC: (none) => lewyssmith
Another go M6/64

# mga_mirrors_test.pl [better]
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
Usage:
 mga_mirrors_test.pl [options] uri
 Examples:
 mga_mirrors_test.pl http://localhost/some_action
 mga_mirrors_test.pl /some_action
 See also:
 perldoc Catalyst::Manual
 perldoc Catalyst::Manual::Intro

# mga_mirrors_server.pl [similar to above]
You are loading Catalyst::Engine::HTTP explicitly.
This is almost certainly a bad idea, as Catalyst::Engine::HTTP has been removed in this version of Catalyst.
Please update your application's scripts with:
 catalyst.pl -force -scripts MyApp
to update your scripts to not do this.
MGA::Mirrors::View::GraphViz is using the deprecated Catalyst::Base, update your application as this will be removed in the next major release at /usr/lib/perl5/vendor_perl/5.22.2/Catalyst/Base.pm line 7.
failed to listen to port 8080: Address already in use at /usr/lib/perl5/vendor_perl/5.22.2/HTTP/Server/PSGI.pm line 94.
Testing M6/64 empirically

Since the correction is Perl semantic, I tried the change independently. It should show its efficacity anyway.

BEFORE the regular expression update:
$ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /.*\.(\S{1,})$/xms) {print $& };'
dir.name/file.sfx
Shows the error (suffix taken as the entire pathname).

AFTER the regular expression update:
$ perl -e '$x = "dir.name/file.sfx"; if ($x =~ /\.([^\/\\]+)$/m) {print $& };'
.sfx
Shows the correct result (suffix only).

After applying the update, the results were (of course) the same.

> I would be prepared to let this out just on this basis if we can show this
> change is in the update.

Seconded.
Keywords: (none) => advisory
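The comparison made in comment 6 above, extended to a few more path shapes and to a check of the source line itself, as an added example that is not part of the bug report or of the module's code. Both patterns are copied from the diff quoted earlier in this thread; the helper names extension and source_is_patched, the sample paths and the sample source line are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: not code from the bug report or from the module.
use strict;
use warnings;

# Both patterns are copied from the one-line diff quoted in the report.
my $OLD = qr/.*\.(\S{1,})$/xms;    # before 0.34
my $NEW = qr/\.([^\/\\]+)$/m;      # 0.34

# Hypothetical helper: the captured "extension", or undef if none is found.
sub extension {
    my ($re, $path) = @_;
    return $path =~ $re ? $1 : undef;
}

# Hypothetical helper: true when source text carries the fixed check and
# no longer the old one (plain substring search, no regex involved).
sub source_is_patched {
    my ($src) = @_;
    return index($src, '/\.([^\/\\\\]+)$/m') >= 0
        && index($src, '/.*\.(\S{1,})$/xms') < 0;
}

# Constructed sample paths, not taken from the report.
my @paths = (
    'css/site.css',           # dot in the file name
    'dir.name/file.sfx',      # the path used in comment 6
    'dir.name/file',          # dot only in a directory name
    'v1.2/admin/settings',    # dot only in a directory name, deeper
    'plain/file',             # no dot anywhere
);

for my $p (@paths) {
    my ($old, $new) = (extension($OLD, $p), extension($NEW, $p));
    printf "%-20s old=%-17s new=%s\n", $p,
        $old // '(none)', $new // '(none)';
}

# Constructed stand-in for the patched line of Simple.pm, to show the check.
my $sample = <<'SRC';
        if ( $path =~ /\.([^\/\\]+)$/m ) {
SRC
print "sample source patched: ",
    (source_is_patched($sample) ? "yes" : "no"), "\n";
```

To check a real package, pass the contents of lib/Catalyst/Plugin/Static/Simple.pm from the unpacked source RPM to source_is_patched instead of the sample line.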
MGA5-32 on Dell Latitude D600 Xfce No installation issues. I haven't a clue what those commands are about in Comment 6. Do those commands go on one line? Whatever I try, all I get is a ">" prompt.
CC: (none) => herman.viaene
@Lewis, re comment 6. Great sideways thinking man. I had looked at this offline some time ago but got nowhere. Your suggestion is what Claire recommended on another bug - diff the source code to see that the patch had been applied. Cannot remember how but it probably requires a git checkout of the relevant sources for a start. Not going to be around today but shall chase it up tomorrow.
CC: (none) => tarazed25
@Herman re comment 7. The commands do work. It helps to stretch the width of your terminal to accommodate the whole string. The commands are simply running a line of perl code using the -e switch. If you copy the inline commands to a file it still works:

test.pl contains the second example from comment 6.
$x = "dir.name/file.sfx"; if ($x =~ /\.([^\/\\]+)$/m) {print $& };

$ perl test.pl
.sfx$
I got confused, I suspected the commands in Comment 6 had an overflow to the next line. But I can confirm they work as explained above. @Lewis If you decide that your 64 testing is OK, please then fill the OK for 32 as well.
@Lewis. re comment 6. Correction, Claire passed on some advice in a thread on QAD. You click the RPM field on madb against the particular update which takes you to a page where you can select the relevant source RPM and click on [diff] which should display the changes between pre and post updates. It does not work very well in practice at the moment - just goes into an endless "connecting" loop. The server must be busy.
It connected eventually and output a couple of lines. One was something about a unified diff but displayed nothing. Not sure what to make of that.
I have asked Claire to take a look. Watch out, update!
Since http://madb.mageia.org/rpm/diff/application/0/name/perl-Catalyst-Plugin-Static-Simple-0.340.0-1.mga5.noarch.rpm/source/0/release/5/arch/i586/t_media/5 is not responding, I downloaded both of the srpms. Installed the first one, renamed /root/rpmbuild to /root/rpmbuild320. Installed the first one, renamed /root/rpmbuild to /root/rpmbuild340. Expanded the two source files with tar -xf, then used kdiff3 to compare the files from both srpms. Confirmed the expected change is in lib/Catalyst/Plugin/Static/Simple.pm Repeated for Mageia 6, with 330 for the release version. Validating the update.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0439.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED