Re: [UPDATE] CVE-2017-16248: www/p5-Catalyst-Plugin-Static-Simple

[Andrew Hewus Fresh]

On Mon, Dec 17, 2018 at 03:21:27AM +0100, Charlene Wendling wrote:
> Hi, 
> 
> I'm adding the quirks info as well. Can someone check this out please? 

OK afresh1@, although I don't have a firm enough grasp on Quirks to know
for sure this is right.

I also don't know whether it should be backported to -stable.


> 
> Charlène. 
> 
> 
> Index: devel/quirks/Makefile
> ===================================================================
> RCS file: /cvs/ports/devel/quirks/Makefile,v
> retrieving revision 1.670
> diff -u -p -r1.670 Makefile
> --- devel/quirks/Makefile     17 Dec 2018 01:10:00 -0000      1.670
> +++ devel/quirks/Makefile     17 Dec 2018 02:19:49 -0000
> @@ -5,7 +5,7 @@ CATEGORIES =  devel databases
>  DISTFILES =
>  
>  # API.rev
> -PKGNAME =    quirks-3.63
> +PKGNAME =    quirks-3.64
>  PKG_ARCH =   *
>  MAINTAINER = Marc Espie <es...@openbsd.org>
>  
> Index: devel/quirks/files/Quirks.pm
> ===================================================================
> RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
> retrieving revision 1.684
> diff -u -p -r1.684 Quirks.pm
> --- devel/quirks/files/Quirks.pm      17 Dec 2018 01:10:00 -0000      1.684
> +++ devel/quirks/files/Quirks.pm      17 Dec 2018 02:19:49 -0000
> @@ -1282,6 +1282,7 @@ my $cve = {
>       'www/iridium' => 'iridium-<2018.5.67',
>       'www/mozilla-firefox' => 'firefox-<62.0.2p0',
>       'www/nginx' => 'nginx-<1.4.1',
> +     'www/p5-Catalyst-Plugin-Static-Simple' => 
> 'p5-Catalyst-Plugin-Static-Simple-<0.36',
>       'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0',
>       'www/py-requests' => 'py-requests-<2.20.0',
>       'www/py-requests,python3' => 'py3-requests-<2.20.0',
> Index: www/p5-Catalyst-Plugin-Static-Simple/Makefile
> ===================================================================
> RCS file: /cvs/ports/www/p5-Catalyst-Plugin-Static-Simple/Makefile,v
> retrieving revision 1.15
> diff -u -p -r1.15 Makefile
> --- www/p5-Catalyst-Plugin-Static-Simple/Makefile     20 Mar 2016 19:57:16 
> -0000      1.15
> +++ www/p5-Catalyst-Plugin-Static-Simple/Makefile     17 Dec 2018 02:19:49 
> -0000
> @@ -4,8 +4,7 @@ COMMENT=      serving static pages with cata
>  
>  MODULES=     cpan
>  PKG_ARCH=    *
> -DISTNAME=    Catalyst-Plugin-Static-Simple-0.29
> -REVISION=    1
> +DISTNAME=    Catalyst-Plugin-Static-Simple-0.36
>  CATEGORIES=  www
>  
>  # Perl
> @@ -15,9 +14,9 @@ RUN_DEPENDS=        devel/p5-Moose \
>               devel/p5-MooseX-Types \
>               devel/p5-namespace-autoclean \
>               www/p5-Catalyst-Runtime>=5.80008 \
> -             mail/p5-MIME-Types>=1.25
> +             mail/p5-MIME-Types>=2.03
>  BUILD_DEPENDS=       ${RUN_DEPENDS}
> -TEST_DEPENDS=www/p5-Catalyst-Plugin-SubRequest>=0.15
> +TEST_DEPENDS=        www/p5-Catalyst-Plugin-SubRequest>=0.15
>  
>  MAKE_ENV=    TEST_POD=Yes
>  
> Index: www/p5-Catalyst-Plugin-Static-Simple/distinfo
> ===================================================================
> RCS file: /cvs/ports/www/p5-Catalyst-Plugin-Static-Simple/distinfo,v
> retrieving revision 1.7
> diff -u -p -r1.7 distinfo
> --- www/p5-Catalyst-Plugin-Static-Simple/distinfo     18 Jan 2015 03:15:43 
> -0000      1.7
> +++ www/p5-Catalyst-Plugin-Static-Simple/distinfo     17 Dec 2018 02:19:49 
> -0000
> @@ -1,2 +1,2 @@
> -SHA256 (Catalyst-Plugin-Static-Simple-0.29.tar.gz) = 
> JLCNF2upuiQM6rLZiUalW76SlVp08UT/71LPR4QKUPI=
> -SIZE (Catalyst-Plugin-Static-Simple-0.29.tar.gz) = 36471
> +SHA256 (Catalyst-Plugin-Static-Simple-0.36.tar.gz) = 
> Nrczj5a+9PJoX3pFVbFRl5Oud4O9PW0iyX87cY8wlFQ=
> +SIZE (Catalyst-Plugin-Static-Simple-0.36.tar.gz) = 44538
> 
> 
> 
> 
> On Fri, 7 Dec 2018 20:11:14 +0100
> Charlene Wendling wrote:
> 
> > Hi ports, 
> > 
> > I'm proposing here an update for www/p5-Catalyst-Plugin-Static-Simple,
> > from 0.29 to 0.36, that also fixes CVE-2017-16248 [1] (directory
> > traversal) by the way.
> > 
> > What's new upstream (full changelog there [2]):
> > 
> > - Fix installation for Perl 5.26+
> > - Relax/fix some tests
> > - Change configuration key to 'Plugin::Static::Simple', using the old
> >   'static' will issue a warning 
> > 
> > What's new in the port: 
> > 
> > - mail/p5-MIME-Types version requirement bumped
> > - Tiny spacing fix as well
> > 
> > Testing: 
> > 
> > - 'make test' passes
> > - There are 2 consumers, that i've tested [3]: 
> >     - www/p5-Catalyst-Devel is fine.
> >     - devel/catalyst-tutorial has one error, caused by (a probably
> >       way too old) www/p5-HTML-FormFu 
> > 
> > Any comments/feedback is welcome! 
> > 
> > Charlène. 
> > 
> > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16248
> > [2]
> > https://metacpan.org/changes/release/ILMARI/Catalyst-Plugin-Static-Simple-0.36
> > [3] https://transfer.sh/5aESu/p5-Catalyst-Plugin-Static-Simple.tgz
> 

-- 
andrew - http://afresh1.com

At the source of every error which is blamed on the computer, you
will find at least two human errors, including the error of blaming
it on the computer.