On Wed, Jan 13, 2016 at 11:16:55AM +0000, Dominic Hargreaves wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: [email protected] > Usertags: pu > X-Debbugs-Cc: [email protected], [email protected] > > We're working on a fix for #810799 which is a regression in Debian > stable triggered by the recent perl DSA (it will also be triggered by > the point release update in #809561). > > This should be fixed in jessie, and given the timescale, and the fact > that it's not technically a regression in the DSA package, the consensus > seems to be that a point release update is appropriate.
Here's the full debdiff for what I would like to upload. A fixed sid package (4.48-3) in incoming. -- Niko Tyni [email protected]
diff -Nru libcgi-session-perl-4.48/debian/changelog libcgi-session-perl-4.48/debian/changelog --- libcgi-session-perl-4.48/debian/changelog 2013-05-26 19:47:25.000000000 +0300 +++ libcgi-session-perl-4.48/debian/changelog 2016-01-15 17:38:24.000000000 +0200 @@ -1,3 +1,12 @@ +libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium + + * Team upload. + * Untaint raw data coming from session storage backends. + + fixes a taint regression caused by CVE-2015-8607 fixes in perl + (Closes: #810799) + + -- Niko Tyni <[email protected]> Fri, 15 Jan 2016 17:37:38 +0200 + libcgi-session-perl (4.48-1) unstable; urgency=low [ Nicholas Bamber ] diff -Nru libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch --- libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch 1970-01-01 02:00:00.000000000 +0200 +++ libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch 2016-01-15 17:35:38.000000000 +0200 @@ -0,0 +1,77 @@ +From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001 +From: Niko Tyni <[email protected]> +Date: Tue, 12 Jan 2016 23:40:53 +0200 +Subject: [PATCH] Untaint raw data coming from session storage backends + +The various storage backends need to be considered trusted, +so data coming out of them should be untainted. + +The _CLAIMED_ID comes from an HTTP cookie and is probably tainted, +but presumably it's OK if it matched some data in the storage. + +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346 +Bug-Debian: https://bugs.debian.org/810799 +--- + lib/CGI/Session.pm | 4 ++++ + t/taint_storage.t | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 38 insertions(+) + create mode 100644 t/taint_storage.t + +diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm +index 2788b04..6460d4d 100644 +--- a/lib/CGI/Session.pm ++++ b/lib/CGI/Session.pm +@@ -724,6 +724,10 @@ sub load { + # Requested session couldn't be retrieved + return $self unless $raw_data; + ++ # untaint; we trust the session backend, ++ # and presumably _CLAIMED_ID too at this point ++ $raw_data =~ /^(.*)$/s and $raw_data = $1; ++ + my $serializer = $self->_serializer(); + $self->{_DATA} = $serializer->thaw($raw_data); + unless ( defined $self->{_DATA} ) { +diff --git a/t/taint_storage.t b/t/taint_storage.t +new file mode 100644 +index 0000000..95f5f1a +--- /dev/null ++++ b/t/taint_storage.t +@@ -0,0 +1,34 @@ ++#!/usr/bin/perl -T ++ ++# https://rt.cpan.org/Public/Bug/Display.html?id=80346 ++ ++use strict; ++use warnings; ++use CGI::Session; ++use Scalar::Util qw(tainted); ++use Test::More tests => 6; ++ ++my $sid; ++ ++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'}); ++ok($session, "new() with file+storable"); ++ ++$session->param('a', 1 ); ++ ++$sid = $session->id; ++ok(!tainted $sid, "sid not tainted after new"); ++ ++$session->flush; ++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'}); ++ ++ok($session, "load() with file+storable"); ++$sid = $session->id; ++ok(!tainted $sid, "sid not tainted after load"); ++ ++is($session->param('a'), 1, "parameter stored"); ++ ++$session->flush; ++ ++ok(1, "survived flush"); ++ ++$session->delete; +-- +2.6.4 + diff -Nru libcgi-session-perl-4.48/debian/patches/series libcgi-session-perl-4.48/debian/patches/series --- libcgi-session-perl-4.48/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ libcgi-session-perl-4.48/debian/patches/series 2016-01-15 17:35:38.000000000 +0200 @@ -0,0 +1 @@ +0001-Untaint-raw-data-coming-from-session-storage-backend.patch
