Your message dated Tue, 16 May 2017 16:45:47 +0000
with message-id <[email protected]>
and subject line unblock libconfig-model-perl
has caused the Debian Bug report #862674,
regarding unblock: libconfig-model-perl/2.097-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
862674: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862674
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hello

Please unblock package libconfig-model-perl

This new version fixes 2 security issues:
 * add patch to remove 'use lib' (CVE-2017-0373)
 * add patch to remove '.' in @INC emulation (CVE-2017-0374)

debian/rules was modified to add '.' in @INC so the tests don't fail.

You can find the 2 patches there, in a format slightly more readable than the
attached debdiff:

https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-use-lib?h=debian/2.097-2
https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-inc-dot-emulation?h=debian/2.097-2

Links to the CVEs:
https://security-tracker.debian.org/tracker/CVE-2017-0373
https://security-tracker.debian.org/tracker/CVE-2017-0374

Thanks

unblock libconfig-model-perl/2.097-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libconfig-model-perl-2.097/debian/changelog 
libconfig-model-perl-2.097/debian/changelog
--- libconfig-model-perl-2.097/debian/changelog 2016-12-22 19:18:27.000000000 
+0100
+++ libconfig-model-perl-2.097/debian/changelog 2017-05-14 18:20:55.000000000 
+0200
@@ -1,3 +1,12 @@
+libconfig-model-perl (2.097-2) unstable; urgency=medium
+
+  * add patch to remove 'use lib' (CVE-2017-0373)
+  * add patch to remove '.' in @INC emulation (CVE-2017-0374)
+  * rules: add '.' in @INC for tests
+  * package for stretch release only
+
+ -- Dominique Dumont <[email protected]>  Sun, 14 May 2017 18:20:55 +0200
+
 libconfig-model-perl (2.097-1) unstable; urgency=medium
 
   * New upstream version 2.097
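Review bot: the new changelog entry names both CVE ids but no bug number; if a Debian bug was opened against libconfig-model-perl for either CVE, a `Closes:` reference on the matching bullet would let this upload close it automatically. The last bullet, "package for stretch release only", describes the intent of the upload rather than a change to the package; stating the target suite explicitly (stretch via unblock) would make the entry clearer to someone reading it later.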
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation 
libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation
--- libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation  
1970-01-01 01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation  
2017-05-14 18:20:55.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Remove inc dot emulation
+ Using '.' in @INC while loading models and model snippts allows to
+ run arbitrary code by specially crafted models placed in the current
+ working directory (as an aftermath of the fixes for the removal of
+ '.' in @INC in perl).
+.
+ This patch removes the search in '.' and fixes the collateral
+ damage. Note that tests must be run with PERL5LIB=. variable so model
+ files can be searched in '.' only during tests.
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0374
+Author: Dominique Dumont <[email protected]>
+Origin: upstream
+Applied-Upstream: v2.102
+--- a/lib/Config/Model.pm
++++ b/lib/Config/Model.pm
+@@ -1198,7 +1198,7 @@
+     # look for additional model information
+     my %model_graft_by_name;
+     my %done;  # avoid loading twice the same snippet (where system version 
may clobber dev version)
+-    foreach my $inc (@INC,'.') {
++    foreach my $inc (@INC) {
+         foreach my $name ( keys %models_by_name ) {
+             my $snippet_path = $name;
+             $snippet_path =~ s/::/\//g;
+@@ -1206,6 +1206,13 @@
+             get_logger("Model::Loader")->trace("looking for snippet in 
$snippet_dir");
+             if ( -d $snippet_dir ) {
+                 foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
++
++                    # $snippet_file is constructed from @INC content
++                    # (i.e. $inc). Since _load_model_in_hash uses 'do'
++                    # (which searches in @INC), the file path passed
++                    # to _load_model_in_hash must be relative to $inc.
++                    $snippet_file = substr $snippet_file, length($inc) + 1;
++
+                     my $done_key = $name . ':' . $snippet_file;
+                     next if $done{$done_key};
+                     get_logger("Model::Loader")->info("Found snippet 
$snippet_file");
+@@ -1260,7 +1267,7 @@
+     get_logger("Model::Loader")->info("load model $load_file");
+ 
+     my $err_msg = '';
+-    $load_file = "./$load_file" if $load_file !~ m!^/! and -e $load_file ;
++    # do searches @INC if the file path is not absolute
+     my $model   = do $load_file;
+ 
+     unless ($model) {
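Review bot: the `substr $snippet_file, length($inc) + 1` line in the second nested hunk also changes the `%done` deduplication key from an absolute path to an @INC-relative one, so a snippet present in two @INC directories is now loaded only from the first one found; this matches the "system version may clobber dev version" comment but is a behaviour change that deserves a sentence in the Description. The same `substr` assumes every path returned by `glob("$snippet_dir/*.pl")` starts with exactly `"$inc/"`, which holds for that pattern but would break if `$snippet_dir` were ever built differently. In the third nested hunk the replacement comment `# do searches @INC if the file path is not absolute` is accurate, since a relative path not starting with `./` makes `do` search @INC, which is precisely why removing the `"./$load_file"` prefix closes the cwd lookup. Minor: "snippts" in the Description.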
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-use-lib 
libconfig-model-perl-2.097/debian/patches/remove-use-lib
--- libconfig-model-perl-2.097/debian/patches/remove-use-lib    1970-01-01 
01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-use-lib    2017-05-14 
18:20:55.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Remove use lib from GenClassPod.pm
+ genclasspod: remove use lib, not needed and causes a security hole when using 
cme on untrusted Debian package files
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0373
+Author: Dominique Dumont <[email protected]>
+Origin: upstream
+Applied-Upstream: v 2.102
+--- a/lib/Config/Model/Utils/GenClassPod.pm
++++ b/lib/Config/Model/Utils/GenClassPod.pm
+@@ -17,7 +17,6 @@
+ use parent qw(Exporter);
+ our @EXPORT = qw(gen_class_pod);
+ 
+-use lib qw/lib/;
+ use Path::Tiny ;
+ use Config::Model ;             # to generate doc
+ 
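Review bot: `Applied-Upstream: v 2.102` has a stray space, unlike `v2.102` in remove-inc-dot-emulation; make the two headers consistent. Dropping `use lib qw/lib/;` is the right fix: that relative entry was prepended to @INC and resolved against whatever directory cme was run from, so the `use Config::Model` on the following line could have been satisfied from an untrusted working directory, which is the hole the Description refers to.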
diff -Nru libconfig-model-perl-2.097/debian/patches/series 
libconfig-model-perl-2.097/debian/patches/series
--- libconfig-model-perl-2.097/debian/patches/series    2016-12-22 
19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/series    2017-05-14 
18:20:55.000000000 +0200
@@ -1,2 +1,4 @@
 #fix-cryptic-message
 fix-debci
+remove-use-lib
+remove-inc-dot-emulation
diff -Nru libconfig-model-perl-2.097/debian/rules 
libconfig-model-perl-2.097/debian/rules
--- libconfig-model-perl-2.097/debian/rules     2016-12-22 19:18:27.000000000 
+0100
+++ libconfig-model-perl-2.097/debian/rules     2017-05-14 18:20:55.000000000 
+0200
@@ -11,4 +11,4 @@
 
 override_dh_auto_test:
        mkdir -p $(BUILDHOME)
-       HOME=$(BUILDHOME) dh_auto_test
+       PERL5LIB=. HOME=$(BUILDHOME) dh_auto_test
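Review bot: `PERL5LIB=.` puts the current directory back into @INC for the entire test run, which is exactly what the remove-inc-dot-emulation Description asks for, and since it is scoped to `override_dh_auto_test` it does not weaken the fix for installed code. A one-line comment above this target pointing at that patch would tell a future maintainer the setting is deliberate and should not be dropped or widened to other targets.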

--- End Message ---
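A runnable illustration of the mechanism the request describes, added here and not part of the message or of libconfig-model-perl itself: snippet files are located under each @INC entry and loaded with `do` through a path relative to that entry, so nothing is ever executed from the current working directory unless '.' has been put into the search list on purpose. The directory layout, file names and snippet contents below are constructed for the demo and assume nothing about the package beyond what the patch description states.

```perl
#!/usr/bin/perl
# Added example, not code from libconfig-model-perl: loads "model snippet"
# files the way the remove-inc-dot-emulation patch does, by resolving each
# snippet through @INC instead of the current working directory. Directory
# layout, file names and snippet contents below are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $content;
    close $fh or die "cannot close $path: $!";
}

# One trusted library directory (what @INC normally holds) and one untrusted
# working directory, each with an "Example.d" snippet directory.
my $root      = tempdir(CLEANUP => 1);
my $trusted   = "$root/lib";
my $untrusted = "$root/cwd";
make_path("$trusted/Example.d", "$untrusted/Example.d");
write_file("$trusted/Example.d/base.pl",    '+{ origin => "trusted lib" }');
write_file("$untrusted/Example.d/extra.pl", '+{ origin => "current directory" }');

# Search the given @INC-style list for "$name.d/*.pl" snippets and load each
# one via 'do' with a path relative to its @INC entry, as the patch does. A
# relative path that does not start with "./" makes 'do' search @INC, so a
# snippet is only ever loaded from a directory that is explicitly in @INC.
sub load_snippets {
    my ($name, @inc) = @_;
    my (%done, @loaded);
    foreach my $inc (@inc) {
        my $snippet_dir = "$inc/$name.d";
        next unless -d $snippet_dir;
        foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
            # strip "$inc/" so the remaining path is relative to the @INC entry
            my $rel = substr $snippet_file, length($inc) + 1;
            next if $done{$rel}++;   # same relative path in a later dir is skipped
            local @INC = @inc;
            my $snippet = do $rel;
            die "cannot load $rel: " . ($@ || $!) unless $snippet;
            push @loaded, $snippet->{origin};
        }
    }
    return @loaded;
}

chdir $untrusted or die "cannot chdir to $untrusted: $!";

# Hardened behaviour: only the trusted directory is searched, so the snippet
# placed in the current directory is never executed.
print "fixed:  $_\n" for load_snippets('Example', $trusted);

# Pre-fix behaviour, where '.' was appended to the search list (this is also
# what PERL5LIB=. does for the package's test suite): the cwd snippet runs too.
print "legacy: $_\n" for load_snippets('Example', $trusted, '.');
```

Running it prints `fixed:  trusted lib` once, then `legacy: trusted lib` and `legacy: current directory`; the only difference between the two calls is whether '.' is in the search list, which is what the patch and the `PERL5LIB=.` test setting respectively remove and restore.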
--- Begin Message ---
Unblocked libconfig-model-perl.

--- End Message ---
