Bug 26655 - perl-Mojolicious new security issue fixed upstream in 8.42
Summary: perl-Mojolicious new security issue fixed upstream in 8.42
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-05-21 00:31 CEST by David Walser
Modified: 2020-06-11 00:58 CEST (History)
4 users (show)

See Also:
Source RPM: perl-Mojolicious-8.140.0-1.mga7.src.rpm
Status comment:

Rudimentary server script for Mojolicious (338 bytes, application/x-perl)
2020-05-30 19:49 CEST, Len Lawrence

Description David Walser 2020-05-21 00:31:05 CEST
Fedora has issued an advisory on May 19:

The issue is fixed upstream in 8.42.
David Walser 2020-05-21 00:39:20 CEST

Status comment: (none) => Fixed upstream in 8.42

Comment 1 Nicolas Lécureuil 2020-05-22 01:16:14 CEST
This update fix a security issue that allowed for _method query parameters to be used with GET requests




Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 8.42 => (none)

Comment 2 Len Lawrence 2020-05-30 19:47:35 CEST
mga7, x86_64

Not competent to try reproducing this issue so tried utility tests, before updating.
Used a local gui wrapper for get_iplayer which appears in the list of whatrequires.
$ strace -o bbc.trace bbc
Downloaded a programme successfully.

$ grep get_iplayer bbc.trace
read(10, "344 /home/lcl/.get_iplayer/progr"..., 8192) = 38
chdir("/home/lcl/.get_iplayer/")        = 0
openat(AT_FDCWD, "/home/lcl/.get_iplayer/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 10
stat("get_iplayer", {st_mode=S_IFREG|0755, st_size=450710, ...}) = 0

$ grep GET bbc.trace
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(4, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(5, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(6, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(7, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
ioctl(7, TCGETS, 0x7ffe7b636ea0)        = -1 ENOTTY (Inappropriate ioctl for device)

Not even sure that perl-Mojolicious is being used.  Information on the web implies that it has something to do with a perl web framework.

Started with the minimal helloworld script:
$ morbo helloworld.pl
Server available at
[2020-05-30 17:49:08.32016] [17822] [debug] GET "/" (442e7771)
[2020-05-30 17:49:08.32080] [17822] [debug] 200 OK (0.00063s, 1587.302/s)

localhost:3000/ displays "Hello World" in a browser.
Tried localhost:3000/echo as well to display the error page reported online and the server shows this sort of thing:
[2020-05-30 17:53:48.48313] [17822] [debug] Template "not_found.html.ep" not found
[2020-05-30 17:53:48.48325] [17822] [debug] Rendering template "mojo/debug.html.ep"
[2020-05-30 17:53:48.50038] [17822] [debug] Your secret passphrase needs to be changed
[2020-05-30 17:53:48.50212] [17822] [debug] 404 Not Found (0.019721s, 50.707/s)

All as expected.

Modified the program - and ran it.
This showed and entry field followed by an 'echo' button.
Wrote a password into the box and clicked echo and up came the error page at Mojolicious with a little more information.  The server (in the terminal) reports a 404 error.

After a couple more modifications to the script, refreshing the web address posted the password enquiry and the echo button cleared all and echoed the password in the browser without restarting the server. 

A bit elementary but that is as far as it goes.

Updated the plugin.

$ morbo helloworld.pl
Server available at
[2020-05-30 18:45:16.35103] [26927] [debug] GET "/echo" (5710c1b9)
[2020-05-30 18:45:16.35169] [26927] [debug] 200 OK (0.000672s, 1488.095/s)
[2020-05-30 18:45:29.84174] [26927] [debug] POST "/echo" (5dd0fde2)
[2020-05-30 18:45:29.84203] [26927] [debug] Routing to a callback
[2020-05-30 18:45:29.84230] [26927] [debug] 200 OK (0.000552s, 1811.594/s)

The pasword and echo button functioned fine at localhost:3000/echo

This will have to do at our end.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-05-30 19:49:05 CEST
Created attachment 11669 [details]
Rudimentary server script for Mojolicious
Comment 4 Thomas Andrews 2020-05-30 23:33:11 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-11 00:04:10 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-06-11 00:58:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.