Debian Bug report logs - #582978
perl: safe.pm code injection vulnerability

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl (PTS, buildd, popcon).

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 25 May 2010 04:39:02 UTC

Severity: serious

Tags: security

Merged with 582806

Found in version perl/5.10.1-12

Fixed in versions perl/5.10.1-13, perl/5.12.0-1

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#582978; Package perl. (Tue, 25 May 2010 04:39:05 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 25 May 2010 04:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: perl: safe.pm code injection vulnerability
Date: Mon, 24 May 2010 20:36:39 -0400
Package: perl
Version: 5.10.1-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for perl.

CVE-2010-1974[0]:
| Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
| before 2.25 for Perl allow context-dependent attackers to inject and
| execute arbitrary code via vectors related to "automagic methods."
| NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

The current version of perl in unstable has safe.pm 2.18, so that just
needs to be updated to version 2.25.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1974
    http://security-tracker.debian.org/tracker/CVE-2010-1974




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#582978; Package perl. (Tue, 25 May 2010 19:57:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Tue, 25 May 2010 19:57:03 GMT)


Message #10 received at 582978@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 582978@bugs.debian.org
Subject: Re: Bug#582978: perl: safe.pm code injection vulnerability
Date: Tue, 25 May 2010 22:53:56 +0300
forcemerge 582978 582806
thanks

On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security

I'm not totally convinced about the severity but let's leave it at
'serious' for now.
 
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
> 
> CVE-2010-1974[0]:
> | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to "automagic methods."
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

> The current version of perl in unstable has safe.pm 2.18, so that just
> needs to be updated to version 2.25.

If this is indeed considered 'serious', we need targeted fixes for a
stable update as well. I'm rather concerned about possible regressions.

I'm currently trying to come up with some test cases so that I could
understand the risks better. Help would be welcome. I wasn't particularly
well acquainted with Safe before this.

Upstream is now at 2.27, which has further related changes and was also
bundled with Perl 5.12.1. However, it causes regressions in (at least)
libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
two regressions don't happen with 2.25. 

PostgreSQL has in the past used Safe.pm for its PL/perl extension, but
recently moved away from it, apparently due to CVE-2010-1169. Quoting
HISTORY in postgresql-8.4 (8.4.4-1):

 Recent developments have convinced us that "Safe.pm" is too insecure
 to rely on for making plperl trustable.

FWIW, there seems to be a general agreement that Safe.pm is a "failed
experiment".

 http://www.nntp.perl.org/group/perl.perl5.porters/2010/03/msg158034.html
 http://www.nntp.perl.org/group/perl.perl5.porters/2010/04/msg159471.html

-- 
Niko Tyni   ntyni@debian.org




Forcibly Merged 582806 582978. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Tue, 25 May 2010 19:57:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#582978; Package perl. (Fri, 28 May 2010 09:30:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 28 May 2010 09:30:03 GMT)


Message #17 received at 582978@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 582978@bugs.debian.org
Subject: Re: Bug#582978: perl: safe.pm code injection vulnerability
Date: Fri, 28 May 2010 12:26:35 +0300
On Tue, May 25, 2010 at 10:53:56PM +0300, Niko Tyni wrote:
> > CVE-2010-1974[0]:
> > | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> > | before 2.25 for Perl allow context-dependent attackers to inject and
> > | execute arbitrary code via vectors related to "automagic methods."
> > | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
> 
> > The current version of perl in unstable has safe.pm 2.18, so that just
> > needs to be updated to version 2.25.
> 
> If this is indeed considered 'serious', we need targeted fixes for a
> stable update as well. I'm rather concerned about possible regressions.
> 
> I'm currently trying to come up with some test cases so that I could
> understand the risks better. Help would be welcome. I wasn't particularly
> well acquaintanced with Safe before this.

While I haven't had the time for this (and won't have before the next
week), I think the right thing to do here is indeed to update the sid
version to 2.25 (but not 2.27, which is a more intrusive change) as
upstream clearly recommends that in

 http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html

I'm still a bit worried about regressions, so I'm not going to do this
in a separate urgency bumped upload, but rather include it with other
accumulated bug fixes.

