In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems. Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible. Updates to address this issue have been pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon).
perl 5.14.4 submitted to mga2 core/updates_testing cauldron needs to be updated.
Assignee: bugsquad => jquelin
please validate & push perl 5.14.4 to core/updates (mageia 2)
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Proposed advisory: A flaw in the rehashing code has been found which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. This update fixes said flaw.
This is also a version bump... is the transition from 5.14.2 to 5.14.4 safe? (Just asking since we rely on perl for all drakx* tools.)
CC: (none) => tmb
@Thomas: yes, only critical bugs (crash, security) are allowed in minor perl releases.
Could you list the RPMs please, Jerome?
Summary: CVE-2013-1667 => Perl CVE-2013-1667
QA Contact: (none) => security
Component: RPM Packages => Security
perl, perl-base, perl-doc, perl-devel
Don't some packages require specific version of perl?
CC: (none) => sander.lepik
installed vim-enhanced-7.3.444-2.mga2.x86_64 is conflicting because of unsatisfied perl-base[== 2:5.14.2]
The following package has to be removed for others to be upgraded: vim-enhanced-7.3.444-2.mga2.x86_64

Any way to get a full list of which packages require specific versions?
CC: (none) => davidwhodgins
apache-mod_perl requires perl[== 2:5.14.2]
inn requires inn: perl[== 2:5.14.2]
irssi-perl requires perl[== 2:5.14.2]
postgresql8.4-plperl requires postgresql8.4-plperl: perl-base[== 2:5.14.2]
postgresql9.0-plperl requires postgresql9.0-plperl: perl-base[== 2:5.14.2]
postgresql9.1-plperl requires postgresql9.1-plperl: perl-base[== 2:5.14.2]
vim-enhanced requires perl-base[== 2:5.14.2]
vim-X11 requires perl-base[== 2:5.14.2]
xchat-gnome-perl requires perl-base[== 2:5.14.2]
xchat-perl requires perl-base[== 2:5.14.2]

Assuming the above list is complete, should this update be held until the above packages all have new versions available?
Debian has issued an advisory for this on March 9: http://www.debian.org/security/2013/dsa-2641 Seeing as Debian patched 5.14.2, I think we'd be better off deleting the current update candidate and applying the patch to the version we had.
URL: (none) => http://lwn.net/Vulnerabilities/542461/
CC: (none) => luigiwalser
@David (comment 11): perl 5.14.4 has been released just because of this security bug. Please let it in. @Dave (comment 10): I'll submit a rebuild of said packages.
I cannot submit said packages:
==============
Submitting apache-mod_perl at revision 402129
URL: svn+ssh://svn.mageia.org/svn/packages/cauldron/apache-mod_perl
error: command failed: ssh pkgsubmit.mageia.org /usr/local/bin/submit_package -t 2 --define sid=b1b7f523-1883-45ef-b162-02f6fdd1bedc --define section=core/updates_testing -r 402129 svn+ssh://svn.mageia.org/svn/packages/cauldron/apache-mod_perl
error: svn://svn.mageia.org/svn/packages/cauldron/apache-mod_perl is not allowed for this target
==============
Thomas, do you know why I can't submit?
Assigning back to Jerome Please reassign when this is ready for QA. Thanks!
CC: (none) => qa-bugs
Assignee: qa-bugs => jquelin
Never mind, I was trying to submit from cauldron svn. I just submitted:
xchat-gnome-0.26.1-12.1.mga2
xchat-2.8.8-10.1.mga2
vim-7.3.444-2.1.mga2
postgresql9.1-9.1.8-1.1.mga2
postgresql9.0-9.0.12-1.1.mga2
postgresql8.4-8.4.16-1.1.mga2
irssi-0.8.15-11.mga2
inn-2.5.3-3.mga2
apache-mod_perl-2.0.5-16.mga2

Sorry, I forgot to use %subrel in apache-mod_perl, inn and irssi. Others have a %subrel now. Please test & push to mageia 2 core/updates. Thanks.
Assignee: jquelin => qa-bugs
Hmmm, xchat and xchat-gnome do not build correctly. But this is not related to the new perl, more to the new toolchain / glib, dunno for sure. What do we do?
Patch perl like David suggested? It will give us less hassle and a lot smaller update for users.
Not to mention QA! A lot less work for QA too..
Assignee: qa-bugs => jquelin
Sander: that's hiding stuff under the carpet. perl 5.14.4 contains perl 5.14.3 fixes, which I forgot to package. I think it's worthwhile to have this update as perl packager, rather than maintaining a zillion patches. Now, if you all prefer a patch, I'll abide - but in that case I will be more reluctant to apply fixes for previous mageia versions: I'm a cauldron user, and updating my pkgs for stable mageia is a burden for me. I agree to do the updates since it's a bundle coming with packager hat, but there's a difference between actively supporting a package (that is, providing users with latest 5.14 version) and doing updates only when it's really needed (just a patch here and there). Especially when free time is so short... :-) So to sum up: either you want just a patch, and I'll fix perl with just the patch. Or you agree with the fact that we should provide latest perl 5.14 (which I recommend as perl packager for mageia), and in that case we investigate. I won't fight more than that - if you prefer a patch, life will be easier for me too...
Unfortunately in making it easy for yourself you more than quadruple the work for QA, who all have similar demands on our time. You must of course, in good conscience, do what you feel is right for Mageia...
Well, the problem with stable release is that rebuilding doesn't just mean a rebuilt package like in cauldron. It means that QA has to test it. Seeing all 3 postgresql packages in the list (only this counts 6 test cases). It doesn't sound good at all. Not to mention other problems we might have. I'm not even sure if this list gives us all version dependent packages. Like Thomas said, it's perl after all, too many important tools depend on it :) I'm not the packager and not doing much for QA either but I would suggest patch in this case.
@Claire: I am not making it easy for me either, re-read what I wrote. I said that I think the right way of doing the thing is to update to perl 5.14.4, even if it's a lot more work. Now it seems that you guys prefer just a patch: if that's the case, then I just have to apply the patch and rebuild perl. But this means that I won't provide more recent perl bugfix versions for stable mageia, and I will use this decision as a policy from now on. Once again, it means an easier way of working for me, even if I think it's not the right one. So, one last time: do you want me to remove the perl 5.14.4 update and just provide a patch for perl 5.14.2 for mageia 2? ==> Sander, Claire and Thomas, I need an answer from you. Claire as QA representative, Thomas as sysadmin and Sander as another packager. If you all agree, then I will treat your answer as the right decision to apply. Thanks, Jérôme
As maintainer you must decide, Jerome; it's not our place to say you must do one thing or another. The update policy says patch where possible, but it's your decision as to whether that is practical or not. If you do decide to bump the version, please ensure anything version dependent is also updated, so that the update is possible. Please also list all updated SRPMs so sysadmins know what to push, and all RPMs so QA know what to test. Thanks
I already stated that as perl pkg maintainer, I think the right thing to do is to ship perl 5.14.4. If there was only the security fix, a patch would be possible. The patch exists and can be applied easily. But I missed the perl 5.14.3 update, which is a critical bugfix update, so I think we should provide it.

Adding Olav as cc since he is responsible for xchat / xchat-gnome. Olav, can you look at the following error logs and check why xchat / xchat-gnome refuse to rebuild for mageia 2:
- http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130312115011.jquelin.valstar.16841/log/xchat-2.8.8-10.1.mga2/build.0.20130312115125.log
- http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130312115103.jquelin.valstar.17831/log/xchat-gnome-0.26.1-12.1.mga2/build.0.20130312115247.log

Thanks, Jérôme
CC: (none) => olav
I guess people misunderstood your comment 16 Jerome where you asked for opinions.
Jerome, would it be possible to at least make perl-dependent packages in Cauldron not depend on the exact version, forcing a rebuild if perl is updated to a newer minor release? If so, I would strongly recommend doing that, and then you can more easily issue minor updates for Mageia 3 in the future. As for Mageia 2, I recommend patch it as Debian has done, and probably most other distros will do. If you really feel it should still be updated, perhaps you can patch it so we can get the security update out, and do the version update later so more time can reasonably be given to regression test the perl itself as well as all of the rebuilt packages. As for xchat and Olav, I don't want to speak for him, but from his last communication on the -dev list, I was under the impression that he was taking a break from packaging, due to harassment and lack of help from others in Mageia.
Packages with strict requires can be found with:

urpmf --requires `urpmq --whatrequires perl-base` | grep perl-base\\[==
urpmf --requires `urpmq --whatrequires perl` | grep perl\\[==

After sort -u my list agrees with Dave's in comment 10.
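As an added example (not code from the bug report or from Mageia's tools), the following POSIX shell/awk check goes one step beyond the grep above: it reads requires lines in the format urpmf prints in comment 10, keeps only those that pin perl or perl-base to an exact version ([== EVR]), and compares that EVR against the candidate perl version, so the output is the list of packages that would block the update. The SAMPLE_REQUIRES text is constructed here from the thread's list plus a couple of non-strict lines to show what gets filtered out; on a real system it would be replaced by the urpmf pipeline's output.

```shell
#!/bin/sh
# Added example: find packages whose exact-version requirement on perl or
# perl-base would be unsatisfied once perl moves to a new EVR.
# SAMPLE_REQUIRES is constructed for this example (based on comment 10);
# a ">=" require and a non-perl require are included to show they are ignored.
SAMPLE_REQUIRES='apache-mod_perl requires perl[== 2:5.14.2]
inn requires inn: perl[== 2:5.14.2]
vim-enhanced requires perl-base[== 2:5.14.2]
vim-enhanced requires glibc
xchat-perl requires perl-base[== 2:5.14.2]
some-tool requires perl-base[>= 2:5.14.0]'

# strict_requires NEWEVR
# Prints "<package> <capability>" for every line that pins perl or perl-base
# to an exact EVR different from NEWEVR. These packages need a rebuild (with a
# %subrel bump) before the new perl can be pushed, or the update must be held.
strict_requires() {
    newevr="$1"
    printf '%s\n' "$SAMPLE_REQUIRES" |
    awk -v newevr="$newevr" '
        {
            # the capability may follow an optional "name:" prefix and contains
            # a space, so match it on the whole line rather than by field
            if (!match($0, /perl(-base)?\[== *[^]]*\]/)) next
            cap = substr($0, RSTART, RLENGTH)
            ver = cap
            sub(/^[^=]*== */, "", ver)   # drop "perl-base[== " -> "2:5.14.2]"
            sub(/\]$/, "", ver)          # drop trailing "]"  -> "2:5.14.2"
            if (ver != newevr) print $1, cap
        }' | sort -u
}

# count_blockers NEWEVR: number of distinct packages that would block the update
count_blockers() {
    strict_requires "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Usage: sh strict_requires.sh 2:5.14.4
if [ -n "${1:-}" ]; then
    strict_requires "$1"
    echo "blocking packages: $(count_blockers "$1")"
fi
```

Run against the constructed sample with 2:5.14.4 it reports apache-mod_perl, inn, vim-enhanced and xchat-perl (four blockers); with 2:5.14.2 it reports none, which is the situation after the thread settles on patching 5.14.2 instead of bumping the version.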
Some requested packages cannot be installed:
apache-mod_perl-2.0.5-16.mga2.i586 (due to unsatisfied perlapi-5.14.4)
apache-mod_perl-devel-2.0.5-16.mga2.i586 (due to conflicts with perl-5.14.4-1.1.mga2.i586, trying to promote apache-mod_perl)
Ok, given the difficulties that we have regarding an updated perl, I will just provide a patched perl. Thomas, would it be possible to remove from core/updates_testing the packages already built:
- inn*
- irssi*
- vim*
- postgresql*
- apache-mod_perl*
- perl*

I'll resubmit only a patched perl.
core/updates_testing cleaned.
Thanks Thomas. perl-5.14.2-8.2.mga2 is now available in mageia 2 core/updates_testing with only the patch fixing CVE-2013-1667 applied. Please test, validate & push the update. Thanks, Jérôme
Jerome, are you on Perl's e-mail list for security notices? http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199758.html
Thanks Jerome. No PoC. Testing i586 with various bits of MCC.
The packages have missing signatures as with cauldron packages from yesterday. Apparently the signing key had expired but IINM it's been updated now. Jerome could you try rebuilding please. Thanks
Bug 9385 for expired key
perl-5.14.2-8.3.mga2 on its way
Confirmed the packages are now signed. Testing complete mga2 64 using MCC
Whiteboard: (none) => has_procedure mga2-64-ok
Testing complete mga2 32. Validating. David, please adapt this to suit.

Advisory
--------
In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems. Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
----------
SRPM: perl-5.14.2-8.3.mga2

Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
The third paragraph isn't needed, with the first two it looks fine. Or we could use the more condensed description from the CVE itself: The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key (CVE-2013-1667).
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0094
Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED