Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id 
<165032e5317517556dd7fd8cf24843112a3fb6ac.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1112367,
regarding trixie-pu: package libcgi-simple-perl/1.282-1~deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112367
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Debian Perl Group 
<[email protected]>, gregor herrmann 
<[email protected]>, Ansgar Burchardt <[email protected]>, Niko Tyni 
<[email protected]>, Dominic Hargreaves <[email protected]>, [email protected]
Control: affects -1 + src:libcgi-simple-perl
User: [email protected]
Usertags: pu

Hi Stable release managers,

[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, a HTTP response
flaw.

https://lists.security.metacpan.org/cve-announce/msg/32357435/

It is somehow related to CVE-2010-4410, CVE-2010-4411 and covers more
completely the cases, so the CVE-2010-4411 patch is now superseded
by the new upstream change.

[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.

[ Tests ]
The new upstream version contains an updated test to cover the
additional cases which fail before, and pass afterwards.
(What automated or manual tests cover the affected code?)

[ Risks ]
Targeted fix with test suite coverage (additional tests).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for
  CVE-2010-4411.

[ Other info ]
I decided to make the upload for trixie a rebuild of the unstable one,
so did not do any additional packaging changes in unstable. The new
upstream version contains only the fix for CVE-2025-40927 on top.

Regards,
Salvatore
diff -Nru libcgi-simple-perl-1.281/Changes libcgi-simple-perl-1.282/Changes
--- libcgi-simple-perl-1.281/Changes    2024-01-31 15:16:26.000000000 +0100
+++ libcgi-simple-perl-1.282/Changes    2025-08-28 21:10:33.000000000 +0200
@@ -1,5 +1,11 @@
 Revision history for Perl extension CGI::Simple.
 
+1.282 2025-08-28 MANWAR
+      - Sanitize all user-supplied values before inserting into HTTP headers.
+        Thanks Maxim Kosenko for raising the issue with recommended solution.
+        Thanks breno for the patch.
+        Thanks Stig Palmquist for assiginig it CVE-2025-40927.
+
 1.281 2024-01-31 MANWAR
       - RT-151161 Add CGI::Cookie partitioned support, PR #14, thanks 
@ldevantier-doseme.
 
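Review bot: typo in the new 1.282 Changes entry, `+        Thanks Stig Palmquist for assiginig it CVE-2025-40927.` should read "assigning". This is imported upstream text, so it is not something to touch in the debdiff, but it is worth reporting upstream so the next release carries the corrected wording.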
diff -Nru libcgi-simple-perl-1.281/MANIFEST libcgi-simple-perl-1.282/MANIFEST
--- libcgi-simple-perl-1.281/MANIFEST   2024-01-31 15:17:15.000000000 +0100
+++ libcgi-simple-perl-1.282/MANIFEST   2025-08-28 21:11:51.000000000 +0200
@@ -5,7 +5,7 @@
 lib/CGI/Simple/Standard.pm
 lib/CGI/Simple/Util.pm
 Makefile.PL
-MANIFEST               This list of files
+MANIFEST                       This list of files
 README
 t/000.load.t
 t/020.cookie.t
diff -Nru libcgi-simple-perl-1.281/META.json libcgi-simple-perl-1.282/META.json
--- libcgi-simple-perl-1.281/META.json  2024-01-31 15:17:15.000000000 +0100
+++ libcgi-simple-perl-1.282/META.json  2025-08-28 21:11:51.000000000 +0200
@@ -4,7 +4,7 @@
       "Andy Armstrong <[email protected]>"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter 
version 2.150010",
+   "generated_by" : "ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter 
version 2.150010",
    "license" : [
       "perl_5"
    ],
@@ -48,6 +48,6 @@
          "x_license" : "http://dev.perl.org/licenses/";
       }
    },
-   "version" : "1.281",
-   "x_serialization_backend" : "JSON::PP version 4.02"
+   "version" : "1.282",
+   "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff -Nru libcgi-simple-perl-1.281/META.yml libcgi-simple-perl-1.282/META.yml
--- libcgi-simple-perl-1.281/META.yml   2024-01-31 15:17:13.000000000 +0100
+++ libcgi-simple-perl-1.282/META.yml   2025-08-28 21:11:51.000000000 +0200
@@ -11,7 +11,7 @@
 configure_requires:
   ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 
2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 
2.150010'
 license: perl
 meta-spec:
   url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -23,5 +23,5 @@
     - inc
 resources:
   repository: http://github.com/manwar/CGI--Simple.git
-version: '1.281'
+version: '1.282'
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -Nru libcgi-simple-perl-1.281/debian/changelog 
libcgi-simple-perl-1.282/debian/changelog
--- libcgi-simple-perl-1.281/debian/changelog   2024-02-04 03:13:47.000000000 
+0100
+++ libcgi-simple-perl-1.282/debian/changelog   2025-08-29 05:42:29.000000000 
+0200
@@ -1,3 +1,19 @@
+libcgi-simple-perl (1.282-1~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 29 Aug 2025 05:42:29 +0200
+
+libcgi-simple-perl (1.282-1) unstable; urgency=medium
+
+  * Team upload.
+  * Import upstream version 1.282.
+    - Sanitize all user-supplied values before inserting into HTTP headers
+      (CVE-2025-40927)
+  * Drop "Port latest header-injection refinement from CGI.pm"
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 29 Aug 2025 05:26:27 +0200
+
 libcgi-simple-perl (1.281-1) unstable; urgency=medium
 
   [ Debian Janitor ]
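Review bot: the 1.282-1 entry `+  * Drop "Port latest header-injection refinement from CGI.pm"` names the dropped patch only by its Subject line; naming the file (debian/patches/cve-2010-4411.patch) and the reason (superseded by the upstream sanitisation that fixes CVE-2025-40927) would let someone reading the changelog tie the removal to both CVEs without opening the debdiff. A one-line addition such as `    (debian/patches/cve-2010-4411.patch, superseded upstream)` would be enough.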
diff -Nru libcgi-simple-perl-1.281/debian/patches/cve-2010-4411.patch 
libcgi-simple-perl-1.282/debian/patches/cve-2010-4411.patch
--- libcgi-simple-perl-1.281/debian/patches/cve-2010-4411.patch 2024-02-04 
03:13:47.000000000 +0100
+++ libcgi-simple-perl-1.282/debian/patches/cve-2010-4411.patch 1970-01-01 
01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-Author: Mark Stosberg <[email protected]>
-Origin: 
http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
-Origin: 
http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
-Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
-
-See also http://www.openwall.com/lists/oss-security/2011/01/04/9
-
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -1011,7 +1011,7 @@
-       $header =~ s/$CRLF(\s)/$1/g;
- 
-       # All other uses of newlines are invalid input.
--      if ( $header =~ m/$CRLF/ ) {
-+      if ($header =~ m/$CRLF|\015|\012/) {
-         # shorten very long values in the diagnostic
-         $header = substr( $header, 0, 72 ) . '...'
-          if ( length $header > 72 );
---- a/t/headers.t
-+++ b/t/headers.t
-@@ -76,3 +76,9 @@
-   'redirect with leading newlines blows up'
- );
- 
-+{
-+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
-+    my $out;
-+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
-+    like($@,qr/contains a newline/, "redirect does not allow double-newline 
injection");
-+}
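Review bot: the removed Debian patch also carried a regression test in t/headers.t exercising `redirect()` with a doubled `%0A` (`-+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');`), and this debdiff shows no change to t/headers.t; the new upstream coverage in t/120.header-crlf.t exercises `header()` only. Before dropping the patch it is worth confirming that the redirect path is still rejected by the 1.282 code (the "[ Tests ]" section of the request says the new test covers the additional cases, but the redirect case specifically is not visible here), and noting the result in the changelog if the old test was intentionally not carried over.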
diff -Nru libcgi-simple-perl-1.281/debian/patches/series 
libcgi-simple-perl-1.282/debian/patches/series
--- libcgi-simple-perl-1.281/debian/patches/series      2024-02-04 
03:13:47.000000000 +0100
+++ libcgi-simple-perl-1.282/debian/patches/series      2025-08-29 
05:42:29.000000000 +0200
@@ -1,2 +1 @@
-cve-2010-4411.patch
 no-shellwords-pl.patch
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Cookie.pm 
libcgi-simple-perl-1.282/lib/CGI/Simple/Cookie.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Cookie.pm   2024-01-31 
15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Cookie.pm   2025-08-28 
21:03:30.000000000 +0200
@@ -13,7 +13,7 @@
 use strict;
 use warnings;
 use vars '$VERSION';
-$VERSION = '1.281';
+$VERSION = '1.282';
 use CGI::Simple::Util qw(rearrange unescape escape);
 use overload '""' => \&as_string, 'cmp' => \&compare, 'fallback' => 1;
 
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Standard.pm 
libcgi-simple-perl-1.282/lib/CGI/Simple/Standard.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Standard.pm 2024-01-31 
15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Standard.pm 2025-08-28 
21:03:30.000000000 +0200
@@ -8,7 +8,7 @@
  $NO_UNDEF_PARAMS $USE_PARAM_SEMICOLONS $HEADERS_ONCE
  $NPH $DEBUG $NO_NULL $FATAL *in %EXPORT_TAGS $AUTOLOAD );
 
-$VERSION = "1.281";
+$VERSION = "1.282";
 
 %EXPORT_TAGS = (
   ':html'     => [qw(:misc)],
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Util.pm 
libcgi-simple-perl-1.282/lib/CGI/Simple/Util.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Util.pm     2024-01-31 
15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Util.pm     2025-08-28 
21:03:30.000000000 +0200
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 use vars qw( $VERSION @EXPORT_OK @ISA $UTIL );
-$VERSION = '1.281';
+$VERSION = '1.282';
 require Exporter;
 @ISA       = qw( Exporter );
 @EXPORT_OK = qw(
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple.pm 
libcgi-simple-perl-1.282/lib/CGI/Simple.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple.pm  2024-01-31 15:12:53.000000000 
+0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple.pm  2025-08-28 21:03:30.000000000 
+0200
@@ -13,7 +13,7 @@
      $NO_UNDEF_PARAMS, $USE_PARAM_SEMICOLONS, $PARAM_UTF8, $HEADERS_ONCE,
      $NPH, $DEBUG, $NO_NULL, $FATAL);
 
-$VERSION = "1.281";
+$VERSION = "1.282";
 
 # you can hard code the global variable settings here if you want.
 # warning - do not delete the unless defined $VAR part unless you
@@ -998,6 +998,7 @@
    );
 
   my $CRLF = $self->crlf;
+  my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;
 
   # CR escaping for values, per RFC 822
   for my $header (
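Review bot: the new alternation `+  my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;` does not match a lone carriage return, whereas the Debian patch being dropped checked `m/$CRLF|\015|\012/` and therefore rejected a bare `\015` as well. On an ASCII platform `\r\n` and `\015\012` are the same bytes, so the third branch adds nothing there, while the missing `\r` branch means a header value containing a bare CR is no longer caught by the check below. Either this narrowing is acceptable (worth a sentence in the changelog) or the regex should gain a `|\r` branch; the stable maintainers would want to know which before approving a patch drop that is described as fully superseded.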
@@ -1007,11 +1008,12 @@
     if ( defined $header ) {
       # From RFC 822:
       # Unfolding  is  accomplished  by regarding   CRLF   immediately
-      # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
-      $header =~ s/$CRLF(\s)/$1/g;
+      # followed  by  a  LWSP-char  as equivalent to the LWSP-char
+      # (defined in the RFC as a space or a horizontal tab).
+      $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;
 
       # All other uses of newlines are invalid input.
-      if ( $header =~ m/$CRLF/ ) {
+      if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) {
         # shorten very long values in the diagnostic
         $header = substr( $header, 0, 72 ) . '...'
          if ( length $header > 72 );
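Review bot: the substantive fix in this hunk is the change from `\s` to `[ \t]` in `+      $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;`, and the commit message does not say why. `\s` also matches `\n` and `\r`, so a value such as `test$CRLF$CRLF part` previously unfolded `$CRLF` followed by the next `\n` into a bare `\n`, which the following `m/$CRLF/` test could not see; restricting the unfold to the RFC 822 LWSP characters and checking every newline form keeps that residue visible to the `m/$ALL_POSSIBLE_CRLF/` check. Recording that rationale next to the CVE reference in the changelog would help anyone auditing the stable update.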
@@ -1491,7 +1493,7 @@
 
 =head1 VERSION
 
-This document describes CGI::Simple version 1.281.
+This document describes CGI::Simple version 1.282.
 
 =head1 SYNOPSIS
 
diff -Nru libcgi-simple-perl-1.281/t/120.header-crlf.t 
libcgi-simple-perl-1.282/t/120.header-crlf.t
--- libcgi-simple-perl-1.281/t/120.header-crlf.t        2022-01-02 
18:51:35.000000000 +0100
+++ libcgi-simple-perl-1.282/t/120.header-crlf.t        2025-08-28 
21:02:40.000000000 +0200
@@ -1,5 +1,5 @@
 use strict;
-use Test::More tests => 2;
+use Test::More tests => 9;
 use Test::Exception;
 use CGI::Simple;
 
@@ -7,14 +7,26 @@
 
 my $CRLF = $cgi->crlf;
 
-is( $cgi->header( '-Test' => "test$CRLF part" ),
-    "Test: test part"
+my %possible_crlf = (
+    '\n'       => "\n",
+    '\r\n'     => "\r\n",
+    '\015\012' => "\015\012",
+);
+for my $k (sort keys %possible_crlf) {
+    is(
+        $cgi->header( '-Test' => "test$possible_crlf{$k} part" ),
+        "Test: test part"
         . $CRLF
         . 'Content-Type: text/html; charset=ISO-8859-1'
         . $CRLF
-        . $CRLF
-);
+        . $CRLF,
+        "header value with $k + space drops the $k and is valid"
+    );
 
-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
-qr/Invalid header value contains a newline not followed by whitespace: 
test="test/,
-    'invalid CRLF caught';
+    throws_ok { $cgi->header( '-Test' => 
"test$possible_crlf{$k}$possible_crlf{$k} part" ) }
+    qr/Invalid header value contains a newline not followed by whitespace: 
test="test/,
+        'invalid CRLF caught for double ' . $k;
+        throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }
+        qr/Invalid header value contains a newline not followed by whitespace: 
test="test/,
+        "invalid $k caught not followed by whitespace";
+}
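Review bot: the indentation of the loop body is inconsistent, the first `throws_ok` sits at four spaces while the second (`+        throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }`) is indented one level deeper although both are statements of the same `for` block; this is cosmetic but makes the three assertions per key harder to read. Separately, `%possible_crlf` covers `\n`, `\r\n` and `\015\012` but no lone `\r`, which matches the alternation in `$ALL_POSSIBLE_CRLF` and so documents rather than tests that gap; the plan `tests => 9` (three keys times three assertions) is consistent with the loop as written.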

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.1

Hi,

Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.

Regards,

Adam

--- End Message ---