Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
We would like to update libplack-perl in wheezy to fix CVE-2014-5269 there.

The bug is fixed in unstable and testing with the 1.0031-1 upload from August, and with 0.9941-1+deb6u1 in squeeze-lts recently.

0.9989-1+deb7u1 contains one cherry-picked upstream commit as a quilt patch, which effectively changes one line (or more precisely: one regexp) in the code. The patch also adds a test, and has a rather long upstream commit message :)

Changelog:

libplack-perl (0.9989-1+deb7u1) UNRELEASED; urgency=medium

  * Include bc1731d from 1.0031 release to fix CVE-2014-5269.
    Plack::App::File would previously strip trailing slashes off provided
    paths. This could under specific circumstances lead to the unintended
    delivery of files. For details see the pull request message preserved
    in debian/patches/01-fix-CVE-2014-5269.patch.

 -- gregor herrmann <gre...@debian.org>  Wed, 08 Oct 2014 23:01:55 +0200

Full git-diff attached.

Cheers,
gregor
diff --git a/debian/changelog b/debian/changelog index 50c7e9d..f485708 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +libplack-perl (0.9989-1+deb7u1) UNRELEASED; urgency=medium + + * Include bc1731d from 1.0031 release to fix CVE-2014-5269. + Plack::App::File would previously strip trailing slashes off provided + paths. This could under specific circumstances lead to the unintended + delivery of files. For details see the pull request message preserved + in debian/patches/01-fix-CVE-2014-5269.patch. + + -- gregor herrmann <gre...@debian.org> Wed, 08 Oct 2014 23:01:55 +0200 + libplack-perl (0.9989-1) unstable; urgency=low * New upstream release diff --git a/debian/patches/01-fix-CVE-2014-5269.patch b/debian/patches/01-fix-CVE-2014-5269.patch new file mode 100644 index 0000000..9209e8b --- /dev/null +++ b/debian/patches/01-fix-CVE-2014-5269.patch 
@@ -0,0 +1,130 @@ +From b46ccc15188d979eb062582d53de68a7a9ddeab2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= + <ava...@gmail.com> +Date: Fri, 7 Feb 2014 10:13:45 +0000 +Subject: [PATCH] Plack::App::File: Fix a security issue by not pruning + trailing slashes + +Before this Plack::App::File would prune trailing slashes via its split +invocation. I.e. it would think this: + + $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt + $VAR1 = [ + 'a', + 'file.txt' + ]; + +Was the same as: + + $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt/// + $VAR1 = [ + 'a', + 'file.txt' + ]; + +This can. turn into a nasty code exposure issue if you e.g. have an app +that basically does this: + + 1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file + 2. If so, do magic to generate text file via perl + 3. Else it's not a /.txt.pl\z/ file, so it must be some other static + file with a different extension + 4. Serve it up with Plack::Middleware::Static + +This is also not how other webservers or Unix utilities work: + + $ touch /tmp/foo.txt + $ file /tmp/foo.txt + /tmp/foo.txt: empty + $ file /tmp/foo.txt/ + /tmp/foo.txt/: ERROR: cannot open `/tmp/foo.txt/' (Not a directory) + +This resolves issue #405 that I filed around 9 months ago. I was +previously working around it in my own code by doing: + + { + # Let's see if someone's trying to be evil by + # requesting e.g. /index.html/ instead of + # /index.html. We don't want to fall through + # and just serve up the raw content. + my $plack_app_file = Plack::App::File->new({ root => PLACK_WEBSERVER_DOCUMENT_ROOT() }); + my ($file) = $plack_app_file->locate_file($env); + if ( + # We'll get a reference if it's a full + # Plack response. I.e. a 404 or whatever. 
+ ref $file ne 'ARRAY' + and + # WTF once we canonicalize the file and it + # looks like a Mason handled path let's + # not accept it, because we don't want to + # serve up the raw unprocessed Mason page + # via this hack. + $file =~ $mason_handles_this_path_rx + ) { + TELL "Middleware::Static: Path <$path> request, doesn't match <$mason_handles_this_path_rx>, but actually resolves to it via resolved file <$file>" if DEBUG; + # Tells our app to just serve up a + # 400. Apache would do a 404 but I think + # these requests are bad, so say so. + $env->{$magic_marker_to_return_400} = 1; + return; + } + } + +--- + lib/Plack/App/File.pm | 2 +- + t/Plack-Middleware/file.t | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/lib/Plack/App/File.pm b/lib/Plack/App/File.pm +index b437237..f524351 100644 +--- a/lib/Plack/App/File.pm ++++ b/lib/Plack/App/File.pm +@@ -44,7 +44,7 @@ sub locate_file { + } + + my $docroot = $self->root || "."; +- my @path = split '/', $path; ++ my @path = split /[\\\/]/, $path, -1; # -1 *MUST* be here to avoid security issues! 
+ if (@path) { + shift @path if $path[0] eq ''; + } else { +diff --git a/t/Plack-Middleware/file.t b/t/Plack-Middleware/file.t +index 41753fa..0f2ec0b 100644 +--- a/t/Plack-Middleware/file.t ++++ b/t/Plack-Middleware/file.t +@@ -3,6 +3,7 @@ use Plack::Test; + use Test::More; + use HTTP::Request::Common; + use Plack::App::File; ++use FindBin qw($Bin); + + my $app = Plack::App::File->new(file => 'README'); + +@@ -35,6 +36,24 @@ test_psgi $app_content_type, sub { + is $res->code, 200; + }; + ++my $app_secure = Plack::App::File->new(root => $Bin); + ++test_psgi $app_secure, sub { ++ my $cb = shift; ++ ++ my $res = $cb->(GET "/file.t"); ++ is $res->code, 200; ++ like $res->content, qr/We will find for this literal string/; ++ ++ my $res = $cb->(GET "/../Plack-Middleware/file.t"); ++ is $res->code, 403; ++ is $res->content, 'forbidden'; ++ ++ for my $i (1..100) { ++ $res = $cb->(GET "/file.t" . ("/" x $i)); ++ is $res->code, 404; ++ is $res->content, 'not found'; ++ } ++}; + + done_testing; +-- +2.1.1 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..694081c --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +01-fix-CVE-2014-5269.patch
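Review bot: in the debian/changelog hunk, the distribution is still UNRELEASED and the commit id cited ("Include bc1731d from 1.0031 release") does not match the commit the embedded patch is generated from ("From b46ccc15188d979eb062582d53de68a7a9ddeab2"). Before the upload is built, set the distribution to the wheezy target and make the changelog reference the same commit id as the patch header, or say explicitly that bc1731d is the merge of b46ccc15, so that the two records of the fix agree.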
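Review bot: the lib/Plack/App/File.pm hunk changes more than the split limit. The old line was `my @path = split '/', $path;` and the new one is `my @path = split /[\\\/]/, $path, -1;`; the `-1` is the actual CVE fix (it keeps trailing empty fields, so `/file.t///` splits into `('', 'file.t', '', '', '')` instead of collapsing to `('', 'file.t')`, and the trailing empty component no longer resolves to the file), but the separator also grows from `'/'` to `/[\\\/]/`, so a backslash in a request path is now treated as a directory separator on every platform, including Linux where it is an ordinary filename character. That is upstream's behaviour in 1.0031 and is reasonable to carry into wheezy, but it is a behaviour change beyond the trailing-slash fix and deserves a sentence in the changelog; the in-code comment "-1 *MUST* be here to avoid security issues!" would also be more useful if it said why (trailing empty fields must be preserved).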
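Review bot: in the t/Plack-Middleware/file.t hunk, `my $res` is declared twice in the same scope (`my $res = $cb->(GET "/file.t");` and again `my $res = $cb->(GET "/../Plack-Middleware/file.t");`), which emits a '"my" variable $res masks earlier declaration in same scope' warning under `use warnings` or `-w`; drop the second `my`, as the later `for` loop already does. Also worth a comment in the test: with `root => $Bin` the request for `/file.t` serves this very test file, so `like $res->content, qr/We will find for this literal string/` passes only because that regex text appears in the file itself, and the 403/'forbidden' expectation for `/../Plack-Middleware/file.t` exercises the pre-existing traversal check rather than the new split limit.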
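Review bot: debian/patches/01-fix-CVE-2014-5269.patch carries only the git-format-patch headers (From/Date/Subject). Adding DEP-3 `Origin:` and `Bug:` headers that point at the upstream commit (b46ccc15188d979eb062582d53de68a7a9ddeab2) and the upstream issue #405 mentioned in its message, plus `Bug-Debian:` for this report, would make the provenance of the cherry-pick machine-readable, which matters for a security patch that will be tracked across several Debian suites.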