Debian Bug report logs -
#880458
libcatalyst-plugin-static-simple-perl: CVE-2017-16248: leaks files without extention, inadvertently
Reported by: Damyan Ivanov <dmn@debian.org>
Date: Tue, 31 Oct 2017 19:45:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version libcatalyst-plugin-static-simple-perl/0.31-1
Fixed in version libcatalyst-plugin-static-simple-perl/0.34-1
Done: Damyan Ivanov <dmn@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=120558
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#880458; Package libcatalyst-plugin-static-simple-perl.
(Tue, 31 Oct 2017 19:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Damyan Ivanov <dmn@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Tue, 31 Oct 2017 19:45:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libcatalyst-plugin-static-simple-perl
Version: 0.31
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=120558
From upstream changelog for version 0.34:
Fix security vulnerability, when serving static files with dots in
the names (RT#120558)
Catalyst::Plugin::Static::Simple is a plugin for Catalyst, a web
framework in Perl. Its purpose is to serve static files, and it is
supposed to only serve files with extensions (from which it determines
the content type).
Due to the bug, however, any file under a directory whose name contains a
dot could be served.
the upstream fix is as follows:
--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -64,7 +64,7 @@ before prepare_action => sub {
}
# Does the path have an extension?
- if ( $path =~ /.*\.(\S{1,})$/xms ) {
+ if ( $path =~ /\.([^\/\\]+)$/m ) {
# and does it exist?
$c->_locate_static_file( $path );
}
That is, instead of matching one or more non-space characters between a
dot (including "/") and the end of the path, match one or more characters
different from "/" and "\" between a dot and the end of the path.
Cheers,
dam
No longer marked as found in versions 0.31.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 31 Oct 2017 20:27:08 GMT) (full text, mbox, link).
Marked as found in versions libcatalyst-plugin-static-simple-perl/0.31-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 31 Oct 2017 20:27:08 GMT) (full text, mbox, link).
Reply sent
to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility.
(Tue, 31 Oct 2017 21:09:06 GMT) (full text, mbox, link).
Notification sent
to Damyan Ivanov <dmn@debian.org>:
Bug acknowledged by developer.
(Tue, 31 Oct 2017 21:09:06 GMT) (full text, mbox, link).
Message #14 received at 880458-close@bugs.debian.org (full text, mbox, reply):
Source: libcatalyst-plugin-static-simple-perl
Source-Version: 0.34-1
We believe that the bug you reported is fixed in the latest version of
libcatalyst-plugin-static-simple-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 880458@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libcatalyst-plugin-static-simple-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 31 Oct 2017 19:47:04 +0000
Source: libcatalyst-plugin-static-simple-perl
Binary: libcatalyst-plugin-static-simple-perl
Architecture: source
Version: 0.34-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Closes: 880458
Description:
libcatalyst-plugin-static-simple-perl - Catalyst plugin for easy serving of static pages
Changes:
libcatalyst-plugin-static-simple-perl (0.34-1) unstable; urgency=medium
.
* New upstream version 0.34
+ Closes: #880458 -- serves files without extension, inadvertently
* declare conformance with Policy 4.1.1 (no changes needed)
Checksums-Sha1:
4feb4d82a109a60a9fb5e66f99399afc62fadad0 2431 libcatalyst-plugin-static-simple-perl_0.34-1.dsc
b28bcd22bedc39f4b8dfa8d5ed7ac8a171a0e612 44596 libcatalyst-plugin-static-simple-perl_0.34.orig.tar.gz
0598f81bc279f4e993f57b8e575458f113e593cc 2632 libcatalyst-plugin-static-simple-perl_0.34-1.debian.tar.xz
Checksums-Sha256:
7ea4955a6b02d845a1c3374d4cee8031fc8773ab2e8fa3c67f3818f2d92b0125 2431 libcatalyst-plugin-static-simple-perl_0.34-1.dsc
daa62270c1d6cbd4e17dcbfdeebf77ec027ebe5e86035f5b3e0ac741721fddf2 44596 libcatalyst-plugin-static-simple-perl_0.34.orig.tar.gz
61e355ede5a2cc64bf751eb7f86cf16acb0a82c3fb203753fc3e427551b5ac40 2632 libcatalyst-plugin-static-simple-perl_0.34-1.debian.tar.xz
Files:
99dccbddb38dbe77bcf1c955d211786f 2431 perl optional libcatalyst-plugin-static-simple-perl_0.34-1.dsc
1bd8cd814bb81dcb5335d4bcfa617a30 44596 perl optional libcatalyst-plugin-static-simple-perl_0.34.orig.tar.gz
e28c21b43032450e09e9cd7ce1db0d81 2632 perl optional libcatalyst-plugin-static-simple-perl_0.34-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErqDETssFbpNjDZ0z276dTZnSoAQFAln403EACgkQ276dTZnS
oAT9SA//SmCtL6ZAIUHFSKzUljRa4CNhTJiTo927bK51MFj2dphM8XRzvZa47LSN
3bF7mrwCPnnjnN09LBp2uR15God/h43Iq5yxK2ZcfrbJwFMFqj345V1D9G/MyRqb
sqh/mdA2I6HhszLvgBnprWZ33LI3+stK3Oafpp2DYCaq1oz23lLSAMhFAW5NXRct
zPBF1/JMPmGpN4RZd+c+90oA6E+sqGhKzIYfGiOFEK2e+ZUN6mJFXhcpBfKo7Kbo
Jyp9+bd4r+xht7iNMZJg1nADR6GnX9bi80LFdNatqza16Hqvs2DGhbqpJGoY2YWx
XJLxVg4E0014gvqVsYetMnxSdSnrrghwMjk7eC/Td9z+lFm7ebO5RB5QErH1PA9l
mSbXSC5OPoOQAHnQsnbcyW3nh7VnoBASLvhn7HtjBbQYCJ31zj8Pqu1HkZTYysPV
jHpkQ9NG3jFTEj9kxw8nPlS8FgWjMcO7eidSTn/IIMOTmy14YJeKpkS2ubjNqWyB
nsvfNqIEqcVGZSkxW65md4XjzZ0kczTUTm7TG778/5UvFXF6TUt0jCEXF9BHeo4M
V1Hykox5OUsbDDb0O4wZyiu1JdN3XMUIRELre8d3An2eAqHQ8H5wEzZPgK1O/R2B
G3MFs2dQk/bXKShhpb/Iw++pUqvlrBW+PsptchEi+K2Gg+tpfW8=
=C4Q+
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#880458; Package libcatalyst-plugin-static-simple-perl.
(Wed, 01 Nov 2017 05:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Wed, 01 Nov 2017 05:39:04 GMT) (full text, mbox, link).
Message #19 received at 880458@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 libcatalyst-plugin-static-simple-perl: CVE-2017-16248: leaks files without extention, inadvertently
Hi
This issues has been assigned CVE-2017-16248.
Regards,
Salvatore
Changed Bug title to 'libcatalyst-plugin-static-simple-perl: CVE-2017-16248: leaks files without extention, inadvertently' from 'libcatalyst-plugin-static-simple-perl: leaks files without extention, inadvertently'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 880458-submit@bugs.debian.org.
(Wed, 01 Nov 2017 05:39:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 04 Dec 2017 07:28:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:36:56 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon