Your message dated Fri, 15 Jan 2016 21:47:07 +0000
with message-id <[email protected]>
and subject line Bug#810799: fixed in libcgi-session-perl 4.48-1+deb8u1
has caused the Debian Bug report #810799,
regarding libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in
CGI::Session::Driver::file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
810799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810799
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcgi-session-perl
Version: 4.48-1
Severity: important
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
Dear Maintainer,
With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
installation of TWiki (http://twiki.org/) no longer functions. This
happens due to CGI::Session::Driver::file complaining about taint.
The bug was reported in the CPAN RT in 2012:
https://rt.cpan.org/Public/Bug/Display.html?id=80346
The test case included in the bug trivially reproduces the issue.
I independently came up with the following patch to temporarily hack
around the problem for our installation:
--- /usr/share/perl5/CGI/Session/Driver/file.pm.orig 2016-01-12
11:47:36.333006417 +0000
+++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-12 11:48:52.933062394
+0000
@@ -52,7 +52,9 @@
return $self->set_error( "_file(): Session ids cannot contain \\ or /
chars: $sid" );
}
- return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid ));
+ my $file = File::Spec->catfile($self->{Directory}, sprintf( $FileName,
$sid ));
+ my $file_ = $file =~ m/(.*)/i; # hack to remove taint
+ return $file_;
}
sub retrieve {
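Review bot: the untaint line `my $file_ = $file =~ m/(.*)/i;` evaluates the match in scalar context, so `$file_` receives 1 (the match succeeded), not the captured path, and the driver would go on to open a file literally named `1`. The capture has to be taken in list context or via `$1`, for example `my ($file_) = $file =~ m/(.*)/;` or `return $1 if $file =~ m/^(.*)$/;`. Two smaller points: `/i` does nothing here, and `.` without `/s` stops at a newline, so a path containing one would be truncated. More importantly, a match-everything pattern launders the taint flag without validating anything; since the only check on `$sid` above is the `\`/`/` rejection, a tighter untaint would capture `$sid` against the character set session ids are expected to use (for instance `m/^([A-Za-z0-9]+)$/`) before calling `catfile`, so that the regex carries the validation taint mode is asking for.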
Regards,
Chris
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libcgi-session-perl depends on:
ii perl 5.20.2-3+deb8u2
Versions of packages libcgi-session-perl recommends:
ii libdbi-perl 1.631-3+b1
libcgi-session-perl suggests no packages.
-- no debconf information
-- debsums errors found:
debsums: changed file /usr/share/perl5/CGI/Session/Driver/file.pm (from
libcgi-session-perl package)
--
Chris Boot
Tiger Computing Ltd
ISO 27001:2013 Certified
Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
--- End Message ---
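Both the hack in the report above and the Debian fix turn on the same Perl taint rule: a value derived from untrusted input may not name a file until it has passed through a regex capture. The following is an added example, not code from the bug report or from CGI::Session, showing the whitelist form of that untaint on a session id. It accepts only the hexadecimal ids the module's default id generator produces (an assumption; widen the character class for a custom `id` generator), takes the capture in list context so the variable holds the text rather than the match's true/false result, and anchors with `\A...\z` so a trailing newline is rejected instead of slipping past `$`. The `cgisess_` file name prefix and `/tmp` as the session directory are assumptions for the demo.

```perl
#!/usr/bin/perl -T
# Added example (not CGI::Session code): untainting a session id the way
# taint mode expects. Run as:  perl -T untaint_demo.pl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Constructed input: emulate a session id read from an untrusted source by
# appending an empty slice of %ENV, which is always tainted under -T. The
# result keeps the taint flag without changing the string.
sub tainted_copy {
    my ($value) = @_;
    return $value . substr($ENV{PATH} // '', 0, 0);
}

# Strict untaint: only accept the characters a session id may contain
# (assumption: hexadecimal, as produced by the default MD5 generator) and
# return the capture. The list-context assignment is what makes $clean the
# captured text; in scalar context, $sid =~ m/(.*)/ yields 1, not the text.
# \A and \z (not ^ and $) make sure "abc\n" is rejected outright.
sub untaint_sid {
    my ($sid) = @_;
    return unless defined $sid;
    my ($clean) = $sid =~ /\A([0-9a-fA-F]{1,64})\z/;
    return $clean;    # undef if the id did not match
}

# Build the session file path from an untainted id only.
# "cgisess_%s" is assumed here as the file name pattern.
sub session_path {
    my ($dir, $sid) = @_;
    my $clean = untaint_sid($sid);
    die "invalid session id\n" unless defined $clean;
    return File::Spec->catfile($dir, "cgisess_$clean");
}

my $dir = '/tmp';    # assumed session directory for the demo
for my $sid (
    tainted_copy('bd73fc8d53cbb1b9eb3c39ec7a6ac1c5'),    # well-formed id
    tainted_copy('../../etc/passwd'),                    # traversal attempt
    tainted_copy("abc\n"),                               # trailing newline
) {
    (my $shown = $sid) =~ s/\n/\\n/g;    # make the newline visible in output
    my $path = eval { session_path($dir, $sid) };
    if (defined $path) {
        printf "%-36s -> %s (input tainted: %s, path tainted: %s)\n",
            $shown, $path,
            tainted($sid)  ? 'yes' : 'no',
            tainted($path) ? 'yes' : 'no';
    }
    else {
        printf "%-36s -> rejected: %s", $shown, $@;
    }
}
```

Run it under taint mode (`perl -T untaint_demo.pl`); without `-T`, `tainted()` always returns false and nothing is enforced. Only the first input yields a path, and that path is untainted because every component of it either is a literal or came out of the capture.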
--- Begin Message ---
Source: libcgi-session-perl
Source-Version: 4.48-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
libcgi-session-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated libcgi-session-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 15 Jan 2016 17:37:38 +0200
Source: libcgi-session-perl
Binary: libcgi-session-perl
Architecture: source all
Version: 4.48-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Description:
libcgi-session-perl - persistent session data in CGI applications
Closes: 810799
Changes:
libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium
.
* Team upload.
* Untaint raw data coming from session storage backends.
+ fixes a taint regression caused by CVE-2015-8607 fixes in perl
(Closes: #810799)
Checksums-Sha1:
dd9f83880c6e00799d0227ab97f0a53d9f4e3e56 2310 libcgi-session-perl_4.48-1+deb8u1.dsc
3f414fda9db1f6709c2138f88eabfb006ac07959 5212 libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
416fa42341118941ded98b8bac1724b99c06662e 118682 libcgi-session-perl_4.48-1+deb8u1_all.deb
Checksums-Sha256:
89a831bc5ee51ed2efa734c0424e38b99a53fcccddebfa0c75cdbcc06de5e8db 2310 libcgi-session-perl_4.48-1+deb8u1.dsc
0fd7899549ba370648c84daf47a9c9c9db027503a2b649be206bb03540a06078 5212 libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
7620fec43861ee6aff8c4ce9614438738a3142dfe0a501f9d26ae0658f2aeb6d 118682 libcgi-session-perl_4.48-1+deb8u1_all.deb
Files:
e8763ea03d0ee8263025f2fa212ef1f4 2310 perl optional libcgi-session-perl_4.48-1+deb8u1.dsc
fe371a64c0d220a676692b98af27e014 5212 perl optional libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
ed1fc424632fca5164cda489517ecb89 118682 perl optional libcgi-session-perl_4.48-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=4mF8
-----END PGP SIGNATURE-----
--- End Message ---