Bug 9331 - Perl CVE-2013-1667
: Perl CVE-2013-1667
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/542461/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-03-11 10:53 CET by Jerome Quelin
Modified: 2013-03-16 02:48 CET (History)
9 users (show)

See Also:
Source RPM: perl
CVE:
Status comment:


Attachments

Description Jerome Quelin 2013-03-11 10:53:32 CET
In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash.  This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior.  This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have bene pushed to main-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).



Reproducible: 

Steps to Reproduce:
Comment 1 Jerome Quelin 2013-03-11 10:54:43 CET
perl 5.14.4 submitted to mga2 core/updates_testing

cauldron needs to be updated.
Comment 2 Jerome Quelin 2013-03-11 11:09:44 CET
please validate & push perl 5.14.4 to core/updates (mageia 2)
Comment 3 Jerome Quelin 2013-03-11 11:12:44 CET
Proposed advisory:

A flaw in the rehashing code has been found which can result in pathological behavior.  This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
This update fixes said flaw.
Comment 4 Thomas Backlund 2013-03-11 12:21:05 CET
This is also a version bump... is the transition from 5.14.2 to 5.14.4 safe ?

(just asking since we rely on perl for all drakx* tools)
Comment 5 Jerome Quelin 2013-03-11 13:12:27 CET
@Thomas: yes, only critical bugs (crash, security) are allowed in minor perl releases.
Comment 6 claire robinson 2013-03-11 13:30:16 CET
Could you list rpm's please Jerome
Comment 7 Jerome Quelin 2013-03-11 14:26:51 CET
perl, perl-base, perl-doc, perl-devel
Comment 8 Sander Lepik 2013-03-11 14:40:51 CET
Don't some packages require specific version of perl?
Comment 9 Dave Hodgins 2013-03-11 20:34:22 CET
installed vim-enhanced-7.3.444-2.mga2.x86_64 is conflicting because of unsatisfied perl-base[== 2:5.14.2]
The following package has to be removed for others to be upgraded:
vim-enhanced-7.3.444-2.mga2.x86_64

Any way to get a full list of which packages require specific versions?
Comment 10 Dave Hodgins 2013-03-11 22:21:06 CET
apache-mod_perl requires perl[== 2:5.14.2]
inn requires inn: perl[== 2:5.14.2]
irssi-perl requires perl[== 2:5.14.2]
postgresql8.4-plperl requires postgresql8.4-plperl: perl-base[== 2:5.14.2]
postgresql9.0-plperl requires postgresql9.0-plperl: perl-base[== 2:5.14.2]
postgresql9.1-plperl requires postgresql9.1-plperl: perl-base[== 2:5.14.2]
vim-enhanced requires perl-base[== 2:5.14.2]
vim-X11 requires perl-base[== 2:5.14.2]
xchat-gnome-perl requires perl-base[== 2:5.14.2]
xchat-perl requires perl-base[== 2:5.14.2]

Assuming the above list is complete, should this update be held until
the above packages all have new versions available?
Comment 11 David Walser 2013-03-11 23:05:52 CET
Debian has issued an advisory for this on March 9:
http://www.debian.org/security/2013/dsa-2641

Seeing as Debian patched 5.14.2, I think we'd be better off deleting the current update candidate and applying the patch to the version we had.
Comment 12 Jerome Quelin 2013-03-12 08:33:43 CET
@david (#comment 11): perl 5.14.4 has been released just because of this security bug. please let it in.

@dave: (#comment 10): I'll submit a rebuild of said packages.
Comment 13 Jerome Quelin 2013-03-12 08:44:06 CET
I cannot submit said packages:
==============
Submitting apache-mod_perl at revision 402129
URL: svn+ssh://svn.mageia.org/svn/packages/cauldron/apache-mod_perl
error: command failed: ssh pkgsubmit.mageia.org /usr/local/bin/submit_package -t 2 --define sid=b1b7f523-1883-45ef-b162-02f6fdd1bedc --define section=core/updates_testing -r 402129 svn+ssh://svn.mageia.org/svn/packages/cauldron/apache-mod_perl
error: svn://svn.mageia.org/svn/packages/cauldron/apache-mod_perl is not allowed for this target
==============

Thomas, do you know why I can't submit?
Comment 14 claire robinson 2013-03-12 09:54:38 CET
Assigning back to Jerome

Please reassign when this is ready for QA.