I'm deliberately ignoring stable for the moment until I find the time
to delve into this properly.
-- 
Niko Tyni   ntyni@debian.org




Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Sun, 30 May 2010 22:03:29 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 30 May 2010 22:03:29 GMT)


Message #22 received at 582978-close@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 582978-close@bugs.debian.org
Subject: Bug#582978: fixed in perl 5.10.1-13
Date: Sun, 30 May 2010 22:02:07 +0000
Source: perl
Source-Version: 5.10.1-13

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-13_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-13_all.deb
libperl-dev_5.10.1-13_amd64.deb
  to main/p/perl/libperl-dev_5.10.1-13_amd64.deb
libperl5.10_5.10.1-13_amd64.deb
  to main/p/perl/libperl5.10_5.10.1-13_amd64.deb
perl-base_5.10.1-13_amd64.deb
  to main/p/perl/perl-base_5.10.1-13_amd64.deb
perl-debug_5.10.1-13_amd64.deb
  to main/p/perl/perl-debug_5.10.1-13_amd64.deb
perl-doc_5.10.1-13_all.deb
  to main/p/perl/perl-doc_5.10.1-13_all.deb
perl-modules_5.10.1-13_all.deb
  to main/p/perl/perl-modules_5.10.1-13_all.deb
perl-suid_5.10.1-13_amd64.deb
  to main/p/perl/perl-suid_5.10.1-13_amd64.deb
perl_5.10.1-13.debian.tar.gz
  to main/p/perl/perl_5.10.1-13.debian.tar.gz
perl_5.10.1-13.dsc
  to main/p/perl/perl_5.10.1-13.dsc
perl_5.10.1-13_amd64.deb
  to main/p/perl/perl_5.10.1-13_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 582978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 May 2010 11:09:48 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.1-13
Distribution: unstable
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 289884 578577 579537 582978
Changes: 
 perl (5.10.1-13) unstable; urgency=low
 .
   * [SECURITY] CVE-2010-1974: Update to Safe-2.25, fixing code injection
     and execution vulnerabilities. (Closes: #582978)
   * Add conflicts/replaces/provides for the new libswitch-perl,
     libclass-isa-perl, and libpod-plainer-perl packages. (See #580034)
   * Fix a tell() crash on bad arguments. (Closes: #578577)
   * Fix a format/write crash. (Closes: #579537)
   * Prevent gcc from optimizing the u32align check away, finally fixing
     MD5 on armel. Thanks to Marc Pignat. (Closes: #289884)
   * Fix a test failure in CGI/t/fast.t when FCGI is available.
Checksums-Sha1: 
 af6ee28791c7d35fcd158bc95d0672df80622323 1388 perl_5.10.1-13.dsc
 df50c8f7c39a36d0878b894ddbc5dd6f319e6cd5 106766 perl_5.10.1-13.debian.tar.gz
 e152312561afddeda98df8a6416c40a9f9ddee9f 52400 libcgi-fast-perl_5.10.1-13_all.deb
 7eb07d95da60f1e4a1fc5f4ff37cccfb30f1fb91 7187676 perl-doc_5.10.1-13_all.deb
 2c5788cab2bd1913e14f08fc9f3910d77b44ec53 3480936 perl-modules_5.10.1-13_all.deb
 8d9994652ae3f1b384bf4aaed4d1fd2d931ff1c1 1064366 perl-base_5.10.1-13_amd64.deb
 f11bf8a4ccdaf1340fe2ff7bfc75d139ed6ce8f4 5834888 perl-debug_5.10.1-13_amd64.deb
 146eba17e3b3cd4f1061b33b77916d30df1134f0 34644 perl-suid_5.10.1-13_amd64.deb
