Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112368,
regarding bookworm-pu: package libcgi-simple-perl/1.280-2+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112368
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], Debian Perl Group
<[email protected]>, gregor herrmann
<[email protected]>, Ansgar Burchardt <[email protected]>, Niko Tyni
<[email protected]>, Dominic Hargreaves <[email protected]>, [email protected]
Control: affects -1 + src:libcgi-simple-perl
User: [email protected]
Usertags: pu
Hi Stable release managers,
[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, an HTTP response
flaw.
https://lists.security.metacpan.org/cve-announce/msg/32357435/
It is somehow related to CVE-2010-4410, CVE-2010-4411 and covers more
completely the cases, so the CVE-2010-4411 patch is now superseded
by the new upstream change.
[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.
[ Tests ]
The new upstream version contains an updated test to cover the
additional cases which fail before, and pass afterwards. The
additional tests are included as well along with the cherry-picked fix.
[ Risks ]
Targeted fix with test suite coverage (additional tests).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for
CVE-2010-4411.
Regards,
Salvatore
diff -Nru libcgi-simple-perl-1.280/debian/changelog
libcgi-simple-perl-1.280/debian/changelog
--- libcgi-simple-perl-1.280/debian/changelog 2022-10-13 23:56:51.000000000
+0200
+++ libcgi-simple-perl-1.280/debian/changelog 2025-08-29 05:59:56.000000000
+0200
@@ -1,3 +1,12 @@
+libcgi-simple-perl (1.280-2+deb12u1) bookworm; urgency=medium
+
+ * Drop "Port latest header-injection refinement from CGI.pm" patch.
+ (superseeded by the patch for CVE-2025-40927)
+ * Sanitize all user-supplied values before inserting into HTTP headers
+ (CVE-2025-40927)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 29 Aug 2025 05:59:56 +0200
+
libcgi-simple-perl (1.280-2) unstable; urgency=medium
[ Debian Janitor ]
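Review bot: typo in the first bullet of the new changelog entry, "superseeded" should read "superseded"; apart from that the entry matches what the series file change does (drop cve-2010-4411.patch, add Sanitize-all-user-supplied-values-before-inserting-i.patch), and the CVE reference on the second bullet is what the security tracker will key on.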
diff -Nru
libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
---
libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
1970-01-01 01:00:00.000000000 +0100
+++
libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
2025-08-29 05:59:56.000000000 +0200
@@ -0,0 +1,95 @@
+From: Mohammad Sajid Anwar <[email protected]>
+Date: Thu, 28 Aug 2025 20:12:23 +0100
+Subject: - Sanitize all user-supplied values before inserting into HTTP
+ headers. Thanks Maxim Kosenko for raising the issue with recommended
+ solution. Thanks breno for the patch. Thanks Stig Palmquist for assiginig
+ it CVE-2025-40927.
+Origin:
https://github.com/manwar/CGI--Simple/commit/0c1a2e0b8f24804d33daac686666ac944363a630
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40927
+
+---
+ Changes | 6 ++++++
+ lib/CGI/Simple.pm | 12 +++++++-----
+ lib/CGI/Simple/Cookie.pm | 2 +-
+ lib/CGI/Simple/Standard.pm | 2 +-
+ lib/CGI/Simple/Util.pm | 2 +-
+ t/120.header-crlf.t | 28 ++++++++++++++++++++--------
+ 6 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/lib/CGI/Simple.pm b/lib/CGI/Simple.pm
+index ebf13706f987..5125533dfdb1 100644
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -998,6 +998,7 @@ sub header {
+ );
+
+ my $CRLF = $self->crlf;
++ my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;
+
+ # CR escaping for values, per RFC 822
+ for my $header (
+@@ -1007,11 +1008,12 @@ sub header {
+ if ( defined $header ) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+- # followed by a LWSP-char as equivalent to the LWSP-char.
+- $header =~ s/$CRLF(\s)/$1/g;
++ # followed by a LWSP-char as equivalent to the LWSP-char
++ # (defined in the RFC as a space or a horizontal tab).
++ $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;
+
+ # All other uses of newlines are invalid input.
+- if ( $header =~ m/$CRLF/ ) {
++ if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) {
+ # shorten very long values in the diagnostic
+ $header = substr( $header, 0, 72 ) . '...'
+ if ( length $header > 72 );
+
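Review bot: the new alternation `my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;` has a redundant branch, since `\015\012` is the same two octets as `\r\n`, and it does not match a lone CR: a value such as `"test\rpart"` passes both the unfolding substitution and the `m/$ALL_POSSIBLE_CRLF/` check, whereas the patch this upload drops (cve-2010-4411.patch) tested `m/$CRLF|\015|\012/` and therefore rejected a bare `\015`. Consider `qr/(?:\r\n?|\n)/`, or confirm that a lone CR is rejected elsewhere before the older check is removed. The change from `(\s)` to `([ \t])` in the unfolding substitution is correct and worth keeping as is: `\s` also matches a newline, so a newline could itself serve as the "continuation" character and survive into the output.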
+diff --git a/t/120.header-crlf.t b/t/120.header-crlf.t
+index d6a4dca78c41..7834b77e8022 100644
+--- a/t/120.header-crlf.t
++++ b/t/120.header-crlf.t
+@@ -1,5 +1,5 @@
+ use strict;
+-use Test::More tests => 2;
++use Test::More tests => 9;
+ use Test::Exception;
+ use CGI::Simple;
+
+@@ -7,14 +7,26 @@ my $cgi = CGI::Simple->new;
+
+ my $CRLF = $cgi->crlf;
+
+-is( $cgi->header( '-Test' => "test$CRLF part" ),
+- "Test: test part"
++my %possible_crlf = (
++ '\n' => "\n",
++ '\r\n' => "\r\n",
++ '\015\012' => "\015\012",
++);
++for my $k (sort keys %possible_crlf) {
++ is(
++ $cgi->header( '-Test' => "test$possible_crlf{$k} part" ),
++ "Test: test part"
+ . $CRLF
+ . 'Content-Type: text/html; charset=ISO-8859-1'
+ . $CRLF
+- . $CRLF
+-);
++ . $CRLF,
++ "header value with $k + space drops the $k and is valid"
++ );
+
+-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
+-qr/Invalid header value contains a newline not followed by whitespace:
test="test/,
+- 'invalid CRLF caught';
++ throws_ok { $cgi->header( '-Test' =>
"test$possible_crlf{$k}$possible_crlf{$k} part" ) }
++ qr/Invalid header value contains a newline not followed by whitespace:
test="test/,
++ 'invalid CRLF caught for double ' . $k;
++ throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }
++ qr/Invalid header value contains a newline not followed by
whitespace: test="test/,
++ "invalid $k caught not followed by whitespace";
++}
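Review bot: the `%possible_crlf` hash in this hunk has two keys that yield the same string (`'\r\n' => "\r\n"` and `'\015\012' => "\015\012"`), so only two distinct newline sequences are actually exercised and the plan of 9 counts the duplicate three times; a lone `"\r"` entry would be a more useful third case, given that the alternation under test does not list it. The three test descriptions per key are clear, and the expected-error regexes match the diagnostic text produced in lib/CGI/Simple.pm.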
+--
+2.51.0
+
diff -Nru libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch
libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch
--- libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch 2022-10-13
23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch 1970-01-01
01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-Author: Mark Stosberg <[email protected]>
-Origin:
http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
-Origin:
http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
-Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
-
-See also http://www.openwall.com/lists/oss-security/2011/01/04/9
-
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -1011,7 +1011,7 @@
- $header =~ s/$CRLF(\s)/$1/g;
-
- # All other uses of newlines are invalid input.
-- if ( $header =~ m/$CRLF/ ) {
-+ if ($header =~ m/$CRLF|\015|\012/) {
- # shorten very long values in the diagnostic
- $header = substr( $header, 0, 72 ) . '...'
- if ( length $header > 72 );
---- a/t/headers.t
-+++ b/t/headers.t
-@@ -76,3 +76,9 @@
- 'redirect with leading newlines blows up'
- );
-
-+{
-+ my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
-+ my $out;
-+ eval { $out = $cgi->redirect( $cgi->param('t') ) };
-+ like($@,qr/contains a newline/, "redirect does not allow double-newline
injection");
-+}
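Review bot: dropping this patch also drops the t/headers.t case that fed `'t=bogus%0A%0A<html>'` through `redirect()` and expected a `contains a newline` error; the replacement patch's diffstat touches only t/120.header-crlf.t, which exercises `header()`. Confirm that `redirect()` still routes its value through the same check, or carry the redirect test over, so the backport does not silently lose that coverage.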
diff -Nru libcgi-simple-perl-1.280/debian/patches/series
libcgi-simple-perl-1.280/debian/patches/series
--- libcgi-simple-perl-1.280/debian/patches/series 2022-10-13
23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/series 2025-08-29
05:59:56.000000000 +0200
@@ -1,2 +1,2 @@
-cve-2010-4411.patch
no-shellwords-pl.patch
+Sanitize-all-user-supplied-values-before-inserting-i.patch
--- End Message ---
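The header-value check that the backported fix applies, re-implemented below as an added stand-alone Perl example (not CGI::Simple's code and not part of the bug report) so the unfold-versus-reject behaviour can be run on constructed inputs. `check_header_value`, `rejected` and the stricter `$STRICT_NEWLINE` alternation are this example's own names and assumptions; the stricter variant also covers a lone CR, which the patch's alternation does not list.

```perl
use strict;
use warnings;
use Test::More tests => 8;

my $CRLF = "\015\012";
# Same alternation as the backported fix (its \015\012 branch is the same
# octets as \r\n), beside a stricter variant that also matches a lone CR.
my $PATCH_NEWLINE  = qr/(?:\r\n|\n|\015\012)/;
my $STRICT_NEWLINE = qr/(?:\r\n?|\n)/;   # assumption: not part of the patch

# Unfold "newline + space/tab" per RFC 822, then die on any newline left over.
sub check_header_value {
    my ( $value, $newline ) = @_;
    $newline //= $PATCH_NEWLINE;
    return undef unless defined $value;
    $value =~ s/$newline([ \t])/$1/g;
    if ( $value =~ m/$newline/ ) {
        $value = substr( $value, 0, 72 ) . '...' if length $value > 72;
        die "Invalid header value contains a newline not followed by whitespace: $value\n";
    }
    return $value;
}

# True when check_header_value refuses the value with the expected message.
sub rejected {
    my ( $value, $newline ) = @_;
    my $ok = eval { check_header_value( $value, $newline ); 1 };
    return !$ok && $@ =~ /contains a newline not followed by whitespace/;
}

# Constructed inputs, mirroring the shapes used by t/120.header-crlf.t.
is( check_header_value("test$CRLF part"), 'test part',  'CRLF + space unfolds' );
is( check_header_value("test\n part"),    'test part',  'bare LF + space unfolds' );
is( check_header_value("test\n\tpart"),   "test\tpart", 'LF + tab unfolds' );
ok( rejected("test$CRLF$CRLF part"), 'double CRLF is rejected' );
ok( rejected("test\npart"),          'LF not followed by LWSP is rejected' );
ok( rejected("test\n\n part"),       'double bare LF is rejected' );
ok( !rejected("test\rpart"),         'lone CR slips through the patch alternation' );
ok( rejected( "test\rpart", $STRICT_NEWLINE ), 'stricter alternation rejects lone CR' );
```

Run it with `perl` from any directory; Test::More is a core module, so no extra dependencies are needed.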
--- Begin Message ---
Package: release.debian.org
Version: 12.12
Hi,
Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.
Regards,
Adam
--- End Message ---