Thanks!
Comment 15 Jerome Quelin 2013-03-12 12:54:27 CET
never mind, I was trying to submit from cauldron svn

I just submitted:
xchat-gnome-0.26.1-12.1.mga2
xchat-2.8.8-10.1.mga2
vim-7.3.444-2.1.mga2
postgresql9.1-9.1.8-1.1.mga2
postgresql9.0-9.0.12-1.1.mga2
postgresql8.4-8.4.16-1.1.mga2
irssi-0.8.15-11.mga2
inn-2.5.3-3.mga2
apache-mod_perl-2.0.5-16.mga2

sorry, I forgot to use %subrel in apache-mod_perl, inn and irssi. others have a %subrel now.

please test & push to mageia 2 core/updates.
thanks.
Comment 16 Jerome Quelin 2013-03-12 12:57:41 CET
hmmm, xchat and xchat-gnome do not build correctly. but this is not related to new perl, more to new toolchain / glib, dunno for sure. what do we do?
Comment 17 Sander Lepik 2013-03-12 13:16:06 CET
Patch perl like David suggested? It will give us less hassle and a lot smaller update for users.
Comment 18 Sander Lepik 2013-03-12 13:17:07 CET
Not to mention QA! A lot less work for QA too..
Comment 19 Jerome Quelin 2013-03-12 13:53:34 CET
sander: that's hiding stuff under the carpet. perl 5.14.4 contains perl 5.14.3 fixes, which I forgot to package. I think it's worthwhile to have this update as perl packager, rather than maintaining a zillion patches.

Now, if you all prefer a patch, I'll abide - but in that case I will be more reluctant to apply fixes for previous mageia versions: I'm a cauldron user, and updating my pkgs for stable mageia is a burden for me. I agree to do the updates since it's a bundle coming with packager hat, but there's a difference between actively supporting a package (that is, providing users with latest 5.14 version) and doing updates only when it's really needed (just a patch here and there). Especially when free time is so short... :-)
 
So to sum up: either you want just a patch, and I'll fix perl with just the patch. Or you agree with the fact that we should provide latest perl 5.14 (which I recommend as perl packager for mageia), and in that case we investigate.

I won't fight more than that - if you prefer a patch, life will be easier for me too...
Comment 20 claire robinson 2013-03-12 13:57:59 CET
Unfortunately in making it easy for yourself you more than quadruple the work for QA, who all have similar demands on our time.

You must of course, in good conscience, do what you feel is right for Mageia...
Comment 21 Sander Lepik 2013-03-12 14:08:13 CET
Well, the problem with stable release is that rebuilding doesn't just mean a rebuilt package like in cauldron. It means that QA has to test it. Seeing all 3 postgresql packages in the list (only this counts 6 test cases). It doesn't sound good at all. Not to mention other problems we might have. I'm not even sure if this list gives us all version dependent packages. Like Thomas said, it's perl after all, too many important tools depend on it :)

I'm not the packager and not doing much for QA either but I would suggest patch in this case.
Comment 22 Jerome Quelin 2013-03-12 14:16:42 CET
@Claire: I am not making it easy for me either, re-read what I wrote. I said that I think the right way of doing the thing is to update to perl 5.14.4, even if it's a lot more work.

Now it seems that you guys prefer just a patch: if that's the case, then I just have to apply the patch and rebuild perl.

But this means that I won't provide more recent perl bugfix versions for stable mageia, and I will use this decision as a policy from now on. Once again, it means an easier way of working for me, even if I think it's not the right one.

So, one last time: do you want me to remove the perl 5.14.4 update and just provide a patch for perl 5.14.2 for mageia 2?

==> Sander, Claire and Thomas, I need an answer from you.

Claire as QA representative, Thomas as sysadmin and Sander as another packager. If you all agree, then I will treat your answer as the right decision to apply.

Thanks, Jérôme
Comment 23 claire robinson 2013-03-12 14:28:57 CET
As maintainer you must decide Jerome, it's not our place to say you must do one thing or another. The update policy says patch where possible but it's your decision as to whether that is practical or not.

If you do decide to bump the version please ensure anything version dependent is also updated, so that update is possible.

Please also list all updated SRPM's so sysadmin know what to push and all RPM's so QA know what to test.

Thanks
Comment 24 Jerome Quelin 2013-03-12 14:38:43 CET
I already stated that as perl pkg maintainer, I think the right thing to do is to ship perl 5.14.4

If there was only the security fix, a patch would be possible. The patch exists and can be applied easily. But I missed the perl 5.14.3 update, which is a critical bugfix update, so I think we should provide it.

