Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hello

Please unblock package libconfig-model-perl

This new version fixes 2 security issues:
* add patch to remove 'use lib' (CVE-2017-0373)
* add patch to remove '.' in @INC emulation (CVE-2017-0374)

debian/rules was modified to add '.' to @INC during the test suite run only, so the tests don't fail.

The 2 patches can also be read there, in a format slightly more readable than the attached debdiff:
https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-use-lib?h=debian/2.097-2
https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/tree/debian/patches/remove-inc-dot-emulation?h=debian/2.097-2

Links to the CVEs:
https://security-tracker.debian.org/tracker/CVE-2017-0373
https://security-tracker.debian.org/tracker/CVE-2017-0374

Thanks

unblock libconfig-model-perl/2.097-2

-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libconfig-model-perl-2.097/debian/changelog libconfig-model-perl-2.097/debian/changelog
--- libconfig-model-perl-2.097/debian/changelog 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/changelog 2017-05-14 18:20:55.000000000 +0200
@@ -1,3 +1,12 @@
+libconfig-model-perl (2.097-2) unstable; urgency=medium
+
+ * add patch to remove 'use lib' (CVE-2017-0373)
+ * add patch to remove '.' in @INC emulation (CVE-2017-0374)
+ * rules: add '.' in @INC for tests
+ * package for stretch release only
+
+ -- Dominique Dumont <d...@debian.org> Sun, 14 May 2017 18:20:55 +0200
+
 libconfig-model-perl (2.097-1) unstable; urgency=medium
 
  * New upstream version 2.097
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation
--- libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation 1970-01-01 01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-inc-dot-emulation 2017-05-14 18:20:55.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Remove inc dot emulation
+ Using '.' in @INC while loading models and model snippts allows to
+ run arbitrary code by specially crafted models placed in the current
+ working directory (as an aftermath of the fixes for the removal of
+ '.' in @INC in perl).
+.
+ This patch removes the search in '.' and fixes the collateral
+ damage. Note that tests must be run with PERL5LIB=. variable so model
+ files can be searched in '.' only during tests.
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0374
+Author: Dominique Dumont <d...@debian.org>
+Origin: upstream
+Applied-Upstream: v2.102
+--- a/lib/Config/Model.pm
++++ b/lib/Config/Model.pm
+@@ -1198,7 +1198,7 @@
+ # look for additional model information
+ my %model_graft_by_name;
+ my %done; # avoid loading twice the same snippet (where system version may clobber dev version)
+- foreach my $inc (@INC,'.') {
++ foreach my $inc (@INC) {
+ foreach my $name ( keys %models_by_name ) {
+ my $snippet_path = $name;
+ $snippet_path =~ s/::/\//g;
+@@ -1206,6 +1206,13 @@
+ get_logger("Model::Loader")->trace("looking for snippet in $snippet_dir");
+ if ( -d $snippet_dir ) {
+ foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
++
++ # $snippet_file is constructed from @INC content
++ # (i.e. $inc). Since _load_model_in_hash uses 'do'
++ # (which searches in @INC), the file path passed
++ # to _load_model_in_hash must be relative to $inc.
++ $snippet_file = substr $snippet_file, length($inc) + 1;
++
+ my $done_key = $name . ':' . $snippet_file;
+ next if $done{$done_key};
+ get_logger("Model::Loader")->info("Found snippet $snippet_file");
+@@ -1260,7 +1267,7 @@
+ get_logger("Model::Loader")->info("load model $load_file");
+
+ my $err_msg = '';
+- $load_file = "./$load_file" if $load_file !~ m!^/! and -e $load_file ;
++ # do searches @INC if the file path is not absolute
+ my $model = do $load_file;
+
+ unless ($model) {
diff -Nru libconfig-model-perl-2.097/debian/patches/remove-use-lib libconfig-model-perl-2.097/debian/patches/remove-use-lib
--- libconfig-model-perl-2.097/debian/patches/remove-use-lib 1970-01-01 01:00:00.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/remove-use-lib 2017-05-14 18:20:55.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Remove use lib from GenClassPod.pm
+ genclasspod: remove use lib, not needed and causes a security hole when using cme on untrusted Debian package files
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0373
+Author: Dominique Dumont <d...@debian.org>
+Origin: upstream
+Applied-Upstream: v 2.102
+--- a/lib/Config/Model/Utils/GenClassPod.pm
++++ b/lib/Config/Model/Utils/GenClassPod.pm
+@@ -17,7 +17,6 @@
+ use parent qw(Exporter);
+ our @EXPORT = qw(gen_class_pod);
+
+-use lib qw/lib/;
+ use Path::Tiny ;
+ use Config::Model ; # to generate doc
+
diff -Nru libconfig-model-perl-2.097/debian/patches/series libconfig-model-perl-2.097/debian/patches/series
--- libconfig-model-perl-2.097/debian/patches/series 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/patches/series 2017-05-14 18:20:55.000000000 +0200
@@ -1,2 +1,4 @@
 #fix-cryptic-message
 fix-debci
+remove-use-lib
+remove-inc-dot-emulation
diff -Nru libconfig-model-perl-2.097/debian/rules libconfig-model-perl-2.097/debian/rules
--- libconfig-model-perl-2.097/debian/rules 2016-12-22 19:18:27.000000000 +0100
+++ libconfig-model-perl-2.097/debian/rules 2017-05-14 18:20:55.000000000 +0200
@@ -11,4 +11,4 @@
 override_dh_auto_test:
 	mkdir -p $(BUILDHOME)
-	HOME=$(BUILDHOME) dh_auto_test
+	PERL5LIB=. HOME=$(BUILDHOME) dh_auto_test
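Review bot: The new `$snippet_file = substr $snippet_file, length($inc) + 1;` in the second Model.pm hunk assumes the glob result begins with exactly `$inc` followed by one slash; an @INC entry with a trailing slash, or a non-string @INC hook (code or array ref) stringified into the glob pattern, yields an off-by-one or garbage relative path, which `do` then looks up through @INC again (as the added comment itself says) and will most likely not find, while `%done` records the bogus key. A prefix check that fails closed is safer and costs one line: `$snippet_file =~ s{\A\Q$inc\E/+}{} or next;` (the `\Q…\E` keeps regex metacharacters in the path inert). The added comment should also state that, because the path handed to `do` is relative, the file actually executed is the first match in @INC and may live under an earlier entry than the `$inc` glob found it in — consistent with the `%done` remark about system versus dev versions, but not obvious to a reader who assumes `$inc` is the file's origin. The enclosing subroutine starts and ends outside this hunk, so the guard would go into the patch's Model.pm lines at that point.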
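Review bot: The Description of the remove-use-lib patch names the consequence ("a security hole when using cme on untrusted Debian package files") but not the mechanism, which is what a future reader of the quilt series needs: `use lib qw/lib/` prepends the cwd-relative directory `lib/` to @INC at compile time, so `Path::Tiny` and `Config::Model` on the next two lines, and every model they load later, could be shadowed by files under `./lib` in whatever directory cme is run from. I would reword the continuation line to `genclasspod: remove 'use lib qw/lib/', which prepended a cwd-relative lib/ to @INC and let files under ./lib shadow modules and models when cme runs in an untrusted directory (CVE-2017-0373)`. As a point of style, `Applied-Upstream: v 2.102` carries a stray space where the sibling remove-inc-dot-emulation patch writes `v2.102`.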
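Review bot: `PERL5LIB=. HOME=$(BUILDHOME) dh_auto_test` puts '.' back into @INC for the whole test run, which is exactly the condition the remove-inc-dot-emulation patch removes, so after this change the test suite cannot detect a regression in which a model or snippet placed in the working directory gets loaded. On a trusted build tree that is not an exposure in itself, but if the tests only need the build root and do not chdir, the absolute `PERL5LIB=$(CURDIR) HOME=$(BUILDHOME) dh_auto_test` gives the same lookup without a cwd-relative @INC entry, and one test run without PERL5LIB asserting that a crafted `./*.pl` model is ignored would pin CVE-2017-0374. Whether the tests chdir cannot be told from this diff, so that substitution needs checking against t/ before it is made.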