Bug 23833 - php-pear-CAS new XSS security issue fixed upstream in 1.3.6
Summary: php-pear-CAS new XSS security issue fixed upstream in 1.3.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-09 18:32 CET by David Walser
Modified: 2018-11-15 23:05 CET (History)
CC List: 8 users

See Also:
Source RPM: php-pear-CAS-1.3.5-2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-11-09 18:32:13 CET
Fedora has issued an advisory today (November 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEGEFJ7FLVRKHGLAE4DKVISLIWBWBFDW/

The issue is fixed upstream in 1.3.6.

Mageia 6 is also affected.
David Walser 2018-11-09 18:32:34 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-11-10 07:05:05 CET
Assigning to the php stack maintainers, CC'ing two committers.

Assignee: bugsquad => php
CC: (none) => guillomovitch, mageia, marja11

Comment 2 Marc Krämer 2018-11-10 13:25:06 CET
This package seems to have only one dep: fusiondirectory, which is maintained by ennael.
I'll push the new version.

CC: (none) => mageia
Assignee: php => mageia

Comment 3 Marc Krämer 2018-11-10 14:25:54 CET
Since this package was moved from pear to composer, there might be issues. Hopefully ennael can test his package to see if this still meets all requirements.

Suggested advisory:
========================

Updated php-pear-CAS packages fix a security vulnerability:
An XSS vulnerability has been fixed for proxy mode.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JEGEFJ7FLVRKHGLAE4DKVISLIWBWBFDW/
========================

Updated packages in core/updates_testing:
========================
php-pear-CAS-1.3.6-1.mga6.noarch.rpm

SRPM:
php-pear-CAS-1.3.6-1.mga6.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2018-11-10 15:13:15 CET

CC: (none) => tmb
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Herman Viaene 2018-11-14 11:51:57 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 20722 and bug 10136, I tried to install moodle, but there is no package (anymore?) with this name. Consulting rpmfind, it is in Fedora up to 29, but in Mageia it was last in Mageia 5,
and
# urpmq --whatrequires php-pear-CAS
php-pear-CAS
So I would agree on a clean install. Is that acceptable???

CC: (none) => herman.viaene

Comment 5 David Walser 2018-11-14 15:01:38 CET
Yes moodle was dropped.  Clean install/upgrade is sufficient here.
Herman Viaene 2018-11-14 15:21:05 CET

Whiteboard: (none) => MGA6-32-OK

Comment 6 Lewis Smith 2018-11-14 21:56:00 CET
(In reply to David Walser from comment #5)
> Yes moodle was dropped.
This is drastic - a major application.

Trying M6 x64
I found something a bit different from Herman:
$ urpmq --whatrequires php-pear-CAS | sort -u
fusiondirectory

$ urpmq --whatrequires-recursive php-pear-CAS | sort -u
fusiondirectory
fusiondirectory-database
+ loads of fusiondirectory-plugin-xxx

$ urpmq --whatrequires fusiondirectory | sort -u
fusiondirectory
fusiondirectory-database
fusiondirectory-plugin-xxx etc etc

This is enigmatic. Are we dealing with packages which are not used?

BEFORE update: installed: php-pear-CAS-1.3.5-1.mga6.noarch.rpm
which showed unusually:
 install ok: channel://__uri/CAS-1.3.5
AFTER painless update: php-pear-CAS-1.3.6-1.mga6

> Clean install/upgrade is sufficient here.
So OKing it, & validating. Advisory done from comment 3.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 David Walser 2018-11-14 23:45:07 CET
(In reply to Lewis Smith from comment #6)
> (In reply to David Walser from comment #5)
> > Yes moodle was dropped.
> This is drastic - a major application.

Nonsense.  It was yet another webapp that wasn't used by many and wasn't able to be maintained.  We've dropped plenty of others like that and need to continue to do that.  For Moodle, it was only packaged for us in Mageia 5, and it didn't even last the lifetime of it.  I ended support for the package two and a half years ago.  It was something that I packaged because I was using it at work, but it was a difficult and complicated package.  There was a third party regular expression plugin that I had bundled with it that we needed for grading some quiz questions that broke at times and I had to work with the upstream author to resolve those issues, so that was something that I always had to test when updating Moodle to a new branch, and the last major update I did, they removed the default theme which had been there for years and worked very well, and replaced it with one that was awful and very buggy, which forced me to then also bundle a third party theme that was the only one that didn't break any of our quizzes, so that was another thing that I needed to test every time it was updated, and once the contract I was working on ended, I didn't have the ability to test it anymore.

> This is enigmatic. Are we dealing with packages which are not used?

Probably, but your urpmq command won't help you determine that.  Applications like that are leaf packages and generally wouldn't be required by anything; that doesn't tell you anything about who is using it, but I've never heard anything about anyone using fusiondirectory (which doesn't mean nobody does, but probably very few do).
Comment 8 Mageia Robot 2018-11-15 23:05:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0452.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED