Fedora has issued an advisory on May 13: http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html Cauldron/Mageia 2 are also affected. Info on how this was fixed upstream is here: https://bugzilla.redhat.com/show_bug.cgi?id=818386
CC: (none) => jquelin
Due to the fact that Cauldron was frozen for a very long time, the available patch will not apply cleanly. I propose to update to the latest version, which fixes the problem. But I need svn to be branched for that... should happen soon.
Shlomi, as upstream author of Config::IniFiles, do you think we should backport the patch, or is an update to 2.73 OK API-wise?
CC: (none) => shlomif
Hi Jerome,

(In reply to comment #2)
> shlomi, as upstream author of config::inifiles, do you think we should backport
> the patch, or is an update to 2.73 ok api-wise?

I didn't intentionally break the API, but since I've done a lot of extensive refactoring and cleanup, it is possible that some bugs were introduced which were not caught by the test suite. I think upgrading to 2.73 should be OK.

Regards,

-- Shlomi Fish
Updated in Cauldron and pushed to Mageia 2 core/updates_testing. Please test and push to Mageia 2 updates.
Assignee: bugsquad => qa-bugs
Jerome, could you please push an update for Mageia 1 as well?
In the meantime, here's an advisory.

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file (CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
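The advisory above describes the bug class rather than the code, so here is an added Python example (not code from Config::IniFiles, this bug, or any of the participants) that puts the predictable-name pattern next to a hardened writer and runs both against a constructed scenario: a throwaway directory holding a "victim" file writable by the same user and a symlink pre-placed at the predictable temporary name. The file names, the victim file and the INI text are all invented for the demo; the safe writer uses the same mkstemp-in-target-directory plus rename approach that the later strace output in this bug shows (a random suffix, then rename()).

```python
import os
import stat
import tempfile

# Constructed sample content for the demo (not from the bug).
INI_TEXT = "[section2]\nTested=OK\n"


def write_config_predictable(path, text):
    """The pattern the advisory describes: the temporary name is derived from
    the target ($file-new), so anyone who can write to the directory can
    pre-create it as a symlink.  open(..., "w") is O_WRONLY|O_CREAT|O_TRUNC,
    which follows that symlink, so the data lands wherever the link points."""
    tmp = path + "-new"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.rename(tmp, path)
    return tmp


def write_config_safe(path, text):
    """Hardened pattern: mkstemp() opens the temp file with O_CREAT|O_EXCL
    under an unpredictable name, in the target's own directory so the final
    rename() is atomic and stays on one filesystem.  Returns the temp name
    that was used so a caller (or test) can check it was not predictable."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path) + "-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        # mkstemp() creates the file 0600; keep the old file's mode (the
        # chmod() seen in the strace output of this bug) when there is one.
        try:
            os.chmod(tmp, stat.S_IMODE(os.stat(path).st_mode))
        except FileNotFoundError:
            pass
        os.rename(tmp, path)
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise
    return tmp


def run_demo():
    """Constructed scenario in a fresh temp directory: victim.txt stands for
    another file writable by the user running the application, and a symlink
    sits at the predictable name before each write.  Returns what each writer
    did to the victim file and to the config file."""
    workdir = tempfile.mkdtemp(prefix="inifiles-demo-")
    victim = os.path.join(workdir, "victim.txt")
    target = os.path.join(workdir, "config.ini")
    predictable = target + "-new"

    def reset():
        for p in (target, predictable):
            if os.path.lexists(p):
                os.unlink(p)
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.symlink(victim, predictable)

    result = {}

    reset()
    write_config_predictable(target, INI_TEXT)
    with open(victim) as fh:
        result["victim_after_predictable"] = fh.read()  # clobbered

    reset()
    tmp_used = write_config_safe(target, INI_TEXT)
    with open(victim) as fh:
        result["victim_after_safe"] = fh.read()  # untouched
    with open(target) as fh:
        result["config_after_safe"] = fh.read()
    result["safe_tmp_was_predictable"] = tmp_used == predictable
    result["safe_tmp_left_behind"] = os.path.lexists(tmp_used)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the victim file holding the INI text after the predictable writer and still holding "original" after the safe one; the safe writer's temporary name carries a random suffix and is gone after the rename. Note that rename() does not follow symlinks, which is why the predictable version also leaves config.ini itself as a symlink to the victim afterwards.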
For recreating the bug, I've found that genhdlist2 uses this package. Contrary to the advisory, running it under strace, after adding a package to the directory, it uses synthesis.hdlist.cz.tmp and hdlist.cz.tmp, not $file.new. This is using Mageia 1 i586. I'll be setting up my minimal Mageia 2 test environment tomorrow.
CC: (none) => davidwhodgins
Update available in Mageia 1 core/updates_testing.
Thanks Jerome. Dave, the Mageia 1 update wasn't available yet when you tested. I didn't post the packages to test with the advisory, so here goes.

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file (CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
========================

Updated packages in core/updates_testing:
========================
perl-Config-IniFiles-2.750.0-1.mga1
perl-Config-IniFiles-2.750.0-1.mga2

from SRPMS:
perl-Config-IniFiles-2.750.0-1.mga1
perl-Config-IniFiles-2.750.0-1.mga2
Using perl-Config-IniFiles-2.750.0-1.mga1.noarch on Mga 1 i586, I'm not seeing any change.

$ grep rename strace.txt
9639 rename("./media_info/hdlist.cz.tmp", "./media_info/hdlist.cz") = 0
9639 rename("./media_info/synthesis.hdlist.cz.tmp", "./media_info/synthesis.hdlist.cz") = 0
Installing perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm on Mageia 2 64-bit, nothing has changed. It seems OK. Is there any particular stuff to check?
CC: (none) => olivier.delaune
Created attachment 2449 [details]
simple testcase

This has an ini file and test.pl. 'perl test.pl' should find the value of the Tested parameter in section 2, which is 'OK'. Expected output is 'The test is OK.'
Hmm, the testcase doesn't use any temporary file when viewed under strace, so it's not good for checking that :\
I just looked at the code. A testcase would need to call WriteConfig(), as that's the only part of the code that creates a tmp file.
So, don't remove it with rpm -e --nodeps as it breaks rpm :\

I managed to copy the file from another computer and install it from release again.

One thing David, in doing so I noticed the update installs to a different path. Could you check this is correct please and properly obsoleted if necessary.

# urpmf --media "Core Release" perl-Config-IniFiles
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.1/Config
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.1/Config/IniFiles.pm
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/Changes
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/README
perl-Config-IniFiles:/usr/share/man/man3/Config::IniFiles.3pm.xz

# urpmf --media "Core Updates Testing" perl-Config-IniFiles
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.2/Config
perl-Config-IniFiles:/usr/lib/perl5/vendor_perl/5.14.2/Config/IniFiles.pm
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/Changes
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.json
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/META.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/MYMETA.yml
perl-Config-IniFiles:/usr/share/doc/perl-Config-IniFiles/README
perl-Config-IniFiles:/usr/share/man/man3/Config::IniFiles.3pm.xz

Thanks.
This is mga2, by the way.
Testing mga2 x86_64

Using scripts from http://search.cpan.org/~shlomif/Config-IniFiles-2.75/lib/Config/IniFiles.pm in the IMPORT/DELTA FEATURES section. It creates a file called -delta.

Before
------
$ grep delta strace.out
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
open("-delta-new", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("-delta-new", "-delta") = 0
chmod("-delta", 0664) = 0

After
-----
$ grep delta strace.out
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
stat("-delta", {st_mode=S_IFREG|0664, st_size=119, ...}) = 0
rename("./temp.ini-BeOaCvUL0R", "-delta") = 0
chmod("-delta", 0664)

So it is using an unpredictable temporary filename. It does seem to obsolete the previous version in /usr/lib/perl5/vendor_perl/5.14.1 too.

I get an error running the script which I didn't before. It could be a bug in the script as I don't know perl and just copy/pasted, but it is a regression:

Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.14.2/Config/IniFiles.pm line 1756.
MGA2

This also appears to be affected by bug 2317. There is a regression to urpmf -m which is affecting the depcheck script, but as far as I can tell...

The following packages will require linking:
perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-List-MoreUtils
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece
Depends on: (none) => 2317
Version: 1 => 2
Whiteboard: (none) => MGA1TOO
Hi,

(In reply to comment #17)
> Testing mga2 x86_64
>
> Using scripts from
>
> http://search.cpan.org/~shlomif/Config-IniFiles-2.75/lib/Config/IniFiles.pm
>
> in the IMPORT/DELTA FEATURES section.
>
> It creates a file called -delta.
>

This was a bug in the syntax given to the call to ->WriteConfig($filename, -delta => 1) in the documentation, because it requires a valid file name as the first argument. This was fixed in version 2.76, which was just uploaded to CPAN. Thanks for finding it.

Regards,

-- Shlomi Fish
Jerome, when you get a chance could you update these to 2.76? Thanks.
Updated to 2.76 for mga1 & mga2 in updates_testing.
Testing complete x86_64 mga2 for SRPM perl-Config-IniFiles-2.760.0-1.mga2.src.rpm

Before
------
$ grep delta strace.out
stat("-delta", 0x1857138) = -1 ENOENT (No such file or directory)
open("-delta-new", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("-delta-new", "-delta") = 0
chmod("-delta", 0100664)

The rename line shows a predictable filename being used.

After
-----
Created a new testcase which I'll attach that writes an output.ini file and reads the value of one of the added parameters, which should be 'OK'.

$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("./temp.ini-Xi8nL5VII1", "output.ini") = 0

The rename shows the unpredictable temp filename being used.

$ rm output.ini

The following packages will require linking to work around bug 2317:
perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece
Whiteboard: MGA1TOO => MGA1TOO, mga2-64-OK
Created attachment 2470 [details]
testcase folder with all needed files
Testing complete x86_64 Mageia 1 for SRPM perl-Config-IniFiles-2.760.0-1.mga1.src.rpm

Before
------
$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("output.ini-new", "output.ini") = 0
$ rm -f output.ini

After
-----
Backing up the IniFiles.pm in case it needs to be reverted
# cp /usr/lib/perl5/vendor_perl/5.12.3/Config/IniFiles.pm .

$ strace -o strace.out perl test2.pl && grep rename strace.out
The test is OK.
rename("./temp.ini-zHTgIZxkd0", "output.ini") = 0
$ rm -f output.ini

A longer list of links required for mga1.

The following packages will require linking to work around bug 2317:
perl-Archive-Extract-0.500.0-1.mga1 (Core 32bit Release)
perl-Archive-Extract-0.500.0-1.mga1 (Core Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core 32bit Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core Release)
perl-CGI-3.520.0-1.mga1 (Core 32bit Release)
perl-CGI-3.520.0-1.mga1 (Core Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core 32bit Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core 32bit Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core 32bit Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core 32bit Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core Release)
perl-JSON-PP-2.271.50-1.mga1 (Core 32bit Release)
perl-JSON-PP-2.271.50-1.mga1 (Core Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core 32bit Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core 32bit Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core Release)
perl-Module-Signature-0.680.0-1.mga1 (Core 32bit Release)
perl-Module-Signature-0.680.0-1.mga1 (Core Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core 32bit Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core 32bit Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core Release)
perl-Time-Piece-1.200.0-4.mga1 (Core 32bit Release)
perl-Time-Piece-1.200.0-4.mga1 (Core Release)
perl-version-0.880.0-2.mga1 (Core 32bit Release)
perl-version-0.880.0-2.mga1 (Core Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core 32bit Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core Release)
----------------------------------------
Whiteboard: MGA1TOO, mga2-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK
This is noarch, but it would be useful to check this on both arches (two sets of eyes) before validating, as it is integral to rpm, so quite important :)
Testing complete on Mageia 1 i586. On Mageia 2 i586, I also noticed installing the update pulled in perl-List-MoreUtils from Core Release, which is listed in comment 18, but not in comment 22 or 24. How did you build the list for linking?
Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK, mga1-32-OK, mga2-32-OK
Just used depcheck, Dave. This was updated to 2.76 in comment 19; it could have changed the deps, I suppose.
Validating

Seeing more inconsistency between 32 and 64 bit with depcheck. Last time this turned out to be real and not a problem with depcheck, so we should link it anyway.

Mageia 2 linking required

Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is perl-Config-IniFiles-2.680.0-1.mga2
Latest version found in "Core Updates Testing" is perl-Config-IniFiles-2.760.0-1.mga2
----------------------------------------
The following packages will require linking:
perl-Archive-Extract
perl-Archive-Tar
perl-CGI
perl-CPANPLUS
perl-CPANPLUS-Dist-Build
perl-ExtUtils-CBuilder
perl-FCGI
perl-List-MoreUtils
perl-Module-Build
perl-Module-CoreList
perl-Time-Piece
----------------------------------------

Mageia 1 linking required is in comment 24

SRPMs:
perl-Config-IniFiles-2.760.0-1.mga1.src.rpm
perl-Config-IniFiles-2.760.0-1.mga2.src.rpm

Advisory:
========================

Updated perl-Config-IniFiles package fixes security vulnerability:

perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file (CVE-2012-2451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2451
https://bugzilla.redhat.com/show_bug.cgi?id=818386
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080716.html
=======================

Could sysadmin please push from core/updates testing to core/updates for mga1 and mga2 and do the required linking for both.

Note: The linking required is different for mga1 than it is in mga2.

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Hum, in mga1 I need perl-List-MoreUtils:

found package(s): perl-Config-IniFiles-2.660.0-1.mga1.noarch perl-Config-IniFiles-2.760.0-1.mga1.noarch perl-Config-IniFiles-2.660.0-1.mga1.noarch
opening rpmdb (root=, write=)
chosen perl-Config-IniFiles-2.760.0-1.mga1.noarch for perl-Config-IniFiles|perl-Config-IniFiles|perl-Config-IniFiles
selecting perl-Config-IniFiles-2.760.0-1.mga1.noarch
set_rejected: perl-Config-IniFiles-2.660.0-1.mga1.noarch
requiring perl(List::MoreUtils) for perl-Config-IniFiles-2.760.0-1.mga1.noarch
chosen perl-List-MoreUtils-0.300.0-3.mga1.x86_64 for perl(List::MoreUtils)
selecting perl-List-MoreUtils-0.300.0-3.mga1.x86_64
perl-Config-IniFiles is not in potential orphans
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch
(média « Core Release »)
  perl-List-MoreUtils            0.300.0      3.mga1        x86_64
(média « Core Updates Testing »)
  perl-Config-IniFiles           2.760.0      1.mga1        noarch
un espace additionnel de 157Ko sera utilisé.
97Ko de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n)
Depcheck doesn't find it; we must be missing something with the script. The sooner this is fixed, the better!

Sysadmin please also link perl-List-MoreUtils for mga1.

# ./depcheck perl-Config-IniFiles "Core Release" "Core Updates Testing"
----------------------------------------
Running checks for "perl-Config-IniFiles" using media "Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is perl-Config-IniFiles-2.660.0-1.mga1
Latest version found in "Core Updates Testing" is perl-Config-IniFiles-2.760.0-1.mga1
----------------------------------------
The following packages will require linking:
perl-Archive-Extract-0.500.0-1.mga1 (Core 32bit Release)
perl-Archive-Extract-0.500.0-1.mga1 (Core Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core 32bit Release)
perl-Archive-Tar-1.760.0-2.mga1 (Core Release)
perl-CGI-3.520.0-1.mga1 (Core 32bit Release)
perl-CGI-3.520.0-1.mga1 (Core Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-2.110.930-1.mga1 (Core Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core 32bit Release)
perl-CPAN-Meta-YAML-0.3.0-1.mga1 (Core Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core 32bit Release)
perl-CPANPLUS-Dist-Build-0.540.0-1.mga1 (Core Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core 32bit Release)
perl-Digest-SHA-5.610.0-2.mga1 (Core Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core 32bit Release)
perl-ExtUtils-CBuilder-0.280.202-1.mga1 (Core Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core 32bit Release)
perl-IPC-Cmd-0.700.0-2.mga1 (Core Release)
perl-JSON-PP-2.271.50-1.mga1 (Core 32bit Release)
perl-JSON-PP-2.271.50-1.mga1 (Core Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core 32bit Release)
perl-Module-CoreList-2.460.0-1.mga1 (Core Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core 32bit Release)
perl-Module-Metadata-1.0.4-1.mga1 (Core Release)
perl-Module-Signature-0.680.0-1.mga1 (Core 32bit Release)
perl-Module-Signature-0.680.0-1.mga1 (Core Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core 32bit Release)
perl-Parse-CPAN-Meta-1.440.100-3.mga1 (Core Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core 32bit Release)
perl-Perl-OSType-1.2.0-1.mga1 (Core Release)
perl-Time-Piece-1.200.0-4.mga1 (Core 32bit Release)
perl-Time-Piece-1.200.0-4.mga1 (Core Release)
perl-version-0.880.0-2.mga1 (Core 32bit Release)
perl-version-0.880.0-2.mga1 (Core Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core 32bit Release)
perl-Version-Requirements-0.101.20-1.mga1 (Core Release)
----------------------------------------
Done.
(In reply to comment #30)
>
> # ./depcheck perl-Config-IniFiles "Core Release" "Core Updates Testing"
> ----------------------------------------
> Running checks for "perl-Config-IniFiles" using media
> "Core Release" and "Core Updates Testing".

Hm, "Core Updates" should be used in the media check too (or does depcheck already use that?)
CC: (none) => tmb
It checks, Thomas.
(In reply to comment #32)
> It checks Thomas

Ah, thanks... I got fooled by the:

"Running checks for "perl-Config-IniFiles" using media "Core Release" and "Core Updates Testing"."

as it does not state it's using "Core Updates" :)
Created attachment 2499 [details]
Current QA depcheck script

I think pterjan was going to put it on svn. He looked and instantly had ideas to improve it. With any luck we can retire it soon! (depcheck, not pterjan :D)
Linking done and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0127
Status: NEW => RESOLVED
Resolution: (none) => FIXED