--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hello
Please unblock package libconfig-model-perl
This new version fixes 2 security issues:
* add patch to remove 'use lib' (CVE-2017-0373)
* add patch to remove '.' in @INC emulation (CVE-2017-0374)
debian/rules was modified to add '.' in @INC so the tests don't fail.
You can find the 2 patches there in a format slightly more readable than the attached debdiff:
https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-use-lib?h=debian/2.097-2
https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-inc-dot-emulation?h=debian/2.097-2
Links to the CVEs:
https://security-tracker.debian.org/tracker/CVE-2017-0373
https://security-tracker.debian.org/tracker/CVE-2017-0374
Thanks
unblock libconfig-model-perl/2.097-2
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libconfig-model-perl-2.097/debian/changelog libconfig-model-perl-2.097/debian/changelog
--- libconfig-model-perl-2.097/debian/changelog 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/changelog 2017-05-14 18:20:55.000000000 +0200
@@ -1,3 +1,12 @@
+libconfig-model-perl (2.097-2) unstable; urgency=medium
+
+ * add patch to remove 'use lib' (CVE-2017-0373)
+ * add patch to remove '.' in @INC emulation (CVE-2017-0374)
+ * rules: add '.' in @INC for tests
+ * package for stretch release only
+
+ -- Dominique Dumont <dod@debian.org> Sun, 14 May 2017 18:20:55 +0200
+
libconfig-model-perl (2.097-1) unstable; urgency=medium
* New upstream version 2.097
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation
--- libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation 1970-01-01 01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation 2017-05-14 18:20:55.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Remove inc dot emulation
+ Using '.' in @INC while loading models and model snippts allows to
+ run arbitrary code by specially crafted models placed in the current
+ working directory (as an aftermath of the fixes for the removal of
+ '.' in @INC in perl).
+.
+ This patch removes the search in '.' and fixes the collateral
+ damage. Note that tests must be run with PERL5LIB=. variable so model
+ files can be searched in '.' only during tests.
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0374
+Author: Dominique Dumont <dod@debian.org>
+Origin: upstream
+Applied-Upstream: v2.102
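Review bot: the Description carries a typo and a grammar slip that every copy of this patch will inherit: "snippts" on its second line should be "snippets", and "allows to run arbitrary code" should read "allows arbitrary code to be run". The parenthetical "as an aftermath of the fixes for the removal of '.' in @INC in perl" is also easy to misread as blaming the perl fix for the hole; say plainly that the '.' emulation was added to compensate for perl dropping '.' from @INC and that the emulation itself is what lets a crafted model in the current directory be executed. The Applied-Upstream value "v2.102" is fine here, but the sibling patch remove-use-lib writes "v 2.102"; pick one form for both.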
+--- a/lib/Config/Model.pm
++++ b/lib/Config/Model.pm
+@@ -1198,7 +1198,7 @@
+ # look for additional model information
+ my %model_graft_by_name;
+ my %done; # avoid loading twice the same snippet (where system version may clobber dev version)
+- foreach my $inc (@INC,'.') {
++ foreach my $inc (@INC) {
+ foreach my $name ( keys %models_by_name ) {
+ my $snippet_path = $name;
+ $snippet_path =~ s/::/\//g;
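Review bot: dropping the literal '.' in `foreach my $inc (@INC)` closes only the implicit cwd lookup; a '.' that reaches @INC through PERL5LIB or -I is still honoured, which is exactly what the Description relies on for the test suite. Put a one-line comment above the loop saying that cwd is deliberately not searched and that @INC is trusted as given, so a later contributor does not "restore" the old list. Also note that @INC may contain non-string entries (code refs or objects); those stringify into a nonsense `$snippet_dir` and merely fail the `-d $snippet_dir` test below, which is harmless, but a `next if ref $inc;` at the top of the loop would make the intent explicit and skip the glob on them.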
+@@ -1206,6 +1206,13 @@
+ get_logger("Model::Loader")->trace("looking for snippet in $snippet_dir");
+ if ( -d $snippet_dir ) {
+ foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
++
++ # $snippet_file is constructed from @INC content
++ # (i.e. $inc). Since _load_model_in_hash uses 'do'
++ # (which searches in @INC), the file path passed
++ # to _load_model_in_hash must be relative to $inc.
++ $snippet_file = substr $snippet_file, length($inc) + 1;
++
+ my $done_key = $name . ':' . $snippet_file;
+ next if $done{$done_key};
+ get_logger("Model::Loader")->info("Found snippet $snippet_file");
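Review bot: the rewrite `$snippet_file = substr $snippet_file, length($inc) + 1;` assumes every path from `glob("$snippet_dir/*.pl")` starts with exactly `$inc` plus one separator, which holds because `$snippet_dir` is built as "$inc/$snippet_path" (an entry with a trailing slash yields a doubled '/' that the +1 still skips); `path($snippet_file)->relative($inc)` from Path::Tiny, which the package already uses in GenClassPod.pm, would say the same thing without the length arithmetic. A side effect worth stating in the new comment: `$done_key` is now built from the @INC-relative name, so the same snippet present under two @INC directories dedups to the first hit, which is what the "avoid loading twice the same snippet" comment above intends but which the previous absolute-path key could never have achieved; since `do` also resolves a relative path through @INC in order, the file actually loaded is the one that set the key.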
+@@ -1260,7 +1267,7 @@
+ get_logger("Model::Loader")->info("load model $load_file");
+
+ my $err_msg = '';
+- $load_file = "./$load_file" if $load_file !~ m!^/! and -e $load_file ;
++ # do searches @INC if the file path is not absolute
+ my $model = do $load_file;
+
+ unless ($model) {
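Review bot: the replacement comment "do searches @INC if the file path is not absolute" loses the point a reader needs most: the removed `$load_file = "./$load_file" ...` line was the cwd-load path behind CVE-2017-0374, because `do "./file"` bypasses @INC and reads from the current directory, whereas a bare relative name is resolved only through @INC (and no longer through cwd on a perl that has dropped '.' from @INC). Spell that out here. Since a model that used to resolve from cwd will now make `do` return undef, also make sure the `unless ($model)` branch below reports both `$@` and `$!` in `$err_msg`, so a model missing from @INC is distinguishable from a model file with a syntax error.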
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-use-lib libconfig-model-perl-2.097/debian/patches/remove-use-lib
--- libconfig-model-perl-2.097/debian/patches/remove-use-lib 1970-01-01 01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-use-lib 2017-05-14 18:20:55.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Remove use lib from GenClassPod.pm
+ genclasspod: remove use lib, not needed and causes a security hole when using cme on untrusted Debian package files
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0373
+Author: Dominique Dumont <dod@debian.org>
+Origin: upstream
+Applied-Upstream: v 2.102
+--- a/lib/Config/Model/Utils/GenClassPod.pm
++++ b/lib/Config/Model/Utils/GenClassPod.pm
+@@ -17,7 +17,6 @@
+ use parent qw(Exporter);
+ our @EXPORT = qw(gen_class_pod);
+
+-use lib qw/lib/;
+ use Path::Tiny ;
+ use Config::Model ; # to generate doc
+
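Review bot: `use lib qw/lib/;` is a compile-time prepend of the relative directory `lib` to @INC, so every process that loads GenClassPod.pm, not only the doc generator, would resolve the following `use Path::Tiny` and `use Config::Model` (and every later `require`) from `./lib` of whatever directory `cme` happens to run in; that is the hole the Description compresses into one line, and it deserves a sentence saying so, because "not needed" on its own reads like a cleanup rather than a security fix. Separately, `Applied-Upstream: v 2.102` has a stray space; the remove-inc-dot-emulation patch writes `v2.102`, so make the two consistent.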
diff -Nru libconfig-model-perl-2.097/debian/patches/series libconfig-model-perl-2.097/debian/patches/series
--- libconfig-model-perl-2.097/debian/patches/series 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/series 2017-05-14 18:20:55.000000000 +0200
@@ -1,2 +1,4 @@
#fix-cryptic-message
fix-debci
+remove-use-lib
+remove-inc-dot-emulation
diff -Nru libconfig-model-perl-2.097/debian/rules libconfig-model-perl-2.097/debian/rules
--- libconfig-model-perl-2.097/debian/rules 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/rules 2017-05-14 18:20:55.000000000 +0200
@@ -11,4 +11,4 @@
override_dh_auto_test:
mkdir -p $(BUILDHOME)
- HOME=$(BUILDHOME) dh_auto_test
+ PERL5LIB=. HOME=$(BUILDHOME) dh_auto_test
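Review bot: `PERL5LIB=. HOME=$(BUILDHOME) dh_auto_test` puts cwd back into @INC for the test run only, which is the narrow scope the patch Description asks for, but a bare assignment replaces any PERL5LIB the build environment already exports; if that matters, append instead of overriding, e.g. `PERL5LIB=.$${PERL5LIB:+:$$PERL5LIB}`. A short comment above the target pointing at remove-inc-dot-emulation would also stop the next maintainer from removing a `PERL5LIB=.` that looks like an accident.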
--- End Message ---