Adding Olav as cc since he is responsible for xchat / xchat-gnome.

Olav, can you look at the following error logs and check why xchat / xchat-gnome refuse to rebuild for mageia 2:
- http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130312115011.jquelin.valstar.16841/log/xchat-2.8.8-10.1.mga2/build.0.20130312115125.log
- http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130312115103.jquelin.valstar.17831/log/xchat-gnome-0.26.1-12.1.mga2/build.0.20130312115247.log

thanks, Jérôme
Comment 25 claire robinson 2013-03-12 14:41:54 CET
I guess people misunderstood your comment 16 Jerome where you asked for opinions.
Comment 26 David Walser 2013-03-12 17:47:29 CET
Jerome, would it be possible to at least make perl-dependent packages in Cauldron not depend on the exact version, forcing a rebuild if perl is updated to a newer minor release?  If so, I would strongly recommend doing that, and then you can more easily issue minor updates for Mageia 3 in the future.

As for Mageia 2, I recommend patch it as Debian has done, and probably most other distros will do.  If you really feel it should still be updated, perhaps you can patch it so we can get the security update out, and do the version update later so more time can reasonably be given to regression test the perl itself as well as all of the rebuilt packages.

As for xchat and Olav, I don't want to speak for him, but from his last communication on the -dev list, I was under the impression that he was taking a break from packaging, due to harassment and lack of help from others in Mageia.
Comment 27 claire robinson 2013-03-12 18:08:30 CET
Packages with strict requires can be found with ..

urpmf --requires `urpmq --whatrequires perl-base` | grep perl-base\\[==
urpmf --requires `urpmq --whatrequires perl` | grep perl\\[==

After sort -u my list agrees with Dave's in comment 10
Comment 28 Dave Hodgins 2013-03-12 19:01:26 CET
Some requested packages cannot be installed:
apache-mod_perl-2.0.5-16.mga2.i586 (due to unsatisfied perlapi-5.14.4)
apache-mod_perl-devel-2.0.5-16.mga2.i586 (due to conflicts with perl-5.14.4-1.1.mga2.i586, trying to promote apache-mod_perl)
Comment 29 Jerome Quelin 2013-03-14 09:03:13 CET
Ok, given the difficulties that we have regarding an updated perl, I will just provide a patched perl.

Thomas, would it be possible to remove from core/updates_testing the packages already built:
- inn*
- irssi*
- vim*
- postgresql*
- apache-mod_perl*
- perl*

I'll resubmit only a patched perl.
Comment 30 Thomas Backlund 2013-03-14 09:42:50 CET
core/updates_testing cleaned.
Comment 31 Jerome Quelin 2013-03-14 10:11:42 CET
Thanks Thomas.

perl-5.14.2-8.2.mga2 now available in mageia 2 core/updates_testing with only the patch fixing CVE 2013-1667 applied.

please test, validate & push the update.
Thanks, Jérôme
Comment 32 David Walser 2013-03-14 16:48:32 CET
Jerome, are you on Perl's e-mail list for security notices?

http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199758.html
Comment 33 claire robinson 2013-03-14 18:23:56 CET
Thanks Jerome

No PoC
Testing i586 with various bits of MCC.
Comment 34 claire robinson 2013-03-14 18:27:55 CET
The packages have missing signatures as with cauldron packages from yesterday.

Apparently the signing key had expired but IINM it's been updated now.

Jerome could you try rebuilding please.

Thanks
Comment 35 claire robinson 2013-03-14 18:33:04 CET
Bug 9385 for expired key
Comment 36 Jerome Quelin 2013-03-15 08:31:14 CET
perl-5.14.2-8.3.mga2 on its way
Comment 37 claire robinson 2013-03-15 11:34:14 CET
Confirmed the packages are now signed.

Testing complete mga2 64 using MCC
Comment 38 claire robinson 2013-03-15 12:45:45 CET
Testing complete mga2 32

Validating

David, please adapt this to suit.

Advisory
--------
In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash.  This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior.  This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have bene pushed to main-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
----------

SRPM: perl-5.14.2-8.3.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 39 David Walser 2013-03-15 14:13:51 CET
The third paragraph isn't needed, with the first two it looks fine.  Or we could use the more condensed description from the CVE itself:

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent
attackers to cause a denial of service (memory consumption and crash) via a
crafted hash key (CVE-2013-1667).
Comment 40 D Morgan 2013-03-16 02:48:06 CET
Update pushed: 

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0094

Note You need to log in before you can comment on or make changes to this bug.