Hi Security Team, I have now prepared a preliminary update for libmojolicious-perl; see the attached debdiff. Do you agree with the changes? How should I proceed?
Note: reviewing the upstream Changes file from the version in stable up to the version in squeeze, the relevant entries are the following: 0.999928 2010-08-15 00:00:00 - Fixed a security problem with CGI environment detection. [...] This is related to upstream commits b3a1fb453eda447c0bb082cd9eed81bb75a7564a and aa7c8da54b1ebd4ccb64aa66dede7b7cdb381c44. And 0.999927 2010-08-15 00:00:00 [...] - Fixed a security problem in the HMAC MD5 implementation. (vti), for which I have not yet found the relevant git commit. Would you like these addressed too? Best regards, Salvatore
diff -Nru libmojolicious-perl-0.999926/debian/changelog libmojolicious-perl-0.999926/debian/changelog
--- libmojolicious-perl-0.999926/debian/changelog 2010-06-27 13:21:44.000000000 +0200
+++ libmojolicious-perl-0.999926/debian/changelog 2011-04-16 13:06:38.000000000 +0200
@@ -1,3 +1,14 @@
+libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
+
+ * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
+ traversal security vulnerability (Closes: #622952).
+ * Add improve-RFC3986-compliance-of-Mojo-Path.patch backported from
+ upstream commit 748ef373291dd342c18a0811f967ea0d88df5368. This
+ prevents FTBFS with the applied security patch. Thanks to Ansgar
+ Burchardt (ansgar) for suggestion.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 16 Apr 2011 12:40:57 +0200
+
 libmojolicious-perl (0.999926-1) unstable; urgency=low
 
 * Initial Release (Closes: #578518)
diff -Nru libmojolicious-perl-0.999926/debian/patches/622952-path-traversal-vulnerability.patch libmojolicious-perl-0.999926/debian/patches/622952-path-traversal-vulnerability.patch
--- libmojolicious-perl-0.999926/debian/patches/622952-path-traversal-vulnerability.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmojolicious-perl-0.999926/debian/patches/622952-path-traversal-vulnerability.patch 2011-04-16 12:42:47.000000000 +0200
@@ -0,0 +1,76 @@
+Description: Fix path traversal security vulnerability
+Origin: backport, commit: b09854988c5b5b6a2ba5
+Bug: https://github.com/kraih/mojo/issues/114
+Bug-Debian: http://bugs.debian.org/622952
+Forwarded: no
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2011-04-16
+
+--- a/lib/Mojo/Path.pm
++++ b/lib/Mojo/Path.pm
+@@ -85,6 +85,9 @@
+ $self->leading_slash(1) if $path =~ /^\//;
+ $self->trailing_slash(1) if $path =~ /\/$/;
+ 
++ # Unescape
++ $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
++
+ # Parse
+ my @parts;
+ for my $part (split '/', $path) {
+@@ -93,7 +96,7 @@
+ next unless length $part;
+ 
+ # Store
+- push @parts, b($part)->url_unescape($Mojo::URL::PCHAR)->to_string;
++ push @parts, $part;
+ }
+ 
+ $self->parts(\@parts);
+--- a/t/mojo/path.t
++++ b/t/mojo/path.t
+@@ -5,7 +5,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests => 3;
++use Test::More tests => 11;
+ 
+ # This is the greatest case of false advertising I???ve seen since I sued the
+ # movie ???The Never Ending Story.???
+@@ -14,3 +14,18 @@
+ my $path = Mojo::Path->new;
+ is($path->parse('/path')->to_string, '/path', 'right path');
+ is($path->parse('/path/0')->to_string, '/path/0', 'right path');
++
++# Canonicalizing
++$path = Mojo::Path->new(
++ '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
++is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
++ 'rigth result';
++is $path->parts->[0], '..', 'right part';
++$path = Mojo::Path->new(
++ '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], 'test', 'right part';
++is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
+--- a/t/mojo/url.t
++++ b/t/mojo/url.t
+@@ -121,12 +121,12 @@
+ is($url->userinfo, undef, 'no userinfo');
+ is($url->host, 'acme.s3.amazonaws.com', 'right host');
+ is($url->port, undef, 'no port');
+-is($url->path, '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
++is($url->path, '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+ ok(!$url->query, 'no query');
+ is_deeply($url->query->to_hash, {}, 'right structure');
+ is($url->fragment, undef, 'no fragment');
+ is("$url",
+- 'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
++ 'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
+ 'right format');
+ 
+ # Clone (advanced)
diff -Nru libmojolicious-perl-0.999926/debian/patches/improve-RFC3986-compliance-of-Mojo-Path.patch libmojolicious-perl-0.999926/debian/patches/improve-RFC3986-compliance-of-Mojo-Path.patch
--- libmojolicious-perl-0.999926/debian/patches/improve-RFC3986-compliance-of-Mojo-Path.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmojolicious-perl-0.999926/debian/patches/improve-RFC3986-compliance-of-Mojo-Path.patch 2011-04-16 12:36:18.000000000 +0200
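Review bot: The new t/mojo/path.t assertions show that `canonicalize` on the decoded path still leaves `..` as `parts->[0]`, so any caller that maps a Mojo::Path onto the filesystem must still reject or strip leading `..` segments — this patch closes the `%2f` decoding bypass in `parse` but does not make the resulting path safe by itself. The changed t/mojo/url.t expectation also documents a behaviour change that the patch header does not mention: an encoded slash inside a segment no longer round-trips and becomes a separator, which is worth appending to the `Description:` field, e.g. ` Percent-encoded slashes (%2F) are now decoded before the path is split, so they act as path separators.`. The modified `parse` sub in lib/Mojo/Path.pm starts and ends outside the hunk. The added test descriptions spell `'rigth result'`; since this is a backport of an upstream commit, that typo is better fixed upstream than diverged here.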
@@ -0,0 +1,73 @@
+Description: Improve RFC3986 compliance of Mojo::Path.
+Origin: backport, commit: 748ef373291dd342c18a
+Forwarded: no
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2011-04-16
+
+--- a/lib/Mojo/Path.pm
++++ b/lib/Mojo/Path.pm
+@@ -92,8 +92,11 @@
+ my @parts;
+ for my $part (split '/', $path) {
+ 
+- # Garbage
+- next unless length $part;
++ # Empty parts before the first are garbage
++ next unless length $part or scalar @parts;
++
++ # mpty parts behind the first are ok
++ $part = '' unless defined $part;
+ 
+ # Store
+ push @parts, $part;
+--- a/t/mojo/url.t
++++ b/t/mojo/url.t
+@@ -7,7 +7,7 @@
+ 
+ use utf8;
+ 
+-use Test::More tests => 111;
++use Test::More tests => 117;
+ 
+ use Mojo::ByteStream 'b';
+ 
+@@ -236,3 +236,17 @@
+ . '%D1%88%D0%B0%D1%80%D0%B8%D1%84%D1%83%D0%BB%D0%B8%D0%BD',
+ 'right format'
+ );
++
++# Empty path elements
++$url = Mojo::URL->new('http://kraih.com/foo//bar/23/');
++$url->base->parse('http://kraih.com/');
++is($url->is_abs, 1);
++is($url->to_rel, '/foo//bar/23/');
++$url = Mojo::URL->new('http://kraih.com//foo//bar/23/');
++$url->base->parse('http://kraih.com/');
++is($url->is_abs, 1);
++is($url->to_rel, '/foo//bar/23/');
++$url = Mojo::URL->new('http://kraih.com/foo///bar/23/');
++$url->base->parse('http://kraih.com/');
++is($url->is_abs, 1);
++is($url->to_rel, '/foo///bar/23/');
+--- a/t/mojox/routes/routes.t
++++ b/t/mojox/routes/routes.t
+@@ -347,8 +347,8 @@
+ $m = MojoX::Routes::Match->new($tx)->match($r);
+ is($m->stack->[0]->{controller}, 'wild');
+ is($m->stack->[0]->{action}, 'card');
+-is($m->stack->[0]->{wildcard}, 'http:/www.google.com');
+-is($m->url_for, '/wildcards/1/http:/www.google.com');
++is($m->stack->[0]->{wildcard}, 'http://www.google.com');
++is($m->url_for, '/wildcards/1/http://www.google.com');
+ is(@{$m->stack}, 1);
+ $tx = Mojo::Transaction::HTTP->new;
+ $tx->req->method('GET');
+@@ -357,7 +357,7 @@
+ is($m->stack->[0]->{controller}, 'wild');
+ is($m->stack->[0]->{action}, 'card');
+ is($m->stack->[0]->{wildcard}, 'http://www.google.com');
+-is($m->url_for, '/wildcards/1/http:/www.google.com');
++is($m->url_for, '/wildcards/1/http://www.google.com');
+ is(@{$m->stack}, 1);
+ 
+ # Format
diff -Nru libmojolicious-perl-0.999926/debian/patches/series libmojolicious-perl-0.999926/debian/patches/series
--- libmojolicious-perl-0.999926/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmojolicious-perl-0.999926/debian/patches/series 2011-04-16 12:26:55.000000000 +0200
@@ -0,0 +1,2 @@
+622952-path-traversal-vulnerability.patch
+improve-RFC3986-compliance-of-Mojo-Path.patch
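Review bot: The comment added in the lib/Mojo/Path.pm hunk reads `# mpty parts behind the first are ok` and should be `# Empty parts behind the first are ok`. The guard on the following line, `$part = '' unless defined $part;`, looks like a no-op here: `split '/'` with no capture group in the pattern yields empty strings, not undef, for adjacent separators — harmless, but worth confirming against the upstream commit before carrying it in the backport. Note that because the preceding security patch now decodes `%2F` before the split, a doubled encoded slash will produce exactly the empty parts this patch keeps in `parts`, so code that compares path segments should expect `''` entries. The enclosing `parse` sub starts and ends outside the hunk.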