Bug 1128979 - perl-Plack: trailing slashes removed leading to source code disclosure [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Plack
Version: 20
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ralf Corsepius
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: fst_owner=Sparks
Depends On:
Blocks: CVE-2014-5269
 
Reported: 2014-08-12 02:44 UTC by Murray McAllister
Modified: 2015-01-04 22:41 UTC (History)
CC: 5 users

Fixed In Version: perl-Plack-1.0031-1.fc20
Clone Of:
Environment:
Last Closed: 2014-08-28 15:30:33 UTC
Type: ---
Embargoed:



Description Murray McAllister 2014-08-12 02:44:57 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next
comment(s).  This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.

NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time.  If you need to fix the versions independent of each other,
you may clone this bug as appropriate.

[bug automatically created by: add-tracking-bugs]

Comment 1 Murray McAllister 2014-08-12 02:45:05 UTC
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug.  This will ensure that all associated bugs get updated
when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1128978,1128979

# Description of your update
notes=Security fix for 

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi update submission link instead:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1128978,1128979

Comment 2 Ralf Corsepius 2014-08-12 03:08:01 UTC
Oh boy, yet more bureaucracy!

Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old (not worth mentioning epel7, which IMO is unmaintainable).

So, instead of molesting maintainers with bureaucratic forms, better help out pushing these package builds, ASAP, such that perl-Plack-1.0031 can be submitted:

https://admin.fedoraproject.org/updates/FEDORA-2014-9291/perl-File-ShareDir-Install-0.08-2.fc19

https://admin.fedoraproject.org/updates/FEDORA-2014-9317/perl-File-ShareDir-Install-0.08-2.fc20

Comment 3 Murray McAllister 2014-08-12 03:22:43 UTC
Thanks for pointing out that problem.

Eric, can your Fedora Security Team people look into the above problem?

Comment 4 Eric Christensen 2014-08-12 13:35:41 UTC
(In reply to Ralf Corsepius from comment #2)
> Oh boy, yet more bureaucracy!

I'm not sure what bureaucracy you are speaking of as this has been standard procedure for years.

> Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update
> f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old
> (not worth mentioning epel7, which IMO is unmaintainable).

So you need the below mentioned updates for your Plack update?  It looks like they were just recently pushed to testing and adding karma will be the way to get them out the door sooner.

> So, instead of molesting maintainers with bureaucratic forms, better help
> out pushing these package builds, ASAP, such that perl-Plack-1.0031 can be
> submitted:

There is no molestation occurring here.  If these packages are needed for your update then by all means test them against your package and provide karma.  It's what we packagers do.

> https://admin.fedoraproject.org/updates/FEDORA-2014-9291/perl-File-ShareDir-
> Install-0.08-2.fc19
> 
> https://admin.fedoraproject.org/updates/FEDORA-2014-9317/perl-File-ShareDir-
> Install-0.08-2.fc20

Comment 5 Ralf Corsepius 2014-08-12 14:10:59 UTC
(In reply to Eric Christensen from comment #4)
> (In reply to Ralf Corsepius from comment #2)
> > Oh boy, yet more bureaucracy!
> 
> I'm not sure what bureaucracy you are speaking of as this has been standard
> procedure for years.

Right - And I have been repeatedly complaining about this bureaucracy for years. Unfortunately nothing has improved. Openly said, I feel Fedora's bureaucracy is ballooning and has never been bigger.

> > Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update
> > f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old
> > (not worth mentioning epel7, which IMO is unmaintainable).
> 
> So you need the below mentioned updates for your Plack update?
Exactly. 

Like many other perl modules, Plack has a long dependency chain, which needs to be kept quite close to "current", otherwise quick responses to bugs aren't possible. This time, perl-File-ShareDir in fc19 and fc20 weren't new enough.

>  It looks
> like they were just recently pushed to testing to testing and adding karma
> will be the way to get them out the door sooner.
*I* submitted them a couple of days ago and they are in Fedora's (7 day) release _delay_ queue.

[BTW: In recent times, the 7 days quite often prove to be 10-14 days.
e.g. https://admin.fedoraproject.org/updates/FEDORA-2014-9066/perl-Mail-GnuPG-0.20-1.fc20]

> > So, instead of molesting maintainers with bureaucratic forms, better help
> > out pushing these package builds, ASAP, such that perl-Plack-1.0031 can be
> > submitted:
> 
> There is no molestation occurring here.
C'mon, stop cheating.

No molestation would equal no additional effort and completely ignoring you. Distribution-wise, it would not change anything.

Do you want me to do this or are you insisting on me reading your mails, closing the BZ and filling in your form?

Do you notice something? No molestation is different.

