Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1132727,
regarding trixie-pu: package awstats/7.9-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132727: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:awstats
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Severity: normal

[ Reason ]

This fixes CVE-2025-63261: AWStats 8.0 is vulnerable to Command Injection via the open function.

[ Impact ]

In some situations, mostly concerning web hosting panels, a malicious user with write privileges to the local filesystem may run arbitrary commands, possibly as a different awstats system user.

[ Tests ]

I reproduced the issue and ensured it didn't happen with the fix.

I deployed the (very small) fix on 3 web servers that I administrate, and that run awstats hourly, to ensure no regression occurred.

The same fix was published to bullseye-lts and buster-elts last month, no issues reported.

I ran common Debian tests through debusine:
https://debusine.debian.net/debian/developers/work-request/555861/

[ Risks ]

The fix is trivial and is a textbook example of insecure old-style Perl open, causing confusion between a filename with a trailing '|' and a request to pipe input from arbitrary commands:
https://perldoc.perl.org/functions/open#Specifying-mode-and-filename-as-a-single-argument
https://perldoc.perl.org/functions/open#Whitespace-and-special-characters-in-the-filename-argument

[ Checklist ]

  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

Add CVE-2025-63261.patch with a one-liner fix.

[ Other info ]

Binary debdiff shows that NEWS.Debian.gz is dropped, due to NEWS pruning in slightly newer debhelper (#1021607 - last entry was from 2006).
diff -Nru awstats-7.9/debian/changelog awstats-7.9/debian/changelog
--- awstats-7.9/debian/changelog	2023-08-28 09:03:39.000000000 +0200
+++ awstats-7.9/debian/changelog	2026-04-04 16:48:04.000000000 +0200
@@ -1,3 +1,11 @@
+awstats (7.9-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2025-63261: Fix a command injection vulnerability caused by using
+    Perl's 2-argument open() function. (Closes: #1131878)
+
+ -- Sylvain Beucler <[email protected]>  Sat, 04 Apr 2026 16:48:04 +0200
+
 awstats (7.9-1) unstable; urgency=medium
 
   * New maintainer (Closes: #755797)
diff -Nru awstats-7.9/debian/patches/CVE-2025-63261.patch awstats-7.9/debian/patches/CVE-2025-63261.patch
--- awstats-7.9/debian/patches/CVE-2025-63261.patch	1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.9/debian/patches/CVE-2025-63261.patch	2026-04-04 11:06:15.000000000 +0200
@@ -0,0 +1,21 @@
+From: Chris Lamb <[email protected]>
+Date: Wed, 25 Mar 2026 11:43:54 -0700
+Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function.
+
+---
+ wwwroot/cgi-bin/awstats.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: awstats-7.9/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.9.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-7.9/wwwroot/cgi-bin/awstats.pl
+@@ -7683,7 +7683,7 @@ sub Read_DNS_Cache {
+ 		LoadCache_hashfiles( $filetoload, $hashtoload );
+ 	}
+ 	if ( !scalar keys %$hashtoload ) {
+-		open( DNSFILE, "$filetoload" )
++		open( DNSFILE, "<", $filetoload )
+ 		  or error("Couldn't open DNS Cache file \"$filetoload\": $!");
+ 
+ #binmode DNSFILE;		# If we set binmode here, it seems that the load is broken on ActiveState 5.8
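Review bot: the DEP-3 header of this patch file carries only From/Date/Subject; add a `Bug-Debian: https://bugs.debian.org/1131878` line (the bug the changelog entry closes) and an `Origin:` line pointing at the upstream commit, if one exists, so the provenance of the one-line change stays traceable. The change itself is correct: `open( DNSFILE, "<", $filetoload )` makes `$filetoload` a literal path, so the trailing-'|' pipe interpretation, as well as the leading whitespace and `<`/`>` handling of the 2-argument form, no longer applies. Since the hunk touches only Read_DNS_Cache, it is worth confirming that no other 2-argument open() fed by a configuration-derived path remains in awstats.pl.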
diff -Nru awstats-7.9/debian/patches/series awstats-7.9/debian/patches/series
--- awstats-7.9/debian/patches/series	2023-08-28 08:40:12.000000000 +0200
+++ awstats-7.9/debian/patches/series	2026-04-04 11:05:33.000000000 +0200
@@ -10,3 +10,4 @@
 2007_googleplus.patch
 2008_twitter.patch
 2009_googlesearch.patch
+CVE-2025-63261.patch

--- End Message ---
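As an added illustration of the open() ambiguity the report describes (example code written for this page, not from the bug report or the awstats package), the script below models how Perl's 2-argument open() would interpret a few constructed file-name values and contrasts that with the 3-argument form used in the fix; the function names, the sample cache file and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Model of how 2-argument open() parses its single "filename" string:
# surrounding whitespace is stripped, then leading/trailing mode characters
# are honoured. Pure string analysis for the common cases; nothing is executed.
sub two_arg_interpretation {
    my ($spec) = @_;
    (my $s = $spec) =~ s/^\s+|\s+$//g;
    return ('pipe-from-command', $1) if $s =~ /^(.*?)\s*\|$/s;   # "cmd |"
    return ('pipe-to-command',   $1) if $s =~ /^\|\s*(.*)$/s;    # "| cmd"
    return ('read-write',        $1) if $s =~ /^\+<\s*(.*)$/s;
    return ('append',            $1) if $s =~ /^>>\s*(.*)$/s;
    return ('write-truncate',    $1) if $s =~ /^>\s*(.*)$/s;
    return ('read',              $1) if $s =~ /^<\s*(.*)$/s;
    return ('read-STDIN',       '-') if $s eq '-';
    return ('read',              $s);
}

# Hardened reader, matching the debdiff: 3-argument open() with an explicit
# "<" mode treats the path literally, so "cache.txt|" is a file that does not
# exist rather than a command to run. Returns (content, error).
sub read_cache_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return (undef, "Couldn't open \"$path\": $!");
    local $/;
    my $content = <$fh>;
    close $fh;
    return ($content, undef);
}

# Constructed sample cache file in a throw-away directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/dnscache.txt") or die "cannot create sample: $!";
print $out "127.0.0.1\tlocalhost\n";
close $out;

# Constructed file-name values; only the first is a plain path.
for my $spec ("$dir/dnscache.txt", "$dir/dnscache.txt|",
              " $dir/dnscache.txt ", ">$dir/dnscache.txt") {
    my ($mode, $target) = two_arg_interpretation($spec);
    my ($data, $err)    = read_cache_file($spec);
    print "\"$spec\"\n";
    print "  2-arg open would: $mode on \"$target\"\n";
    print "  3-arg open:       ",
          (defined $data ? "read " . length($data) . " bytes" : $err), "\n";
}
```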
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
