Bug 33029 - perl-Data-UUID new security issue CVE-2013-4184
Summary: perl-Data-UUID new security issue CVE-2013-4184
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-29 11:09 CET by Nicolas Salguero
Modified: 2024-04-10 06:04 CEST

See Also:
Source RPM: perl-Data-UUID-1.226.0-5.mga9.src.rpm
CVE: CVE-2013-4184
Status comment:


Nicolas Salguero 2024-03-29 11:09:49 CET

Source RPM: (none) => perl-Data-UUID-1.226.0-5.mga9.src.rpm
CVE: (none) => CVE-2013-4184
Status comment: (none) => Fixed upstream in 1.227

Comment 1 Lewis Smith 2024-03-31 21:16:47 CEST
Thierry has just put 1.227 in Cauldron; assigning to you for M9.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2024-04-03 15:21:52 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink attacks. (CVE-2013-4184)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATNG5VP46SXJB2JHAI2LXPUXCYUOYPE/
========================

Updated package in core/updates_testing:
========================
perl-Data-UUID-1.227.0-1.mga9

from SRPM:
perl-Data-UUID-1.227.0-1.mga9.src.rpm

Status comment: Fixed upstream in 1.227 => (none)
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-04-03 19:38:52 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-04-08 17:35:40 CEST
MGA9-64 Plasma Wayland on HP-Pavilion.
No installation issues.
No previous updates, so
# urpmq --whatrequires perl-Data-UUID
gscan2pdf
gscan2pdf
perl-CHI
perl-DBIx-Class-UUIDColumns
perl-Data-GUID
and some more, so installed gscan2pdf and the sane stuff (gscan2pdf does not work without the latter)
and run
$ strace -o perluuid.txt gscan2pdf 
scan a page and check the trace file and I find a number of:
newfstatat(AT_FDCWD, "/usr/local/lib64/perl5/5.36/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/lib64/perl5/5.36/Data/UUID.pm", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/share/perl5/5.36/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/share/perl5/5.36/Data/UUID.pm", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/Data/UUID.pmc", 0x7ffe1349ff60, 0) = -1 ENOENT (No such file or directory)
Should be enough as demo of working OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2024-04-08 19:36:25 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-04-10 06:04:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0117.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