>  If these packages are needed for
> your update then by all means test them against your package and provide
> karma.  It's what we packagers do.
Another self-cheat. Just have a look at how many updates I have pushed (I guess 1000s). Hardly any of them has received karma. This karma stuff is non-functional nonsense.

Comment 6 Emmanuel Seyman 2014-08-12 14:47:37 UTC
(In reply to Ralf Corsepius from comment #5)
>
> Like many other perl modules, Plack has a long dependency chain, which needs
> to be kept quite close to "current", otherwise quick responses to bugs
> aren't possible.

Given that the patch that fixes the security is a one-liner, I think this is a difficulty you're imposing on yourself more than it is a hard requirement.

Comment 7 Ralf Corsepius 2014-08-13 07:59:03 UTC
(In reply to Emmanuel Seyman from comment #6)
> (In reply to Ralf Corsepius from comment #5)
> >
> > Like many other perl modules, Plack has a long dependency chain, which needs
> > to be kept quite close to "current", otherwise quick responses to bugs
> > aren't possible.
> 
> Given that the patch that fixes the security is a one-liner, I think this is
> a difficulty you're imposing on yourself more than it is a hard requirement.

No, it's an upstream requirement. Plack-1.0031 requires perl(File::ShareDir::Install) >= 0.06

This requirement is fulfilled on EPEL7, fc21 and f22, while the versions in fc19 and fc20 are *outdated*.

Comment 8 Emmanuel Seyman 2014-08-13 09:57:18 UTC
(In reply to Ralf Corsepius from comment #7)
>
> No, it's an upstream requirement. Plack-1.0031 requires
> perl(File::ShareDir::Install) >= 0.06

Fixing this bug does not require updating perl-Plack to 1.0031. You can stay on 1.0030 and apply the patch that fixes the vulnerability.

Comment 9 Ralf Corsepius 2014-08-13 13:57:51 UTC
(In reply to Emmanuel Seyman from comment #8)
> (In reply to Ralf Corsepius from comment #7)
> >
> > No, it's an upstream requirement. Plack-1.0031 requires
> > perl(File::ShareDir::Install) >= 0.06
> 
> Fixing this bug does not require updating perl-Plack to 1.0031. You can stay
> on 1.0030 and apply the patch that fixes the vulnerability.

Why should I? Just to push an update, which would be obsoleted at the time it is released? 

Let's take this thread to an end. I'll further on disregard it and further CVEs.

Comment 10 Eric Christensen 2014-08-13 15:09:33 UTC
(In reply to Ralf Corsepius from comment #9)
> Let's take this thread to an end. I'll further on disregard it and further
> CVEs.

That's fine.  Depending on the severity of the CVE your package may be patched for you or retired from the repositories.

Comment 11 Ralf Corsepius 2014-08-13 16:17:46 UTC
(In reply to Eric Christensen from comment #10)
> (In reply to Ralf Corsepius from comment #9)
> > Let's take this thread to an end. I'll further on disregard it and further
> > CVEs.
> 
> That's fine.  Depending on the severity of the CVE your package may be
> patched for you or retired from the repositories.

You still haven't got it: The update is on its way. I am simply not playing it nice to your bureaucratic games, which is an utter waste of time.

Comment 12 Eric Christensen 2014-08-13 17:59:27 UTC
(In reply to Ralf Corsepius from comment #11)
> (In reply to Eric Christensen from comment #10)
> > (In reply to Ralf Corsepius from comment #9)
> > > Let's take this thread to an end. I'll further on disregard it and further
> > > CVEs.
> > 
> > That's fine.  Depending on the severity of the CVE your package may be
> > patched for you or retired from the repositories.
> 
> You still haven't got it: The update is on its way. I am simply not playing
> it nice to your bureaucratic games, which is an utter waste of time.

Okay, I'm not sure what you are calling "bureaucratic games".  If it's just too difficult to add the bug numbers that are fixed in bodhi then... I guess I have no words for you to make you feel better about all this bureaucracy.  The nerve of someone asking you to enter a couple of numbers into a form you already have to fill out is beyond me.

Comment 13 Fedora Update System 2014-08-18 03:02:32 UTC
perl-Plack-1.0031-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/perl-Plack-1.0031-1.fc20

Comment 14 Fedora Update System 2014-08-18 03:02:39 UTC
perl-Plack-1.0031-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/perl-Plack-1.0031-1.fc19

Comment 15 Fedora Update System 2014-08-19 07:06:04 UTC
Package perl-Plack-1.0031-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-Plack-1.0031-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9542/perl-Plack-1.0031-1.fc20
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2014-08-28 15:30:33 UTC
perl-Plack-1.0031-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2014-08-28 15:33:48 UTC
perl-Plack-1.0031-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

