Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], Debian Perl Group <[email protected]>, gregor herrmann <[email protected]>, Ansgar Burchardt <[email protected]>, Niko Tyni <[email protected]>, Dominic Hargreaves <[email protected]>, [email protected]
Control: affects -1 + src:libcgi-simple-perl
User: [email protected]
Usertags: pu
Hi Stable release managers,

[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, an HTTP response flaw.

https://lists.security.metacpan.org/cve-announce/msg/32357435/

It is somehow related to CVE-2010-4410 and CVE-2010-4411 and covers the cases more completely, so the CVE-2010-4411 patch is now superseded by the new upstream change.

[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.

[ Tests ]
The new upstream version contains an updated test to cover the additional cases, which fail before and pass afterwards. The additional tests are included as well along with the cherry-picked fix.

[ Risks ]
Targeted fix with test suite coverage (additional tests).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for CVE-2010-4411.

Regards,
Salvatore
diff -Nru libcgi-simple-perl-1.280/debian/changelog libcgi-simple-perl-1.280/debian/changelog --- libcgi-simple-perl-1.280/debian/changelog 2022-10-13 23:56:51.000000000 +0200 +++ libcgi-simple-perl-1.280/debian/changelog 2025-08-29 05:59:56.000000000 +0200 @@ -1,3 +1,12 @@ +libcgi-simple-perl (1.280-2+deb12u1) bookworm; urgency=medium + + * Drop "Port latest header-injection refinement from CGI.pm" patch. + (superseeded by the patch for CVE-2025-40927) + * Sanitize all user-supplied values before inserting into HTTP headers + (CVE-2025-40927) + + -- Salvatore Bonaccorso <[email protected]> Fri, 29 Aug 2025 05:59:56 +0200 + libcgi-simple-perl (1.280-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch --- libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch 2025-08-29 05:59:56.000000000 +0200 
@@ -0,0 +1,95 @@ +From: Mohammad Sajid Anwar <[email protected]> +Date: Thu, 28 Aug 2025 20:12:23 +0100 +Subject: - Sanitize all user-supplied values before inserting into HTTP + headers. Thanks Maxim Kosenko for raising the issue with recommended + solution. Thanks breno for the patch. Thanks Stig Palmquist for assiginig + it CVE-2025-40927. +Origin: https://github.com/manwar/CGI--Simple/commit/0c1a2e0b8f24804d33daac686666ac944363a630 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40927 + +--- + Changes | 6 ++++++ + lib/CGI/Simple.pm | 12 +++++++----- + lib/CGI/Simple/Cookie.pm | 2 +- + lib/CGI/Simple/Standard.pm | 2 +- + lib/CGI/Simple/Util.pm | 2 +- + t/120.header-crlf.t | 28 ++++++++++++++++++++-------- + 6 files changed, 36 insertions(+), 16 deletions(-) + +diff --git a/lib/CGI/Simple.pm b/lib/CGI/Simple.pm +index ebf13706f987..5125533dfdb1 100644 +--- a/lib/CGI/Simple.pm ++++ b/lib/CGI/Simple.pm +@@ -998,6 +998,7 @@ sub header { + ); + + my $CRLF = $self->crlf; ++ my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/; + + # CR escaping for values, per RFC 822 + for my $header ( +@@ -1007,11 +1008,12 @@ sub header { + if ( defined $header ) { + # From RFC 822: + # Unfolding is accomplished by regarding CRLF immediately +- # followed by a LWSP-char as equivalent to the LWSP-char. +- $header =~ s/$CRLF(\s)/$1/g; ++ # followed by a LWSP-char as equivalent to the LWSP-char ++ # (defined in the RFC as a space or a horizontal tab). ++ $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g; + + # All other uses of newlines are invalid input. +- if ( $header =~ m/$CRLF/ ) { ++ if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) { + # shorten very long values in the diagnostic + $header = substr( $header, 0, 72 ) . '...' 
+ if ( length $header > 72 ); + +diff --git a/t/120.header-crlf.t b/t/120.header-crlf.t +index d6a4dca78c41..7834b77e8022 100644 +--- a/t/120.header-crlf.t ++++ b/t/120.header-crlf.t +@@ -1,5 +1,5 @@ + use strict; +-use Test::More tests => 2; ++use Test::More tests => 9; + use Test::Exception; + use CGI::Simple; + +@@ -7,14 +7,26 @@ my $cgi = CGI::Simple->new; + + my $CRLF = $cgi->crlf; + +-is( $cgi->header( '-Test' => "test$CRLF part" ), +- "Test: test part" ++my %possible_crlf = ( ++ '\n' => "\n", ++ '\r\n' => "\r\n", ++ '\015\012' => "\015\012", ++); ++for my $k (sort keys %possible_crlf) { ++ is( ++ $cgi->header( '-Test' => "test$possible_crlf{$k} part" ), ++ "Test: test part" + . $CRLF + . 'Content-Type: text/html; charset=ISO-8859-1' + . $CRLF +- . $CRLF +-); ++ . $CRLF, ++ "header value with $k + space drops the $k and is valid" ++ ); + +-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) } +-qr/Invalid header value contains a newline not followed by whitespace: test="test/, +- 'invalid CRLF caught'; ++ throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}$possible_crlf{$k} part" ) } ++ qr/Invalid header value contains a newline not followed by whitespace: test="test/, ++ 'invalid CRLF caught for double ' . $k; ++ throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) } ++ qr/Invalid header value contains a newline not followed by whitespace: test="test/, ++ "invalid $k caught not followed by whitespace"; ++} +-- +2.51.0 + diff -Nru libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch --- libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch 2022-10-13 23:56:51.000000000 +0200 +++ libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,30 +0,0 @@ -Author: Mark Stosberg <[email protected]> -Origin: http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd -Origin: http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da -Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm - -See also http://www.openwall.com/lists/oss-security/2011/01/04/9 - ---- a/lib/CGI/Simple.pm -+++ b/lib/CGI/Simple.pm -@@ -1011,7 +1011,7 @@ - $header =~ s/$CRLF(\s)/$1/g; - - # All other uses of newlines are invalid input. -- if ( $header =~ m/$CRLF/ ) { -+ if ($header =~ m/$CRLF|\015|\012/) { - # shorten very long values in the diagnostic - $header = substr( $header, 0, 72 ) . '...' - if ( length $header > 72 ); ---- a/t/headers.t -+++ b/t/headers.t -@@ -76,3 +76,9 @@ - 'redirect with leading newlines blows up' - ); - -+{ -+ my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>'); -+ my $out; -+ eval { $out = $cgi->redirect( $cgi->param('t') ) }; -+ like($@,qr/contains a newline/, "redirect does not allow double-newline injection"); -+} diff -Nru libcgi-simple-perl-1.280/debian/patches/series libcgi-simple-perl-1.280/debian/patches/series --- libcgi-simple-perl-1.280/debian/patches/series 2022-10-13 23:56:51.000000000 +0200 +++ libcgi-simple-perl-1.280/debian/patches/series 2025-08-29 05:59:56.000000000 +0200 @@ -1,2 +1,2 @@ -cve-2010-4411.patch no-shellwords-pl.patch +Sanitize-all-user-supplied-values-before-inserting-i.patch
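Review bot: the debian/changelog entry in the first hunk carries the typo "superseeded" ("(superseeded by the patch for CVE-2025-40927)"); correct it to "superseded" before upload, since the changelog text is what ships in the package and in the point-release notes.

Review bot: in the lib/CGI/Simple.pm hunk, `$ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/` has a redundant branch (`\015\012` is the same byte pair as `\r\n` on Debian's Perl) and, more importantly, no branch matches a lone CR, whereas the check it replaces from the dropped cve-2010-4411.patch, `if ($header =~ m/$CRLF|\015|\012/)`, rejected a bare `\015` as well as a bare `\012`. Confirm with upstream whether a bare CR in a header value is meant to pass validation, and either add `\r` to the alternation or add a bare-CR case to t/120.header-crlf.t so the intended behaviour is pinned by the test suite either way.

Review bot: the diffstat of the new patch lists Changes, lib/CGI/Simple/Cookie.pm, lib/CGI/Simple/Standard.pm and lib/CGI/Simple/Util.pm (6 files changed, 36 insertions, 16 deletions), but only the lib/CGI/Simple.pm and t/120.header-crlf.t hunks appear in the debdiff as quoted here; check that the Debian patch file actually carries the Cookie.pm, Standard.pm and Util.pm hunks, since those code paths are part of the "all user-supplied values" the patch subject promises to cover.

Review bot: removing cve-2010-4411.patch also removes its t/headers.t regression test ("redirect does not allow double-newline injection"), and the replacement test file only exercises header(); either keep that redirect() test or confirm that redirect() goes through the same header() validation, so the bookworm update does not lose a regression check it previously had.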