 5286364f4a7a58216f90f64ca134f03e946d809f 1152 libperl5.10_5.10.1-13_amd64.deb
 dd854fe3c02d0d6cd5872f3eafbf255e9882f09e 2560924 libperl-dev_5.10.1-13_amd64.deb
 cd57eb123069f4c22f2b0505d9935961d55a4366 4460768 perl_5.10.1-13_amd64.deb
Checksums-Sha256: 
 de2e030eaba12e235b7f748d638d592af3d90c887b1e1b63241312986fa3091f 1388 perl_5.10.1-13.dsc
 c931b48f4f59db60941789d8e1867e43215aa6a7b5d3b74244536ad3b3e796f5 106766 perl_5.10.1-13.debian.tar.gz
 c56e1f0b6398066ea0ed83da3d0070cde463d18e35fd58cefa9865fd3b0b3282 52400 libcgi-fast-perl_5.10.1-13_all.deb
 7fd774e6df3ec0fff4ebcb4c41d6f087b6405d4393228204c6c99481b7b9a2b7 7187676 perl-doc_5.10.1-13_all.deb
 dd5c0062836a53acaad3556f60a00c209157803d10fe5857073d8bb946c48bd0 3480936 perl-modules_5.10.1-13_all.deb
 14cd03d68489b28c73f0256908ddf55d254912ab1774c5ccf388727f345a905c 1064366 perl-base_5.10.1-13_amd64.deb
 a2aae4a8d663ec7cd6ae0454400237c8bdb92ae75827bd40925f9be3d317cfa4 5834888 perl-debug_5.10.1-13_amd64.deb
 c5f6883c0673fe85465fe36f02eea589aee6759ae3db1de42b42492f85bd36a5 34644 perl-suid_5.10.1-13_amd64.deb
 54b30c9016a23150115b6cc49a06f014b1dcdd680bd09a76b9b234d4aa2d2301 1152 libperl5.10_5.10.1-13_amd64.deb
 e9a761b602cb309745bd6986d32d64443cd96941b76f044d50c299e334ac7867 2560924 libperl-dev_5.10.1-13_amd64.deb
 848488507bf3ddbfba934be314b54f5dac4b2c9b7503c84c31aaa6c42df0563e 4460768 perl_5.10.1-13_amd64.deb
Files: 
 ba4a4f7fd8546f581135dd705dc2812a 1388 perl standard perl_5.10.1-13.dsc
 c600f2eb3701213fc7139daa9f4c8444 106766 perl standard perl_5.10.1-13.debian.tar.gz
 a966835e21a92568b16c63027e8d29b9 52400 perl optional libcgi-fast-perl_5.10.1-13_all.deb
 6e4eeaddc89a01f37541d7c82071a211 7187676 doc optional perl-doc_5.10.1-13_all.deb
 3ea37b5cbacf1b6409cd96140c85d530 3480936 perl standard perl-modules_5.10.1-13_all.deb
 98056788e2a3cc4a7d4e0ebcf6d786b1 1064366 perl required perl-base_5.10.1-13_amd64.deb
 22634c4139eb93c235f696783c153f8a 5834888 debug extra perl-debug_5.10.1-13_amd64.deb
 efd1fa0368f796cf74829b129b38da40 34644 perl optional perl-suid_5.10.1-13_amd64.deb
 9c0ac214caedf6e262209367454ec26c 1152 libs optional libperl5.10_5.10.1-13_amd64.deb
 126d61c96d443cf7f92040f14fed3a74 2560924 libdevel optional libperl-dev_5.10.1-13_amd64.deb
 073554354b585544168302ece7598a6f 4460768 perl standard perl_5.10.1-13_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwC04gACgkQiyizGWoHLTmtpACgjeKg81KuNiP3vfE6+Eccw0eL
4j8An1of7azrWWS6F5vFnGzvLnr+zQC/
=M9ul
-----END PGP SIGNATURE-----





Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Sun, 30 May 2010 22:03:30 GMT)


Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Sun, 30 May 2010 22:03:30 GMT)


Bug Marked as fixed in versions perl/5.12.0-1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 31 May 2010 06:39:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Aug 2010 07:33:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:41:17 2019; Machine Name: buxtehude
