Bug 152845
Summary: | CAN-2004-0452, CAN-2004-0976, CAN-2005-0155, CAN-2005-0156, CAN-2005-0448 multiple perl vulns | ||
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | David Lawrence <dkl> |
Component: | perl | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bugzilla.redhat, deisenst, jpdalbec, mattdm, mjc, pekkas, redhat-bugzilla |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | 1, LEGACY, rh73, rh90, 2 | ||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2006-01-24 23:29:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 176731 | ||
Attachments: |
Description
David Lawrence
2005-03-30 23:29:28 UTC
*** Bug 136326 has been marked as a duplicate of this bug. ***

We also need FC2 packages here.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New packages available from www.fedoralegacy.org/contrib/perl:

sha1sums:
28852d9a69ca496003539cb7bc0b8dfefd4e976e perl-5.6.1-38.0.7.3.legacy.i386.rpm
a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm
96ec8de6c683eaefd0438a690a34e6b3c9ddc632 perl-CGI-2.752-38.0.7.3.legacy.i386.rpm
6aa4a91e5a5db3c4abeab159180fe322545774d4 perl-CPAN-1.59_54-38.0.7.3.legacy.i386.rpm
745db16e8eed1628119486f2c23728102b54ff91 perl-DB_File-1.75-38.0.7.3.legacy.i386.rpm
f27b852928b216b744501a98d9b66725e16a4e31 perl-NDBM_File-1.75-38.0.7.3.legacy.i386.rpm
730278d78467815c7c7a668b66744c31f7898b3c perl-suidperl-5.6.1-38.0.7.3.legacy.i386.rpm
f2d8a62e9e706b9f5a9cd05e01aedb70a81baf77 perl-5.8.0-90.0.9.legacy.i386.rpm
091966a58e7ec33f338dc1cedc361f5329850784 perl-5.8.0-90.0.9.legacy.src.rpm
97527dc626a0697d371c96dc43bdb536659bfb7c perl-CGI-2.81-90.0.9.legacy.i386.rpm
40e4711a83c9a9197625dc14fd7febff3f56bb19 perl-CPAN-1.61-90.0.9.legacy.i386.rpm
6f428af51926e0db73be0d32442831d09aeab6eb perl-DB_File-1.804-90.0.9.legacy.i386.rpm
36bd2d612945974fd807e9a208740bb12fd8d335 perl-suidperl-5.8.0-90.0.9.legacy.i386.rpm
55fc6e964b174f99b55a939318def0eb2825c600 perl-5.8.3-18.1.legacy.i386.rpm
c0c9e8b56e5a7ad86bd989072b88fa063d00be1d perl-5.8.3-18.1.legacy.src.rpm
026db63cf7f996c2d3ed456c4dd3058ab7d29330 perl-suidperl-5.8.3-18.1.legacy.i386.rpm

I had to modify the Gentoo patch to remove the "unless $!{ENOENT}" clause because that was causing build failures. The original Gentoo patch works fine as long as your installed Perl was built on the exact Linux kernel version you're running. Otherwise Errno.pm errors out.

The RHL 7.3 and 9 packages are not guaranteed to build properly in Mach because the build script assumes that "rpm -ql" works. I haven't heard any suggestions about how to work around this. Should I assume that the files in question are set in stone now and just build the lists by hand?

I installed the RHL 7.3 packages on a test box and rebooted. I haven't noticed any problems.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFC3QbbJL4A+ldA7asRAhw5AJ9T2LVywo2bGvUbq56x3Q7Je7jUDACguM45
JyorZMWaUnuioHHPksUozx4=
=rlNq
-----END PGP SIGNATURE-----

P. S. Which patches are needed for FC2?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AFAICS, FC2's perl-5.8.3-18 doesn't include any of these fixes, so everything should be included there as well.

Analysis of the patches:

perl-5.6.1-CAN-2005-0448-rmtree.patch: ASCII English text -> OK, gentoo ==> matches http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/CAN-2005-0448-rmtree.patch
perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch: ASCII English text ==> matches RHEL3's perl-DBI's tmpfix patch.
perl-5.6.1-cgi.pm.patch ==> matches RHEL3's perl-5.8.0-CGI-encoded-path.patch
perl-5.6.1-CAN-2005-0155-0156-perlio.patch ==> matches RHEL3's perl-5.8.0-bug33990.patch
perl-5.8.0-tempfile-5.8.3-backport.patch ==> is pretty close but not quite equal to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325 and the gentoo bug.

Notes:
- What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?
- FC1 includes only solar's tmpfile patch!?!
- FC2 has apparently been done against a previous version, not 5.8.3-18, as FC changes adding perl-5.8.3-empty-rpath.patch and perl-5.8.3-findbin-selinux.patch were lost.
- There have been a substantial amount of changes in the spec file for FC1 and FC2.
- RHL73 has the perlio and cgi.pm patches commented out (???).
- In all the versions, perl-DBI patch has been commented out (??)
- in at least RHL73 and RHL9, there have been changes in PKGS line in the spec file, removing at least libgr-devel. Is there a reason for these changes?
- could you tell a bit about the methodology used to construct the tempfile backport for 5.6.1?
- Note that 5.8.3 does not completely solve the tempfile issues, at least this is what the remainder patch in gentoo leads to believe: http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC3pBdGHbTkzxSL7QRApziAJ9cAboAWNU7Os0ARZmheD+W3MYbjACgmxMY
YB0XhAYouRD0/d3+0tdcUmA=
=Sf4I
-----END PGP SIGNATURE-----

Notes:
- What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?

------- Additional Comments From marcdeslauriers 2005-03-05 15:30:25 ----

Hey John, the patch you backported in comment #1...there seems to be a bunch of stuff missing from it if I compare it to the one in Red Hat's bugzilla. For example:

--- perl-5.8.3.orig/ext/DB_File/DB_File.pm Mon Jan 19 18:46:25 2004 +++ perl-5.8.3/ext/DB_File/DB_File.pm Mon Jan 19 20:14:11 2004 @@ -1821,7 +1821,7 @@ use DB_File ; my %hash ; - my $filename = "/tmp/filt" ; + my $filename = "/var/run/filt" ; unlink $filename ; my $db = tie %hash, 'DB_File', $filename, O_CREAT|O_RDWR, 0666, $DB_HASH
@@ -1863,7 +1863,7 @@ use strict ; use DB_File ; my %hash ; - my $filename = "/tmp/filt" ; + my $filename = "/var/run/filt" ; unlink $filename ;

What was your source? Am I missing something?

------- Additional Comments From jpdalbec 2005-03-07 03:24:51 ----

I had to strip out those hunks because they were already included in the existing perl-5.6.1-solartmp.patch.

- FC1 includes only solar's tmpfile patch!?!

Did you download the correct RPM?

- FC2 has apparently been done against a previous version, not 5.8.3-18, as FC changes adding perl-5.8.3-empty-rpath.patch and perl-5.8.3-findbin-selinux.patch were lost.

I haven't built an FC2 RPM yet so I don't know what you mean here.

- There have been a substantial amount of changes in the spec file for FC1 and FC2.

Compared to RHL73 and RHL9, you mean?

- RHL73 has the perlio and cgi.pm patches commented out (???).

I couldn't find anything resembling the affected code in perlio.c; the affected code in CGI.pm was already commented out, prefaced by "# If anybody knows why I ever wrote this please tell me!"

- In all the versions, perl-DBI patch has been commented out (??)

I couldn't find DBI in the source tree. It appears to come from a different source RPM (perl-DBI). Should that be a separate bug?

- in at least RHL73 and RHL9, there have been changes in PKGS line in the spec file, removing at least libgr-devel. Is there a reason for these changes?

There is no libgr-devel package in RHL73 or RHL9. I think I removed a couple other packages that don't exist as well.

- could you tell a bit about the methodology used to construct the tempfile backport for 5.6.1?

1. Add original patch to .spec file.
2. rpm -bp
3. See what hunks fail to apply.
4. If a hunk is already applied, remove it from the patch.
5. If nothing in the code looks like the hunk applies to it, remove the hunk from the patch.
6. Fix the remaining hunks.

- Note that 5.8.3 does not completely solve the tempfile issues, at least this is what the remainder patch in gentoo leads to believe: http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch

I'll take a look at it.

On further review of the .spec file, PKGS doesn't matter because the filter selects only files in /usr/include/include/, which doesn't exist! Should I fix that? It doesn't seem to have bothered anyone so far, and it's not a security issue. The (RHL 7.3) package still builds OK if I make the change. Of course I still need to deal with the Mach issue unless we're not using Mach for our build system any more.

Sorry, I thought 'perl-5.8.3-18.1.legacy.src.rpm' was for FC2, and .17.1.legacy for FC1, but I was wrong. In any case, I think perl-5.8.3-18.1.legacy.src.rpm needs to be renamed to be numerically smaller than FC2's package (perl-5.8.3-18.src.rpm), e.g., perl-5.8.3-17.2.legacy.src.rpm?

With regard to the spec file changes, FC1 packages have a lot of whitespace changes which don't seem to be necessary?

Perlio indeed doesn't seem to be needed for RHL73. Also agree on cgi.pm. Perl-DBI seems to require its own patches, yes. I'd prefer not to modify PKGS line from what has been shipped by Red Hat unless it's required for the packages to build. I guess I'd have to review the solartmp patch(es); the other patches look good as is.

Created attachment 118908 [details]
A test of CGI.pm my FC1 build of perl-5.8.3 fails (perl scripts and output) - related to perl-5.8.3-cgi.pm.patch

Source QA for the Fedora Core 1 .src.rpm.

c0c9e8b56e5a7ad86bd989072b88fa063d00be1d perl-5.8.3-18.1.legacy.src.rpm downloaded from www.fedoralegacy.org/contrib/perl,

Sources:
* source rpm perl-5.8.3.tar.gz appears pristine
* All previous patches from FC1's perl-5.8.3-16.src.rpm are the same.

Patches: I did my comparisons with similar patches from Debian.

* perl-5.8.3-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448 patch. Is properly commented out in the spec file.

* perl-5.8.3-CAN-2005-0077-perl-DBI-tmpfile.patch: This patch does not belong with this .srpm package. Instead, it should patch the perl-DBI .srpm package (in FC1, perl-DBI-1.37-1.src.rpm).

* perl-5.8.3-CAN-2005-0155-0156-perlio.patch: Same as Debian's. Good.

* perl-5.8.3-CAN-2005-0448-rmtree.patch: Looks good. This is major surgery on lib/File/Path.pm, but this seems to be the standard fix. Only a very slight difference from Debian's patch, and ours seems fine. ("<" Debian's; ">" ours):

44c44 < @@ -166,111 +157,129 @@ --- > @@ -166,111 +157,133 @@ 75c75,79 < + my ($dev, $ino) = lstat $path or return 0; --- > + my ($dev, $ino) = lstat $path or do { > + carp "Can't stat $prefix$path ($!)";# unless $!{ENOENT}; > + return 0; > + }; > +

* perl-5.8.3-cgi.pm.patch: This patch causes some problems. When doing the build phase (rpmbuild -bc), during the regression tests, one of the tests of lib/CGI.pm fails (from my build log):

    lib/CGI/t/request....................FAILED at test 15
    ...
    Failed 1 test script out of 821, 99.88% okay.
    ### Since not all tests were successful, you may want to run some of
    ### them individually and examine any diagnostic messages they
    ### produce. See the INSTALL document's section on "make test".

The test does not fail on the CGI.pm in my present install of perl-5.8.3-16. I created a slightly more instrumented version of request.t, and ran it according to the INSTALL instructions (both request.t and my_request.t are enclosed, along with the output of both in tests.tar.gz):

Am attempting to investigate whether or not this patch for perl-5.8.0 is valid for FC1's perl-5.8.3 .... It appears that this patch was supplied by an end-user and was thrown in by Red Hat for the RHEL 3 Linux product (see Bug #140227), during their fix (RHSA-2005-105). Note particularly where the end user notes, "Later issues of perl seem to have this fixed." (Bug #140227 comment 0).

John, does this test fail on any of your compiles/builds? Isn't the distro that you use RH 7.3? Does it fail in any other builds of other distros?

... to be continued ...

Created attachment 119002 [details]
comment9.tar.gz - patches, comments (see bug 152845 comment 9)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

da39e2723072e29a8e5831210f20591de1ab735c comment9.tar.gz (attached)

* perl-5.8.3-cgi.pm.patch (continued): This patch is unnecessary and should be removed. The bug that perl-5.8.0-CGI-encoded-path.patch fixes in perl-5.8.0 appears to already be fixed in existing code in perl-5.8.3's CGI.pm.
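Review bot: in the 75c75,79 difference between Debian's rmtree patch and ours, the ENOENT test was not removed but left behind as a trailing comment (`carp "Can't stat $prefix$path ($!)";# unless $!{ENOENT};`), so the carp now fires on every failed lstat, including the ENOENT case that the original clause existed to keep quiet; comment 3 explains the clause was dropped because Errno.pm errors out when the installed Perl was built on a different kernel version. The function returns 0 either way, so the change is safe, only noisier; either delete the dead comment or turn it into a note pointing at the Errno.pm build problem, so a later maintainer does not re-enable it without knowing why it was disabled.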
This patch adds a bit of code that essentially duplicates adding backslashes (or "quoting") certain characters that CGI.pm's existing use of the internal "quotemeta" Perl function already is doing, so including this patch breaks the code. For more details, see the file "About_perl-5.8.3-cgi.pm.patch_.txt" in the CGI.pm/ directory of the attached tarball.

* perl-5.8.3-tempfile.patch -- This must be the solartmp patch, for CAN-2004-0976? It compares very favorably with the Debian patch for insecure tempfiles. It patches quite a bit more than the Debian patch (mostly documentation). It looks okay, but I have made a couple of tweaks for that patch file, that changes it to be a little more like Debian's patch in a few places where it makes sense to do so. The tweaks are in the attached tarball in directory tempfile/. The original file is "perl-5.8.3-tempfile.patch.ori", and my tweaked patch file is "perl-5.8.3-tempfile.patch". For comparison, Debian's patch is also there, called "09_fix_insecure_tempfiles", gleaned from their <http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8.diff.gz>.

* perl.spec -- Enclosed is an update to perl.spec from perl-5.8.3-18.1.src.rpm:
1) Changed the release to make it perl-5.8.3-17.3.legacy so it will not conflict with Fedora Core 2's perl
2) Restored the white-space that was in the previous release's, (perl-5.8.3-16's) specfile.
3) Removed the CAN-2005-0077 patch as it does not apply to this package.
4) Removed the perl-5.8.3-cgi.pm.patch, as discussed above.

The "perl-5.8.3-16.spec" (from RH's FC1 perl update of March, 2004), "perl.spec.ori" (from perl-5.8.3-18.1.src.rpm), and "perl.spec" (my update) can all be found in the specfile/ directory of the tarball.

I've built and installed rpms from the .src.rpm resulting from these changes, and run a number of perl programs from it, including a .cgi program, and all seem to work well. Plan to post an updated .src.rpm within the next day or so.

If you have any thoughts or comments about the changes, please let me know. Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDLxZixou1V/j9XZwRAl4hAJ0caE2CgTKek7Ya3UXYUe95a7O9iACgwmcJ
bApwyV+/K3m6EupY/STEROw=
=yD3J
-----END PGP SIGNATURE-----

$ cat <comment 9> | expand | gpg --verify

Bugzilla changes spaces to tabs so signature doesn't verify otherwise.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated perl package to QA for FC1. It updates John Dalbec's FC1 perl-5.8.3.18.1.legacy.src.rpm source package:

4cc87b1cc3df776fd4b938ee4ef335a92f3e0c20 perl-5.8.3-17.3.legacy.src.rpm
http://www.fedoralegacy.org/contrib/perl/perl-5.8.3-17.3.legacy.src.rpm

FC1 Changelog: (nb: I've munged email addresses here for spambots... Full email addy's are in srpm.)

* Sun Sep 19 2005 David Eisenstein <deisenst@...> 3:5.8.3-17.3.legacy
- - Remove patch1005: perl-5.8.3-cgi.pm.patch introduces a bug and is unnecessary. See bug # 152845 comment 9.

* Tue Sep 13 2005 David Eisenstein <deisenst@...> 3:5.8.3-17.2.legacy
- - Re-do version number for FC1 release so as not to conflict with FC2.
- - Put whitespace back to make an easier compare with 5.8.3-16
- - Remove patch for CAN-2005-0077 since it patches perl-DBI package, not this one.

* Thu Jul 14 2005 John Dalbec <jpdalbec@...> 3:5.8.3-18.1.legacy
- - integrate fixes for CAN-2004-0452 CAN-2005-0077 CAN-2005-0155 CAN-2005-0156 CAN-2005-0448 and a CGI.pm DoS.

* Thu Dec 9 2004 John Dalbec <jpdalbec@...> 3:5.8.3-17.1.legacy
- - integrate tmpfile patch from OWL/solar designer

Please test and comment. Thank you.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDMQcwxou1V/j9XZwRAmXzAKCIHsOpwvJEOHDxa3Riq3HRg2OjwgCguFMy
sSInPW+BsCtWu0DVPkkY8aI=
=DdWb
-----END PGP SIGNATURE-----

It seems that Patch1001 could be commented out because it's not applied..

The two patches look good, but I'm still having issues with the solar tmpfile patch. The first version proposed by John was 30K. Debian has similar elements, but that's only 10K. It's nontrivial to figure out the rest. Do you know the source for the solar's patch? Is there something to compare the 30K patch we're using against?

In the overlapping parts, there are some differences wrt. whether the paths are included or not compare "my $filename = filt" vs "my $filename = /var/run/filt" and on ppport.pm. It's not clear how I could determine which one is correct.

I believe I created the solar tmpfile patch starting with the patch from bug #136325 ("needs backporting") and removed/fixed hunks that didn't apply or were already applied by the previous solar tmpfile patch.

(In reply to comment #12)
> It seems that Patch1001 could be commented out because it's not applied..

Can do.

> The two patches look good, but I'm still having issues with the solar
> tmpfile patch. The first version proposed by John was 30K. Debian has
> similar elements, but that's only 10K. It's nontrivial to figure out the
> rest. Do you know the source for the solar's patch? Is there something
> to compare the 30K patch we're using against?

I went through the patch file "perl-5.8.3-tempfile.patch" practically line-by-line, comparing it to both the Debian patch-file for tempfile issues and assessing the effect of most every patch in it to the original sources. I agree, at 30,629 bytes, it weighs in pretty big. Also it touches a lot of perl .pm files, some perhaps unnecessarily. When I reviewed all of the patches, where the hunks differ from Debian's usually ends up inconsequential. Why? Because the places it differs from Debian's is patching *documentation* -- sample code, not real code. A lot of that 30k of patch-file is changing the POD sections of those pm's -- those parts that are converted into Perl's man-pages.

> In the overlapping parts, there are some differences wrt. whether the paths
> are included or not compare "my $filename = filt" vs "my $filename =
> /var/run/filt" and on ppport.pm. It's not clear how I could determine which
> one is correct.

I see what you mean, Pekka. Again, most of those places are doc sections. But I also see the difference in the hunk that patches "perl-5.8.3/ext/Devel/PPPort/PPPort.pm". Although the solartmp patch may work there, the Debian patch is no doubt correct and looks better to me.

Also many hunks of the solartmp patch are unnecessary, since all they are patching are docs, and we're interested in security issues. Making a doc say "$HOME/$file" instead of "/tmp/$file" is arguably not a security issue per se. Furthermore one of the hunks, the only patch to CGI.pm,

--- perl-5.8.3.orig/lib/CGI.pm Mon Jan 19 18:46:25 2004 +++ perl-5.8.3/lib/CGI.pm Sun Jan 25 16:45:26 2004 @@ -2,6 +2,9 @@ require 5.004; use Carp 'croak'; +# XXX: The temporary file handling implemented in here is crap. It should +# be re-done making use of File::Temp. + # See the bottom of this file for the POD documentation. Search for the # string '=head'.

seems a rather useless patch: even were the added comment demonstrably true, it's a bit unprofessional. If the patcher thinks the work should be done, then he should do it rather than adding desultory comments. The less unnecessary things we patch, the better.

Would it be satisfactory to port the Debian patch to replace the solartmp patch, Pekka? John? Matt? Marc? Would anyone vote PUBLISH? Further, if I did this for the FC1 package, would it need to be backported to all the others?

Oh, now I found the Owl original patch: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/perl/perl-5.8.3-owl-tmp.diff

There was one relevant diff: [the first is Owl, the second is ours]

< + unlink($TMP, '$SAFEDIR/a.out'); --- > + unlink($TMP, "$SAFEDIR/a.out");

.. though I think ours is correct because '$ENV' doesn't seem to make sense if the variable isn't expanded..

So, I can give FC1 version posted a PUBLISH. It's not fully clear what else may be needed. I.e., do we need new packages for other distros or are they good enough (but just lacking publish) ?

Well, the only major problem that I found in the FC1 version, "perl-5.8.3-cgi.pm.patch", should not be an issue for the RH7.3 and RH9 versions of Perl. The RH9 version will probably be okay; but what were you QA'ing in Comment #4, Pekka? I'll look at the RH9 and RH7.3 packages hopefully shortly (am concentrating on Mozilla right now) and do source QA on them.

Do we still need a source rpm package for FC2? My reading of this bugzilla is that one hasn't been proposed yet.

I think John proposed FC2 package, but it didn't look good. I was looking at the RPMs that john had proposed in #3, AFAIR.
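The tempfile points raised in the comments above (the CGI.pm hunk's suggestion to redo temp handling with File::Temp, the single- versus double-quoted '$SAFEDIR/a.out' difference, and the predictable "/tmp/...$$" names the OWL/solar and Debian patches replace) can be seen side by side in a few lines of Perl. The script below is an added illustration, not code from the Fedora Legacy packages or from any of the patches under review; the function names and the scratch directory it creates are made up for the demonstration, and it never writes to the real /tmp.

```perl
#!/usr/bin/perl
# Added illustration of the insecure-tempfile pattern discussed in this bug
# (CAN-2004-0976) next to the safer alternatives. Not code from the perl
# packages or patches under review; function names and sample paths are
# constructed here for the demonstration.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# The pattern the patches remove: a name inside a shared directory that any
# local user can predict from the PID alone.
sub predictable_tmp_path {
    my ($dir) = @_;
    return "$dir/perldbtty$$";
}

# The per-user location Debian's patch uses ("$ENV{HOME}/.perldbtty$$"):
# still predictable, but in a directory other users cannot write to.
sub per_user_path {
    return "$ENV{HOME}/.perldbtty$$";
}

# O_EXCL makes the open fail if anything (a file or a symlink left there by
# another user) already exists at the path, instead of following it.
# Returns a filehandle, or undef with $! set.
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

# File::Temp chooses a random name and opens it with O_EXCL internally,
# which is what the "re-done making use of File::Temp" comment asks for.
sub open_random_tempfile {
    my ($dir) = @_;
    my ($fh, $name) = tempfile('perldbtty.XXXXXXXX', DIR => $dir, UNLINK => 1);
    return ($fh, $name);
}

# Demonstration inside a private scratch directory (constructed, cleaned up).
my $scratch = tempdir(CLEANUP => 1);

# Constructed precondition: something already sits at the predictable name.
my $guessable = predictable_tmp_path($scratch);
open(my $planted, '>', $guessable) or die "cannot create $guessable: $!";
close $planted;

my $fh = open_exclusive($guessable);
print "O_EXCL open of pre-existing $guessable: ",
      ($fh ? "succeeded (unexpected)" : "refused: $!"), "\n";

$fh = open_exclusive("$scratch/fresh-$$");
print "O_EXCL open of a fresh path: ", ($fh ? "succeeded" : "refused: $!"), "\n";
close $fh if $fh;

my ($tfh, $tname) = open_random_tempfile($scratch);
print "File::Temp created $tname\n";
close $tfh;

# The quoting difference found in the Owl version: single quotes do not
# interpolate, so unlink($TMP, '$SAFEDIR/a.out') names a literal file.
my $SAFEDIR = $scratch;
print "single-quoted form names: ", '$SAFEDIR/a.out', "\n";
print "double-quoted form names: ", "$SAFEDIR/a.out", "\n";

# Why "/var/run/perldbtty$$" is the wrong replacement for ordinary users.
printf "%s is writable by this user: %s\n", $_, (-w $_ ? 'yes' : 'no')
    for '/var/run', $ENV{HOME};
print "per-user path would be: ", per_user_path(), "\n";
```

Run as an unprivileged user: the O_EXCL open of the planted path is refused with "File exists", the fresh path and the File::Temp name succeed, and /var/run reports as not writable while the home directory does, which is the argument made later in this bug for preferring "$ENV{HOME}/.perldbtty$$" over "/var/run/perldbtty$$".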
(btw, I reported the solar tempfile issue with '' vs "" upstream, and they'll fix their patch.)

That was a good idea, reporting the tempfile issue regarding the '' quotes instead of the "" ones upstream. If I recall, this has been fixed upstream by the Perl maintainers in the most recent Perl versions.

Here's my understanding of the source packages that have been submitted for QA:

    Distro  Comment #   Submitted   Package Name
    ======  =========   =========   ===============================================
    RH73    Old Bgzla   2004-12-10  perl-5.6.1-37.0.7.3.legacy.i386.rpm (superseded)
    RH73    Comment 3   2005-07-19  perl-5.6.1-38.0.7.3.legacy.src.rpm
    RH9     Old Bgzla   2004-12-10  perl-5.8.0-89.0.9.legacy.src.rpm (superseded)
    RH9     Comment 3   2005-07-19  perl-5.8.0-90.0.9.legacy.src.rpm
    FC1     Old Bgzla   2004-12-10  perl-5.8.3-17.1.legacy.src.rpm (superseded)
    FC1     Comment 3   2005-07-19  perl-5.8.3-18.1.legacy.src.rpm (superseded)
    FC1     Comment 11  2005-09-21  perl-5.8.3-17.3.legacy.src.rpm (PUBLISH?)
    FC2     (Not yet submitted)
    ==============================================================================

The 5.8.3-18.1 was mistaken for an FC2 package when in fact John submitted it to be considered as an FC1 package. The confusion was due to the fact that the FC2 package released by Red Hat is numbered 5.8.3-18. That's why when I submitted the latest FC1 package, I renumbered it to 5.8.3-17.3. See FC1 changelog in comment 11.

In any event, a FC2 .src.rpm package is needed.

RHSA-2005:674-01 was issued a couple weeks ago for RHEL 4 (perl-5.8.5) to address CAN-2005-0448 (the rmtree issue). <http://rhn.redhat.com/errata/RHSA-2005-674.html> or <http://www.redhat.com/archives/enterprise-watch-list/2005-October/msg00006.html>.

"Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0448 to this issue."

(This CVE appears to not yet have been fixed for RHEL 3.)

For CAN-2005-0448 on RHEL3 see bug 161053.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source QA for the Red Hat 9 .src.rpm from comment 3.

091966a58e7ec33f338dc1cedc361f5329850784 perl-5.8.0-90.0.9.legacy.src.rpm downloaded from <www.fedoralegacy.org/contrib/perl>.

Sources:
* source tarball perl-5.8.0.tar.bz2 appears pristine.

New Patches: I did patch comparisons with RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3, 2005 and also referencing similar (new) patches from the FC1 perl-5.8.3 sources.

* perl-5.8.0-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448 patch. Is properly commented out in the spec file so it is not applied. (Although moot, it does match RHEL 3's perl-5.8.0-rmtree.patch.)

* perl-5.8.0-CAN-2005-0077-perl-DBI-tmpfile.patch: This patch does not belong with this .srpm package. Instead, it should patch the perl-DBI .srpm package (in RH9, perl-DBI-1.32-5.src.rpm). Though included, it is not applied, because there is nothing in here to apply it to.

* perl-5.8.0-CAN-2005-0155-0156-perlio.patch: Same as RHEL 3's perl-5.8.0-bug33990.patch. Looks good.

* perl-5.8.0-CAN-2005-0448-rmtree.patch: Looks good. Compares well with the similar patch in FC1's srpm, with minor alterations to fit 5.8.0's source file.

* perl-5.8.0-cgi.pm.patch: This is the same patch as RHEL 3's perl-5.8.0-CGI-encoded-path.patch. Looks good.

* perl-5.8.0-tempfile-5.8.3-backport.patch: This is a full implementation of the OWL/Solar temp patch. It includes the same bugs that we have noted before:

1) Line 732-733 -- Does the unlink($TMP, '$SAFEDIR/a.out'), rather than the more effective unlink($TMP, "$SAFEDIR/a.out"), that Pekka noticed in comment 15.

2) Lines 380, 389, and 490- These lines are attempting to replace: "/tmp/perldbtty$$" with: "/var/run/perldbtty$$" in both perl-5.8.0/lib/perl5db.pl and perl-5.8.0/pod/perlfaq5.pod. In this instance, I agree with Debian's approach, which instead replaces: "/tmp/perldbtty$$" with: "$ENV{HOME}/.perldbtty$$". or something similar, both in live code and in documentation. This is an important change because no users except for root have access to create or maintain a "/var/run/xxx" file at all, but all users have permissions to write hidden files to their own home directory.

* All other old patches and source-files are exactly the same (comparing to RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3, 2005), except for a couple of non-security fixes to the RHEL 3 Perl.

I will attach an updated perl-5.8.0-tempfile-5.8.3-backport.patch in the next comment that fixes the two issues noted above. Although everything else is fine, I cannot vote PUBLISH on this package without these or similar fixes in place.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDVX7Gxou1V/j9XZwRAm9PAKD1ux64AmU99H1wcqlCZoGKvikFWwCgo6ZE
gSohlCcPHwt7nYnp94WlMvU=
=3rP7
-----END PGP SIGNATURE-----

Created attachment 120146 [details]
Proposed updated OWL/solar tempfile patch for RH9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

221e6d1213f5f445bb8272368004526c5b3b380c perl-5.8.0-tempfile-5.8.3-backport.patch

Here is a proposed update to the perl-5.8.0-tempfile-5.8.3-backport.patch file which was included in perl-5.8.0-90.0.9.legacy.src.rpm from comment 3. This updated patch file fixes a couple of errors (see comment 21).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDVYEdxou1V/j9XZwRAkLuAKCDBVB2ZABGph7IuY7YD9ZUrOVHlgCeLR8W
wRgjAw6dnZqL2Jp5UWeHjg4=
=3y+2
-----END PGP SIGNATURE-----

$ cat {comment 22} | expand | unexpand | gpg --verify

to GPG validate.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated perl package to QA for RH9. It updates John Dalbec's RH9 perl-5.8.0-90.0.9.legacy.src.rpm source package.

http://www.fedoralegacy.org/contrib/perl/perl-5.8.0-90.0.10.legacy.src.rpm
0dac664e1c7ee89911a0aba52635481bd13ac9c5 perl-5.8.0-90.0.10.legacy.src.rpm

RH9 Changelog: (nb: I've munged email addresses here for spambots... Full email addy's are in srpm.)

* Sat Oct 22 2005 David Eisenstein <deisenst@...> 2:5.8.0-90.0.10.legacy
- - Update perl-5.8.0-tempfile-5.8.3-backport.patch to correct some errors.
- - Bugzilla #152845

* Thu Jul 14 2005 John Dalbec <jpdalbec@...> 2:5.8.0-90.0.9.legacy
- - integrate fixes for CAN-2004-0452 CAN-2005-0077 CAN-2005-0155 CAN-2005-0156 CAN-2005-0448 and a CGI.pm DoS.

* Thu Dec 9 2004 John Dalbec <jpdalbec@...> 2:5.8.0-89.0.9.legacy
- - integrate tmpfile patch from OWL/solar designer
- - add BuildRequires: glibc-devel gdbm-devel gpm-devel libjpeg-devel
  BuildRequires: libpng-devel libtiff-devel ncurses-devel popt
  BuildRequires: zlib-devel binutils e2fsprogs-devel pam
  BuildRequires: rpm-devel groff

Please test and comment. Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDXKhVxou1V/j9XZwRAq1dAJ9fyjjMXQ1g/9YrjtfGTTk0OSWLHACfd+wG
Z5FH763pI/bhHJr2u0HuQjs=
=pMsC
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC2 packages are available from http://www.fedoralegacy.org/contrib/perl/

sha1sums:
5afd74098e0cd7ac3f72791396f32bd25328e650 perl-5.8.3-19.2.legacy.i386.rpm
83d8db018eaab6c58922144773b32f2a7e775813 perl-5.8.3-19.2.legacy.src.rpm
98178e1f9b3ea035c7dd170cf6fa548e81ef0929 perl-suidperl-5.8.3-19.2.legacy.i386.rpm

The packages build successfully in mach.

changelog:
* Wed Nov 23 2005 John Dalbec <jpdalbec@...> 3:5.8.3-19.2.legacy
- - integrate tmpfile patch from OWL/solar designer
- - integrate fixes for CAN-2004-0452 CAN-2005-0155 CAN-2005-0156 and CAN-2005-0448.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDjFZDJL4A+ldA7asRAnMpAJ93i+uoKhfmVgIFS/jyNVjxnQLqQgCffzGK
iK85Mkx6Y7y6mTBDJw5Ojj4=
=yFAT
-----END PGP SIGNATURE-----

I've lost track a bit on whether new pkgs will be needed for FC1 and RHL73..?

In comment #15, Pekka, you stated that you can give the FC1 version a PUBLISH. If we don't need a gpg signature around it, then FC1 has your PUBLISH vote already. No new packages are needed, AFAICT.

A reckoning of votes needed so this can be officially built to be pushed to updates-testing:

* RH73 (John Dalbec's from comment #3) needs publish QA. The result of that QA will determine if the .src.rpm is okay or if it needs something to be fixed in it or its patches. (Sorry I didn't get around to doing QA on this awhile back!)

* RH9 (updated in comment #24) needs a publish QA, which I cannot do, since I submitted the .src.rpm. The update to the OWL/Solar tempfile patch I submitted in comment #22 is exclusively for the RH9 version of Perl for (small) errors I noted in comment #21's QA for RH9 Perl. (Please note all problems I found in comment #21 for RH9 were already fixed in the FC1 version of Perl.)

* FC1 (updated in comment #11) should be ready to go; it fixes all relevant CVE's and bugs, and Pekka voted to PUBLISH in comment #15. Yes?

* FC2 (John Dalbec's from comment #25) now needs publish QA.

My real question was, "has anyone analyzed whether pkgs in #11 and #3 fix the same issues as revised RHL9 and FC2 packages?" I guess someone should just dive in and take a look..

I took a look at RHL9, FC1 and FC2. They're all good, however, the PKGS line in RHL9 should IMHO not be changed, and this can be fixed at build time. RHL73 is also good, except for the tempfile backport patch. I didn't go through it completely. It seems most stuff that has been left out of RHL73 is on man pages, but I didn't verify. Could someone else check this?
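The rmtree fix that the QA comments above compare across distributions (the CAN-2005-0448 patch whose core change is the lstat dev/ino check quoted in the FC1 source QA, and the RHSA text explaining that a local user with write access to a subdirectory could otherwise have the deletion follow a substituted path) rests on one defensive pattern. The Perl below is an added illustration of that pattern, not File::Path's code and not any of the patches under review; safe_rmtree() and the sample tree it deletes are constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration of the defensive pattern behind the CAN-2005-0448 rmtree
# fix reviewed in this bug: never follow symlinks while deleting, and verify
# by device/inode that the directory entered with chdir() is the one that was
# just lstat()ed, so a directory swapped for a symlink between the two calls
# is detected instead of followed. Not File::Path's code nor any patch under
# review; safe_rmtree() and the sample tree are constructed here.
use strict;
use warnings;
use Carp qw(carp);
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Removes $path recursively. Returns the number of entries removed, or undef
# if a directory changed identity underneath us (a detected race).
sub safe_rmtree {
    my ($path) = @_;

    my @st = lstat $path;
    unless (@st) {
        carp "Can't stat $path ($!)";
        return 0;
    }
    my ($dev, $ino) = @st[0, 1];

    # Anything that is not a real directory, symlinks included, is unlinked
    # as a directory entry; a link's target is never touched.
    unless (-d _ && !-l _) {
        return unlink($path) ? 1 : 0;
    }

    my $cwd = getcwd();
    unless (chdir $path) {
        carp "Can't chdir to $path ($!)";
        return 0;
    }

    # The directory we are now in must be the one we lstat()ed a moment ago.
    my ($ndev, $nino) = stat '.';
    if (!defined $ndev || $ndev != $dev || $nino != $ino) {
        chdir $cwd;
        carp "$path changed between lstat and chdir; refusing to remove it";
        return;
    }

    my $dh;
    unless (opendir $dh, '.') {
        carp "Can't opendir $path ($!)";
        chdir $cwd;
        return 0;
    }
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;

    my $count = 0;
    for my $entry (@entries) {
        my $n = safe_rmtree($entry);
        unless (defined $n) {    # race detected deeper in the tree: stop
            chdir $cwd;
            return;
        }
        $count += $n;
    }

    chdir $cwd or die "Can't chdir back to $cwd: $!";
    unless (rmdir $path) {
        carp "Can't rmdir $path ($!)";
        return $count;
    }
    return $count + 1;
}

# Constructed sample tree: tree/ holds a subdirectory with a file and a
# symlink pointing outside the tree. The link must be removed, not followed.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/tree"     or die $!;
mkdir "$base/tree/sub" or die $!;
mkdir "$base/outside"  or die $!;
open my $fh, '>', "$base/tree/sub/file" or die $!;
close $fh;
open $fh, '>', "$base/outside/keep" or die $!;
close $fh;
symlink "$base/outside", "$base/tree/link" or die $!;

my $removed = safe_rmtree("$base/tree");
print "entries removed: ", (defined $removed ? $removed : 'none, race detected'), "\n";
print "tree still exists: ", (-e "$base/tree" ? 'yes' : 'no'), "\n";
print "outside/keep survived: ", (-e "$base/outside/keep" ? 'yes' : 'no'), "\n";
```

The two checks that matter are the `-l _` test, which keeps the link at tree/link from being descended into, and the comparison of the lstat() dev/ino pair against stat('.') after chdir(), which is the check the quoted `my ($dev, $ino) = lstat $path ...` line in the reviewed patch sets up; everything else is ordinary recursion. On the constructed tree the file, the subdirectory, the link and the top directory are removed while outside/keep is untouched.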
a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm 0dac664e1c7ee89911a0aba52635481bd13ac9c5 perl-5.8.0-90.0.10.legacy.src.rpm 4cc87b1cc3df776fd4b938ee4ef335a92f3e0c20 perl-5.8.3-17.3.legacy.src.rpm 83d8db018eaab6c58922144773b32f2a7e775813 perl-5.8.3-19.2.legacy.src.rpm Am looking into RHL73's perl-5.6.1 right now... a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Source QA for the Red Hat Linux 7.3 .src.rpm from comment 3. a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm downloaded from <www.fedoralegacy.org/contrib/perl>. * source tarball perl-5.6.1.tar.gz appears pristine. * old patches in this .src.rpm are exactly the same as was in the previously released perl-5.6.1. * the spec-file looks good. New Patches: Pekka's already gone through these pretty thoroughly. He notes in comment #29, "RHL73 is also good, except for the tempfile backport patch. I didn't go through it completely. It seems most stuff that has been left out of RHL73 is on man pages, but I didn't verify." The combination of the older patch1002 (perl-5.6.1-solartmp.patch) and John's patch1003 (perl-5.6.1-tempfile-5.8.3-backport.patch) yields approximately the same OWL/solardesigner patch for CVE-2004-0976 we've seen in the other distros, which includes stuff for the .pod/.man pages. The only differences occur in the necessary changes for the backport process: hunks that don't apply are appropriately removed, and some other hunks take small tweaks to apply. The tempfile patches look good enough and complete. (With a mild reservation; see footnote in comment #32.)** I went through all the new patches anyway. Only 2 of the 6 included new patches are applied: >* 1003) perl-5.6.1-tempfile-5.8.3-backport.patch - checked out, OK. >* 1007) perl-5.6.1-CAN-2005-0448-rmtree.patch - checked out, OK. 
The other 4 new patch files:

1004) perl-5.6.1-CAN-2004-0452-rmtree.patch - not used, superseded by CAN-2005-0448 rmtree patch.
1005) perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch - not used, patches a different .src.rpm, shouldn't be here.
1006) perl-5.6.1-CAN-2005-0155-0156-perlio.patch - not used, doesn't apply. Perl-5.6.1's perlio.c would not appear to be vulnerable to these issues, as there is no code for debugging in this much older .c file.
1008) perl-5.6.1-cgi.pm.patch - not used, doesn't apply.

These 4 inapplicable patch files could be removed from the spec-file. But, with the exception of patch1005, it might be good to at least mention them there in spec-file comments, so future maintainers may know that these patches were omitted on purpose.

In summary, everything looks ship-shape in these RHL 7.3 sources in perl-5.6.1-38.0.7.3.legacy.src.rpm.

PUBLISH++ RHL73's perl-5.6.1-38.0.7.3.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDm5I+xou1V/j9XZwRAsdWAJ9UM1OFrbf2kG54FiR6wNN2GZRdWgCg4TkB
UAsbAlXHEqZIAIHapiMjVmE=
=A89e
-----END PGP SIGNATURE-----

Thanks!

Created attachment 122107 [details]
Possible revised perl-5.6.1-solartmp.patch for RHL73

Footnotes to comment 31:
------------
** I have a minor nit with the old solartmp patch (perl-5.6.1-solartmp.patch) from Red Hat: the same nit I had for RH9's perl in comment 21 in point (2) of the tempfile-backport patch comments (which I fixed in RH9's and FC1's packages, to be like Debian's patch). The changes I would suggest would change lines 162, 171, and 202 of perl-5.6.1-solartmp.patch.

162c162
< +# uses the value of noTTY or "/var/run/perldbtty$$" to find TTY using
---
> +# uses the value of noTTY or "$HOME/.perldbtty$$" to find TTY using
171c171
< + my $rv = $ENV{PERLDB_NOTTY} || "/var/run/perldbtty$$";
---
> + my $rv = $ENV{PERLDB_NOTTY} || "$ENV{HOME}/.perldbtty$$";
202c202
< +startup, or C<"/var/run/perldbtty$$"> otherwise. This file is not
---
> +startup, or C<"~/.perldbtty$$"> otherwise. This file is not

But since everything else is fine, and Red Hat hadn't fixed this error in a recent patch it put into place for CVE-2004-0976 for FC4 (in perl-5.8.6-CAN-2004-0976.patch, <http://tinyurl.com/87kbv>, remaining in <http://tinyurl.com/bxeyj>), I think we can let this go, for the purposes of getting this package voted PUBLISH to move on. (I've submitted Bug # 175467 to Red Hat for the FC4 bug.)

Would anyone complain if a revised perl-5.6.1-solartmp.patch file (attached) were put in place at package build for updates-testing time? It would have the benefit of making the code pretty well match upstream perl-5.8.7.

No objection from me.

Solar Designer has accepted both Pekka's and my patches. See: <http://tinyurl.com/8a9ku> (CVS change log at cvsweb.openwall.com)

Am in the process of building these in mach for updates-testing....

Created attachment 122440 [details]
side-by-side diff listing of RH7.3 spec files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Like John Dalbec, I found on the FL build server that perl in RH7.3 has problems building in mach, because it tries to run RPM during the build. My workaround was to take John's suggested workaround from comment 3, building the file-lists by hand that the rpm query commands in the build process would have created, then placing those file lists as files in the .src.rpm as Source11 and Source12. RH7.3 Perl now builds in mach okay on the build server.

Any critique on this method of building Perl would be appreciated. Enclosed is a side-by-side difference listing of the previous perl.spec and the new perl.spec.

Also, if you'd like to take a look at the full .src.rpm with the new spec-file, it is available to look at:

4f3aa62b967726046884fe9f3f33783b2278b9aa perl-5.6.1-38.0.7.3.2.legacy.src.rpm
<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.src.rpm>

I said that it builds in mach okay. Well, it mostly does.
There is one error that is caught in the regression tests; that error does not cause the build to fail. It is this:

. . .
lib/safe3............FAILED at test 1
. . .
Failed 1 test script out of 254, 99.61% okay.

I am not sure what this error is about. Do any of you have any ideas? Could any of you who have a bona-fide RH7.3 environment (machine or vmware) try building the above .src.rpm and see if that error occurs when you build it?

In case it helps, the build log from mach on jane (FL's build-server) is also available:

c3a0a6500b3fdfc182574940dd9e71e55a1e1b0b perl-5.6.1-38.0.7.3.2.legacy.build.log
<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.build.log>.

Would appreciate any suggestions or thoughts. I am planning on going ahead and building RH9, FC1 and FC2 on the build server starting this evening. RH9 will, I think, require similar changes to build in mach as RH7.3 did.

Thanks! --David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDp6RTxou1V/j9XZwRAitUAKCWrbAVlkZ+3FYTGcBYUripRjwtxgCg9I0P
ZgYtuP2ZSWOnNZ9JU9xRHcI=
=MYJq
-----END PGP SIGNATURE-----

I don't get the error on RH7.3, but that could just mean that it's using the installed Perl version.

I note that safe3.t does not have execute permissions. Could that cause this problem?

It looks like BuildRequires: bison is missing.
@@ -551,8 +547,7 @@
 Checking the size of uid_t...
 Checking the sign of uid_t...
 Checking the format string to be used for uids...
-Which compiler compiler (byacc or yacc or bison -y) shall I use?
-[/usr/bin/byacc]
+Which compiler compiler (yacc) shall I use? [yacc]
 dbmclose() NOT found.
 <sys/file.h> found.
 We'll be including <sys/file.h>.

Make that BuildRequires: byacc. I didn't realize they were different packages.

OK, I've removed byacc and bison from my RHL 7.3 system and I still don't get a failure. (I guess it could be because I already installed the new Perl version.) If I can get Mach working I'll see if I can reproduce the error there. Otherwise, the only meaningful difference I see between the build logs is the kernel version.

Created attachment 122469 [details]
Differences between build logs
I rebuilt the SRPM you provided using Mach 0.4.7 (customized to set
LD_PRELOAD=/usr/lib/libselinux-mach.so in $buildroot/root/.profile and using a
local mach-libselinux package to install libselinux-mach.so in the buildroot)
in a RH7.3 buildroot on a FC3 host. I didn't get the safe3 error. I have
kernel.vdso = 0 in /etc/sysctl.conf on the host. The command I used was LANG=C
nohup mach -d -f -r rh73l rebuild perl*.src.rpm > build.log 2>&1 &. I compared
your "perl*.build.log" to the "rpm.log" file that was generated.
Okay. I've figured it out. The problem is the newness of mach to yours truly. Sorry 'bout that.

Instead of doing

$ mach -r rh73 rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm

yours truly needed to do

$ mach -r rh73u rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm

The first form on jane builds packages from the original os distribution RPMs. The second form builds packages from the most recently updated RPMs. Just now learned that. With that, the bug went away. safe3.t passes its test.

Oh, and I added BuildRequires: byacc, since perl builds seem to prefer it if it's available.

Your work and your comments were a great help, John. Thanks!

New vulnerability: CVE-2005-3962: "Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap, as demonstrated using format string vulnerabilities in Perl applications."

RedHat has issued RHSA-2005:881 (RHEL 3) and RHSA-2005:880 (RHEL 4) and also updates for FC3 and FC4 for this new issue. This is also mentioned in the FL thread starting at: <http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00010.html> and ending with <http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00065.html>.

RHL 9, FC1, FC2 are affected, but RH7.3 isn't by this new issue.

Do we (1) Open a new bugzilla for this issue? (2) Tackle this new issue here? I lean towards opening a new bug....

Created attachment 122692 [details]
Proposed text of Test Update Notification for this issue
Have built packages to be pushed to updates-testing. They yet
need to be signed.
Enclosed is a proposed text for the Test Update Notification when
these packages are signed and pushed to updates-testing. Please
let me know if you see any errors or omissions. Thanks. -David
Looks good.

Packages were pushed to updates-testing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9. Very light QA only. "Seems to work" and a couple of perl-intensive scripts "appear to continue to work OK" :). Signatures OK.

Someone can provide more intensive testing if they feel like it, but these updates should have gone out already a year ago so I'm not too picky...

+VERIFY RHL73, RHL9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDw2GzGHbTkzxSL7QRAs4AAJ456gJq1r7kXfpvXKpm+HO6UYBtsgCfYAGH
FqpI8JXGDkFghtdpQuKL7/o=
=+7Vm
-----END PGP SIGNATURE-----

Timeout over. Packages were released.

Am removing CAN-2005-0077 from the title of this bug ticket, as that issue was not handled in this bug, and a new Bugzilla ticket has been opened for this issue (Bug #178989).