Debian Bug report logs - #622952
libmojolicious-perl: Path security vulnerability


Package: src:libmojolicious-perl; Maintainer for src:libmojolicious-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Apr 2011 06:12:01 UTC

Severity: grave

Tags: security

Found in version libmojolicious-perl/0.999926-1

Fixed in versions libmojolicious-perl/1.16-1, libmojolicious-perl/0.999926-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622952; Package src:libmojolicious-perl. (Sat, 16 Apr 2011 06:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 16 Apr 2011 06:12:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmojolicious-perl: Path security vulnerability
Date: Sat, 16 Apr 2011 08:08:59 +0200
Source: libmojolicious-perl
Version: 0.999926-1
Severity: grave
Tags: security
Justification: user security hole

Hi

A path security vulnerability was reported upstream for
libmojolicious-perl.

 [1] https://github.com/kraih/mojo/issues/114
 [2] http://cpansearch.perl.org/src/KRAIH/Mojolicious-1.16/Changes
 [3] http://perlninja.posterous.com/sharks-in-the-water

Bests
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622952; Package src:libmojolicious-perl. (Sat, 16 Apr 2011 06:18:03 GMT) Full text and rfc822 format available.

Message #8 received at 622952@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 622952@bugs.debian.org, 622952-submitter@bugs.debian.org
Subject: Bug in libmojolicious-perl fixed in revision 72653
Date: Sat, 16 Apr 2011 06:15:25 +0000
tag 622952 + pending
thanks

Some bugs are closed in revision 72653
by Salvatore Bonaccorso (carnil)

Commit message:

* Team upload.
* New upstream release.
  + Fix path security vulnerability (Closes: #622952).




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 16 Apr 2011 06:18:06 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#622952. (Sat, 16 Apr 2011 06:18:09 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 16 Apr 2011 06:51:11 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Apr 2011 06:51:11 GMT) Full text and rfc822 format available.

Message #18 received at 622952-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622952-close@bugs.debian.org
Subject: Bug#622952: fixed in libmojolicious-perl 1.16-1
Date: Sat, 16 Apr 2011 06:47:57 +0000
Source: libmojolicious-perl
Source-Version: 1.16-1

We believe that the bug you reported is fixed in the latest version of
libmojolicious-perl, which is due to be installed in the Debian FTP archive:

libmojolicious-perl_1.16-1.debian.tar.gz
  to main/libm/libmojolicious-perl/libmojolicious-perl_1.16-1.debian.tar.gz
libmojolicious-perl_1.16-1.dsc
  to main/libm/libmojolicious-perl/libmojolicious-perl_1.16-1.dsc
libmojolicious-perl_1.16-1_all.deb
  to main/libm/libmojolicious-perl/libmojolicious-perl_1.16-1_all.deb
libmojolicious-perl_1.16.orig.tar.gz
  to main/libm/libmojolicious-perl/libmojolicious-perl_1.16.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622952@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libmojolicious-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Apr 2011 08:19:53 +0200
Source: libmojolicious-perl
Binary: libmojolicious-perl
Architecture: source all
Version: 1.16-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libmojolicious-perl - simple, yet powerful, Web Application Framework
Closes: 622952
Changes: 
 libmojolicious-perl (1.16-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     + Fix path security vulnerability (Closes: #622952).
   * Bump Standards-Version to 3.9.2.
Checksums-Sha1: 
 746e1bb3a8dda75c0593810444a693c31eab3422 2064 libmojolicious-perl_1.16-1.dsc
 6ee34f7efff0ce66d5596392ef847098f5c1954c 465177 libmojolicious-perl_1.16.orig.tar.gz
 bd7035c8e769ba74877244f7cdc5e0ac23567a61 12983 libmojolicious-perl_1.16-1.debian.tar.gz
 dc6d6e56c5776bb0df4fcc2604e0e0760142d4d7 691700 libmojolicious-perl_1.16-1_all.deb
Checksums-Sha256: 
 d2f196a9521fbda0e54c947c29497566b06087a569eae2afd9537b36ffc6224b 2064 libmojolicious-perl_1.16-1.dsc
 fbc9ab857fd89a99ae1b19c626659039183894f2b57c92fb89e6eb0c40739790 465177 libmojolicious-perl_1.16.orig.tar.gz
 26f6ed366dfed0a2655dc5bd00b1d0707f7ec969b35b5e584deb33af232235cd 12983 libmojolicious-perl_1.16-1.debian.tar.gz
 9ab946888b60601044bc5f6e5c2c9d75db775922e19c37f44769366bad173c7a 691700 libmojolicious-perl_1.16-1_all.deb
Files: 
 ad29f280b7b9e19cce37d27a2a7cf7ee 2064 perl optional libmojolicious-perl_1.16-1.dsc
 280f9eaeb6e90f1c5d565ba8146d3698 465177 perl optional libmojolicious-perl_1.16.orig.tar.gz
 114ac3e4587e7c1bd56a9edcbb840375 12983 perl optional libmojolicious-perl_1.16-1.debian.tar.gz
 9b5557776dce2dcf551cc75f89ebe4dc 691700 perl optional libmojolicious-perl_1.16-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622952; Package src:libmojolicious-perl. (Sat, 16 Apr 2011 08:24:05 GMT) Full text and rfc822 format available.

Message #21 received at 622952@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 622952@bugs.debian.org, 622952-submitter@bugs.debian.org
Subject: Bug in fixed in revision 72659
Date: Sat, 16 Apr 2011 08:22:10 +0000
tag 622952 + pending
thanks

Some bugs are closed in revision 72659
by Salvatore Bonaccorso (carnil)

Commit message:

# TODO: FTBFS, tests in t/mojox/routes/routes.t
#	#   Failed test at t/mojox/routes/routes.t line 359.
#	#          got: 'http:/www.google.com'
#	#     expected: 'http://www.google.com'
#	# Looks like you failed 1 test of 193.
#	t/mojox/routes/routes.t ....................... 
#	Dubious, test returned 1 (wstat 256, 0x100)
#	Failed 1/193 subtests 
* [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
traversal security vulnerability (Closes: #622952). 




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 16 Apr 2011 08:24:07 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#622952. (Sat, 16 Apr 2011 08:24:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622952; Package src:libmojolicious-perl. (Sat, 16 Apr 2011 11:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 16 Apr 2011 11:24:04 GMT) Full text and rfc822 format available.

Message #31 received at 622952@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: security@debian.org, 622952@bugs.debian.org
Subject: Prepared update for libmojolicious-perl
Date: Sat, 16 Apr 2011 13:22:17 +0200
[Message part 1 (text/plain, inline)]
Hi Security Team

I have now prepared a preliminary update for libmojolicious-perl; see the
attached debdiff. Do you agree with the changes? How to proceed?

Note: reviewing the Changes file from the version in stable up to the
version in squeeze, the following entries appear:

0.999928 2010-08-15 00:00:00
        - Fixed a security problem with CGI environment detection.
[...]

This is related to upstream commits
b3a1fb453eda447c0bb082cd9eed81bb75a7564a and
aa7c8da54b1ebd4ccb64aa66dede7b7cdb381c44.

And

0.999927 2010-08-15 00:00:00
[...]
        - Fixed a security problem in the HMAC MD5 implementation. (vti)

where I have not yet the relevant git commit.

Would you like them addressed too?

Bests
Salvatore
[debdiff_libmojolicious-perl_0.999926-1_0.999926-1+squeeze1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
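As an added illustration of the bug class this report covers (path traversal in a web framework's static file handling), and not the Debian patch or any Mojolicious code: a small defensive resolver in Perl that percent-decodes the request path, drops empty and '.' segments, rejects '..' outright, and then confirms with realpath that the resolved file still lies below the document root. The document root, file names and request paths below are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report, the Debian patch or
# Mojolicious. Shows one defensive way to map a URL path onto a static
# document root without letting the request climb out of it.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Percent-decode the request path, split it into segments, and refuse any
# segment that could climb out of the document root. Returns an array
# reference of clean segments, or undef if the path must be rejected.
sub safe_segments {
    my ($url_path) = @_;

    # Decode %XX escapes before inspecting segments, so an encoded form
    # such as %2e%2e is seen as the '..' it really is.
    $url_path =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    my @segments;
    for my $seg (split m{/}, $url_path) {
        next if $seg eq '' || $seg eq '.';        # '//' and '/./' are harmless
        return undef if $seg eq '..';              # parent-directory escape
        return undef if $seg =~ /[\x00\\]/;        # NUL or backslash: never legitimate here
        push @segments, $seg;
    }
    return \@segments;
}

# Map clean segments onto $root and confirm, after resolving symlinks with
# realpath, that the file really lives below $root. Returns the absolute
# path to serve, or undef to answer with 404/403.
sub resolve_static {
    my ($root, $url_path) = @_;

    my $segments  = safe_segments($url_path) or return undef;
    my $root_real = realpath($root)          or return undef;
    my $candidate = File::Spec->catfile($root_real, @$segments);
    my $real      = realpath($candidate)     or return undef;  # file must exist

    # Prefix test with a trailing separator so "/srv/www-private" is not
    # mistaken for something under "/srv/www".
    return undef unless index($real, "$root_real/") == 0;
    return $real;
}

# Constructed demo: $tmp/htdocs is the document root, $tmp/outside.txt is a
# file that must never be reachable through it.
my $tmp  = tempdir(CLEANUP => 1);
my $root = "$tmp/htdocs";
mkdir $root       or die "mkdir $root: $!";
mkdir "$root/css" or die "mkdir $root/css: $!";
for my $f ("$root/css/app.css", "$tmp/outside.txt") {
    open my $fh, '>', $f or die "open $f: $!";
    print $fh "sample\n";
    close $fh;
}

for my $req ('/css/app.css', '/css//./app.css', '/../outside.txt',
             '/%2e%2e/outside.txt', '/css/missing.css') {
    my $file = resolve_static($root, $req);
    printf "%-22s -> %s\n", $req, defined $file ? "serve $file" : "reject";
}
```

Two design choices matter here. Decoding happens before the segment check, otherwise an encoded dot pair slips past a literal '..' comparison; and '..' is rejected rather than normalised, which is simpler to audit than trying to compute what it would resolve to. The realpath prefix test is a second, independent line of defence that also catches symlinks inside the document root pointing outside it.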

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 20 Apr 2011 21:03:11 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 20 Apr 2011 21:03:11 GMT) Full text and rfc822 format available.

Message #36 received at 622952-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622952-close@bugs.debian.org
Subject: Bug#622952: fixed in libmojolicious-perl 0.999926-1+squeeze1
Date: Wed, 20 Apr 2011 21:02:19 +0000
Source: libmojolicious-perl
Source-Version: 0.999926-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libmojolicious-perl, which is due to be installed in the Debian FTP archive:

libmojolicious-perl_0.999926-1+squeeze1.debian.tar.gz
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze1.debian.tar.gz
libmojolicious-perl_0.999926-1+squeeze1.dsc
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze1.dsc
libmojolicious-perl_0.999926-1+squeeze1_all.deb
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622952@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libmojolicious-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Apr 2011 00:07:54 +0200
Source: libmojolicious-perl
Binary: libmojolicious-perl
Architecture: source all
Version: 0.999926-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libmojolicious-perl - Model-View-Controller Web Application Framework
Closes: 622952
Changes: 
 libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
 .
   * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
     traversal security vulnerability. Fix CVE-2011-1589. (Closes: #622952).
   * Add improve-RFC3986-compliance-of-Mojo-Path.patch backported from
     upstream commit 748ef373291dd342c18a0811f967ea0d88df5368. This
     prevents FTBFS with the applied security patch. Thanks to Ansgar
     Burchardt (ansgar) for suggestion.
Checksums-Sha1: 
 c05898783dda76542b3a36382e9814a5622c9a74 2105 libmojolicious-perl_0.999926-1+squeeze1.dsc
 b5d06f4e6a5afa29c392732e0c5dfc9f6e590375 230633 libmojolicious-perl_0.999926.orig.tar.gz
 46c2cd53a1d1b8fd3f078326d62df1cc33c6b8b8 6634 libmojolicious-perl_0.999926-1+squeeze1.debian.tar.gz
 2531d2ae32d25861e7d7fbf3d1b3886c25075865 445812 libmojolicious-perl_0.999926-1+squeeze1_all.deb
Checksums-Sha256: 
 4c50ae39f65515401cf2b9273e2c18eaec40a8f25368649cada7d84218677ea7 2105 libmojolicious-perl_0.999926-1+squeeze1.dsc
 fed8a2d37493700ab0fe209a269d2fd3c710dce77f18664652157f1f0d1090ae 230633 libmojolicious-perl_0.999926.orig.tar.gz
 13d0256670561b7948b9202dc71a91cdf7c970ec5a9d174297c6c028cde1b36f 6634 libmojolicious-perl_0.999926-1+squeeze1.debian.tar.gz
 585a51afd7dfa4924d29af6f0b68384171b87f62d3a09b61e5fa59d634f3748f 445812 libmojolicious-perl_0.999926-1+squeeze1_all.deb
Files: 
 1874a8e397f8c1a84be69f47912b6d5e 2105 perl optional libmojolicious-perl_0.999926-1+squeeze1.dsc
 ecdbb51f457ef220d675a5f8ac4522ef 230633 perl optional libmojolicious-perl_0.999926.orig.tar.gz
 a30b3bdf11b843d2d3a5128b722a21ac 6634 perl optional libmojolicious-perl_0.999926-1+squeeze1.debian.tar.gz
 9f2b61456cfb32cf2c71b5fc9e6389e6 445812 perl optional libmojolicious-perl_0.999926-1+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJNrLd9AAoJEHidbwV/2GP+LuAP/3OYRR5G1xiGS3EwVavU0jv3
7KypvDGav6m1N4mSBdL9rsAObmwLoU1h3IWx0Q52U9OmJKYD71xAuKfP42MhdgfN
bprILb3YRTN8xqO4alhqSZF8rOkeMkdQvasquEthle6azR4hb9grT3RYRI5dSjLr
/MQoWmADFP8ITCtWnuxr6PT9ujE/BLsDiumUu0c9SbPFpJn3pWXikW1zw05/KH4+
kjTM6pIM9OftJrHEp0DG00uQjKPGbCeW22dSEVx3weDYoOw27aw8Mb+3luNR4y/Z
IihBlNB8e6AGW9/r1k/UYVVd702A53bAGdSTlhWBZIc8oraYmuZBOqbrcJxivanM
UXDsGPJJKDo312vJGuclJ/6k5rF5iAKpD16UhFa+12uFdZk55iVSW2yfhxJw2KGb
qh7hEi7czRefCGL6wwdYh8WWkcifFds2RPxXb/m1xB7jRhi/6EM/TdqN71X0gI4V
g95zy22zZWaMlarBDH74ylZprN79ckBewQBq7oX+s+gaj3DSz6n2+xeq/GRgOmHb
TTZ4vGkOrpNpV6As5NOg8X1M1EnHQ9DCI54A8YI7FNIyks7HtKyA2sd5bf5zxoup
uvNIsDTvZD+V9aQ9u+Z9B3idQy2BPBaHbkm+Wrdio2ytQ7p/HvPAYOQTVxnGAaKZ
vhcl3kRaktiCypn5pfnS
=7swx
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:35:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:22:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.