Bug 26655 - perl-Mojolicious new security issue fixed upstream in 8.42
Summary: perl-Mojolicious new security issue fixed upstream in 8.42
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-05-21 00:31 CEST by David Walser
Modified: 2020-05-30 23:33 CEST (History)
4 users

See Also:
Source RPM: perl-Mojolicious-8.140.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Rudimentary server script for Mojolicious (338 bytes, application/x-perl)
2020-05-30 19:49 CEST, Len Lawrence

Description David Walser 2020-05-21 00:31:05 CEST
Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JBUG5I5NYLNO4I44N7J26C6RCVHX7M5Y/

The issue is fixed upstream in 8.42.
David Walser 2020-05-21 00:39:20 CEST

Status comment: (none) => Fixed upstream in 8.42

Comment 1 Nicolas Lécureuil 2020-05-22 01:16:14 CEST
Advisory:
This update fixes a security issue that allowed for _method query parameters to be used with GET requests

References:
https://github.com/mojolicious/mojo/commit/3c1c99a7131a1419d8d355a6083c31a7f9ca7ba0

rpms:
perl-Mojolicious-8.140.0-1.mga7

From:
perl-Mojolicious-8.140.0-1.1.mga7

Assignee: thierry.vignaud => qa-bugs
Status comment: Fixed upstream in 8.42 => (none)
CC: (none) => mageia
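The advisory above describes a method-override weakness: a framework that honours a `_method` parameter from the query string lets a plain GET (the kind a browser sends when following a link or loading an image) be routed as DELETE, PUT or PATCH, which defeats the assumption that state-changing routes are only reachable through a POSTed form. The following Python is an added example of that pattern, not Mojolicious code and not the upstream fix; it models the weak policy next to the hardened one (override accepted only from the body of a POST) and routes two constructed requests through each. The helper and route names are assumptions for illustration.

```python
from urllib.parse import parse_qs

# Methods a _method override is allowed to select (assumed policy).
OVERRIDABLE = {"PUT", "PATCH", "DELETE"}


def _param(qs, name):
    """First value of a form-encoded parameter, or None. Constructed helper."""
    values = parse_qs(qs, keep_blank_values=True).get(name)
    return values[0] if values else None


def effective_method_weak(method, query, body):
    """Weak policy: _method is read from the query string or the body for
    any request method, so GET /items/7?_method=DELETE becomes a DELETE."""
    override = _param(query, "_method") or _param(body, "_method")
    if override and override.upper() in OVERRIDABLE:
        return override.upper()
    return method.upper()


def effective_method_hardened(method, query, body):
    """Hardened policy: only a POST may be overridden, and only by a
    _method parameter carried in the request body, never the query string."""
    if method.upper() != "POST":
        return method.upper()
    override = _param(body, "_method")
    if override and override.upper() in OVERRIDABLE:
        return override.upper()
    return "POST"


def route(method, path, query, body, resolver):
    """Dispatch a request using the given method-resolution policy and
    return the action name, so the effect of each policy is visible."""
    effective = resolver(method, query, body)
    if path.startswith("/items/") and effective == "DELETE":
        return "delete_item"
    if path.startswith("/items/") and effective == "GET":
        return "show_item"
    return "not_found"  # anything else would be a 404


# Constructed sample requests: (method, path, query string, body).
LINK_GET = ("GET", "/items/7", "_method=DELETE", "")           # browser following a link
FORM_POST = ("POST", "/items/7", "", "_method=DELETE&csrf=x")  # HTML form with hidden _method

if __name__ == "__main__":
    for name, req in (("link GET", LINK_GET), ("form POST", FORM_POST)):
        print(name,
              "weak ->", route(*req, effective_method_weak),
              "| hardened ->", route(*req, effective_method_hardened))
```

Under the weak policy the GET link deletes the item; under the hardened policy it is just a GET and only the POSTed form reaches the delete action. A quick check for any framework exposing `_method` is therefore: send a GET with `?_method=DELETE` to a route that only declares DELETE and confirm it answers 404, as the patched version should.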

Comment 2 Len Lawrence 2020-05-30 19:47:35 CEST
mga7, x86_64

Not competent to try reproducing this issue so tried utility tests, before updating.
Used a local gui wrapper for get_iplayer which appears in the list of whatrequires.
$ strace -o bbc.trace bbc
Downloaded a programme successfully.

$ grep get_iplayer bbc.trace
read(10, "344 /home/lcl/.get_iplayer/progr"..., 8192) = 38
chdir("/home/lcl/.get_iplayer/")        = 0
openat(AT_FDCWD, "/home/lcl/.get_iplayer/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 10
stat("get_iplayer", {st_mode=S_IFREG|0755, st_size=450710, ...}) = 0

$ grep GET bbc.trace
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(4, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(5, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(6, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(7, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
ioctl(7, TCGETS, 0x7ffe7b636ea0)        = -1 ENOTTY (Inappropriate ioctl for device)
....

Not even sure that perl-Mojolicious is being used.  Information on the web implies that it has something to do with a perl web framework.

https://perlmaven.com/getting-started-with-mojolicious-lite
    
Started with the minimal helloworld script:
    
$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 17:49:08.32016] [17822] [debug] GET "/" (442e7771)
[2020-05-30 17:49:08.32080] [17822] [debug] 200 OK (0.00063s, 1587.302/s)

localhost:3000/ displays "Hello World" in a browser.
Tried localhost:3000/echo as well to display the error page reported online and the server shows this sort of thing:
[2020-05-30 17:53:48.48313] [17822] [debug] Template "not_found.html.ep" not found
[2020-05-30 17:53:48.48325] [17822] [debug] Rendering template "mojo/debug.html.ep"
[2020-05-30 17:53:48.50038] [17822] [debug] Your secret passphrase needs to be changed
[2020-05-30 17:53:48.50212] [17822] [debug] 404 Not Found (0.019721s, 50.707/s)

All as expected.

Modified the program - and ran it.
This showed an entry field followed by an 'echo' button.
Wrote a password into the box and clicked echo and up came the error page at Mojolicious with a little more information.  The server (in the terminal) reports a 404 error.

After a couple more modifications to the script, refreshing the web address posted the password enquiry and the echo button cleared all and echoed the password in the browser without restarting the server. 

A bit elementary but that is as far as it goes.

Updated the plugin.

$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 18:45:16.35103] [26927] [debug] GET "/echo" (5710c1b9)
[2020-05-30 18:45:16.35169] [26927] [debug] 200 OK (0.000672s, 1488.095/s)
[2020-05-30 18:45:29.84174] [26927] [debug] POST "/echo" (5dd0fde2)
[2020-05-30 18:45:29.84203] [26927] [debug] Routing to a callback
[2020-05-30 18:45:29.84230] [26927] [debug] 200 OK (0.000552s, 1811.594/s)

The password and echo button functioned fine at localhost:3000/echo

This will have to do at our end.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-05-30 19:49:05 CEST
Created attachment 11669
Rudimentary server script for Mojolicious
Comment 4 Thomas Andrews 2020-05-30 23:33:11 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

