Bug 31666 - perl-Cpanel-JSON-XS new security issue fixed upstream in 4.34
Summary: perl-Cpanel-JSON-XS new security issue fixed upstream in 4.34
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-14 02:05 CET by David Walser
Modified: 2023-03-31 02:15 CEST

See Also:
Source RPM: perl-Cpanel-JSON-XS-4.250.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-03-14 02:05:02 CET
Fedora has issued an advisory on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSD3O3LQSW7QZLM33RFCIW3TFNXLB7QD/

They updated to 4.35 with an additional bug fix (it would be good to update Cauldron).
David Walser 2023-03-14 02:05:15 CET

Status comment: (none) => Fixed upstream in 4.34

Comment 1 Lewis Smith 2023-03-14 20:18:15 CET
Cauldron already has 4.34, but note Luigi's remark about 4.35.
Assigning to tv who did the 4.34 (& earlier) update(s).

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2023-03-17 14:48:42 CET
Suggested advisory:
========================

The updated package fixes some bugs including a security vulnerability:

Decoding hash keys without ending ':'.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CSD3O3LQSW7QZLM33RFCIW3TFNXLB7QD/
========================

Updated package in core/updates_testing:
========================
perl-Cpanel-JSON-XS-4.350.0-1.mga8

from SRPM:
perl-Cpanel-JSON-XS-4.350.0-1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 4.34 => (none)
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs

Comment 3 David Walser 2023-03-17 17:15:36 CET
Note that this is still pending a freeze move in Cauldron.
Comment 4 Len Lawrence 2023-03-25 20:44:09 CET
Mageia8, x86_64
$ urpmq --whatrequires perl-Cpanel-JSON-XS
perl-App-SerializeUtils
perl-Cpanel-JSON-XS
perl-Search-Elasticsearch

There is also a user tool cpanel_json_xs.
cpanel_json_xs [-v] [-f inputformat] [-t outputformat]
Picked a configuration file at random from Stellarium data:
$ cpanel_json_xs <defaultStarsConfig.json >testfile
The conversion was effected, but as is usual with JSON data you have to look closely in some places to see it.
$ cat defaultStarsConfig.json 
{
	"version": 12,
	"hipSpectralFile": "stars_hip_sp_0v0_4.cat",
[...]
			"url": "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat",
			"checksum": "9e2e362022824c60d7e4d94ef8c3af12",
			"checked": false
		}
	]
}
$ cat testfile
{
   "catalogs" : [
      {
         "checked" : true,
         "checksum" : "f29bcdca4ef0e945988ff609f7fa9e6a",
[...]
         "sizeMb" : 534,
         "url" : "https://github.com/Stellarium/stellarium-data/releases/download/stars-2.0/stars_8_2v0_1.cat"
      }
   ],
   "hipComponentsIdsFile" : "stars_hip_cids_0v0_0.cat",
   "hipSpectralFile" : "stars_hip_sp_0v0_4.cat",
   "version" : 12
}

Updated from version 4.250.
Removed testfile and ran the same command.
testfile looked identical to the earlier one.

A bit late in the day, tested the security issue by removing two of the : characters from hash keys in the first two stanzas of the catalog section.
		{
			"id": "stars0",
			"fileName": "stars_0_0v0_8.cat",
	->		"count" 0.005,
			"magRange": [-2, 6],
			"sizeMb": 0.1,
			"checksum": "f29bcdca4ef0e945988ff609f7fa9e6a",
			"checked": true
		},
		{
			"id": "stars1",
			"fileName": "stars_1_0v0_8.cat",
			"count": 0.022,
	->		"magRange" [6, 7.5],
			"sizeMb": 0.6,
			"checksum": "cdffa5b38b1de9eb53272176921861d2",
			"checked": true
		},

Running the command again produced an error.
$ cpanel_json_xs <defaultStarsConfig.json >testfile2 
':' expected, at character offset 203 (before "0.005,\n\t\t\t"magRa...") at /usr/bin/cpanel_json_xs line 219, <STDIN> line 1.

Giving this an OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
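
A scripted form of the check in comment 4, added here as an example (it is not code from the bug report or from the Cpanel::JSON::XS project); the two inputs are constructed from the "stars0" stanza above, one well-formed and one with the ':' after "count" removed:

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of Cpanel::JSON::XS itself.
# Feeds a well-formed and a malformed object to the module's decoder and
# reports whether each is accepted; a fixed build (4.34 or later) must
# reject the key that is not followed by ':'.
use strict;
use warnings;
use Cpanel::JSON::XS;

# Constructed inputs, derived from the stanza quoted in comment 4.
my %cases = (
    well_formed   => '{"id": "stars0", "count": 0.005, "checked": true}',
    missing_colon => '{"id": "stars0", "count" 0.005, "checked": true}',
);

# Decode with a default (strict) parser object; decode() dies on a parse error.
sub try_decode {
    my ($text) = @_;
    my $json = Cpanel::JSON::XS->new;
    my $data = eval { $json->decode($text) };
    return defined $data ? "accepted" : "rejected: $@";
}

my $malformed_accepted = 0;
for my $name (sort keys %cases) {
    my $result = try_decode($cases{$name});
    chomp $result;
    print "$name: $result\n";
    $malformed_accepted = 1
        if $name eq 'missing_colon' && $result eq 'accepted';
}

# Non-zero exit means the installed module still accepts a key without ':'.
print "installed Cpanel::JSON::XS version: $Cpanel::JSON::XS::VERSION\n";
exit($malformed_accepted ? 1 : 0);
```

On the updated package the second case should print a "':' expected, at character offset ..." message like the one cpanel_json_xs produced above, and the script exits 0.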

Comment 5 Thomas Andrews 2023-03-26 17:29:30 CEST
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-29 15:39:17 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-03-31 02:15:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0119.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

