Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-14 Thread Niko Tyni
On Thu, Jan 13, 2011 at 10:35:00PM +, Adam D. Barratt wrote:
 On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
  I've now uploaded

  - 3.38-2lenny2

 I've flagged the lenny package to be accepted at the next dinstall;

While preparing the perl lenny upload I had a look at this. I see Gregor
used my proposed patch from 27 Dec [1]; however I later noticed at least
the doc addition in CGI.pm is wrong [2]. 

Upstream is going to change the documentation back rather than change
the behaviour [3], so I don't think we should be including this change.

While at it, I'm pretty sure the //s change in the previous hunk is a
no-op (because the earlier change makes sure there are no newlines in
@other) and I'm not including it with the perl uploads. Eyeballs welcome
of course.

So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
the attachments - the first one is the debdiff against 3.38-2lenny2 in
proposed-updates, the second one is against 3.38-2lenny1 in stable.

Gregor, I hope you're OK with this?

I'm sorry I failed to communicate this better; the bug log is getting
rather long and I can certainly see the potential for things to get lost.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#44
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#86
[3] http://rt.cpan.org/Public/Bug/Display.html?id=64554

Cheers,
-- 
Niko Tyni   nt...@debian.org
diff -u libcgi-pm-perl-3.38/debian/changelog 
libcgi-pm-perl-3.38/debian/changelog
--- libcgi-pm-perl-3.38/debian/changelog
+++ libcgi-pm-perl-3.38/debian/changelog
@@ -1,3 +1,11 @@
+libcgi-pm-perl (3.38-2lenny3) stable; urgency=low
+
+  * Slightly amend the previous patch:
++ drop an incorrect documentation change
++ drop an unnecessary regexp modifier change
+
+ -- Niko Tyni nt...@debian.org  Fri, 14 Jan 2011 13:27:36 +0200
+
 libcgi-pm-perl (3.38-2lenny2) stable; urgency=low
 
   * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
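Review bot: the two sub-items under "Slightly amend the previous patch" do not say why the documentation change was incorrect or which modifier was dropped, so the changelog cannot be understood without the bug log. Suggest `+ drop an incorrect documentation change (upstream is reverting it, rt.cpan.org #64554)` and `+ drop an unnecessary //s modifier change in header()`, matching the reasoning given in the cover mail.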
diff -u 
libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
 
libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
--- 
libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
+++ 
libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
@@ -46,34 +46,6 @@
  $nph ||= $NPH;
  
  $type ||= 'text/html' unless defined($type);
-@@ -1482,7 +1506,7 @@
- # need to fix it up a little.
- foreach (@other) {
- # Don't use \s because of perl bug 21951
--next unless my($header,$value) = /([^ \r\n\t=]+)=\?(.+?)\?$/;
-+next unless my($header,$value) = /([^ \r\n\t=]+)=\?(.+?)\?$/s;
- ($_ = $header) =~ s/^(\w)(.*)/\u$1\L$2 . ': 
'.$self-unescapeHTML($value)/e;
- }
- 
-@@ -5101,6 +5125,18 @@
- 
-   P3P: policyref=/w3c/p3p.xml cp=CAO DSP LAW CURa
- 
-+Note that if a header value contains a carriage return, a leading space will 
be
-+added to each new line that doesn't already have one as specified by RFC2616
-+section 4.2.  For example:
-+
-+print header( -ingredients = ham\neggs\nbacon );
-+
-+will generate
-+
-+Ingredients: ham
-+ eggs
-+ bacon
-+
- =head2 GENERATING A REDIRECTION HEADER
- 
-print redirect('http://somewhere.else/in/movie/land');
 --- /dev/null
 +++ b/t/headers.t
 @@ -0,0 +1,47 @@
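Review bot: this hunk removes the `//s` hunk and the POD addition from the patch body but touches nothing in the patch's DEP-3 header, so `Last-Update: 2011-01-13` no longer describes the content shipped in 3.38-2lenny3. Suggest bumping `Last-Update:` to the upload date and extending `Description:` with one sentence saying the documentation hunk was dropped because upstream is reverting that text (rt.cpan.org #64554). Dropping the `//s` change itself is sound: the validation loop earlier in header() already guarantees that `@other` contains no newline.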
diff -u libcgi-pm-perl-3.38/debian/changelog 
libcgi-pm-perl-3.38/debian/changelog
--- libcgi-pm-perl-3.38/debian/changelog
+++ libcgi-pm-perl-3.38/debian/changelog
@@ -1,3 +1,19 @@
+libcgi-pm-perl (3.38-2lenny3) stable; urgency=low
+
+  * Slightly amend the previous patch:
++ drop an incorrect documentation change
++ drop an unnecessary regexp modifier change
+
+ -- Niko Tyni nt...@debian.org  Fri, 14 Jan 2011 13:27:36 +0200
+
+libcgi-pm-perl (3.38-2lenny2) stable; urgency=low
+
+  * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
+CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the   
+patch (closes: #606370).
+
+ -- gregor herrmann gre...@debian.org  Thu, 13 Jan 2011 22:49:36 +0100
+
 libcgi-pm-perl (3.38-2lenny1) stable; urgency=low
 
   * Fix unwanted ISO-8859-1 - UTF-8 conversion in CGI::Util::escape().
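Review bot: the 3.38-2lenny2 entry reproduced here carries trailing whitespace after `preparing the` on the second line of its [SECURITY] item; since this debdiff rewrites the whole entry anyway, strip it.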
diff -u libcgi-pm-perl-3.38/debian/patches/series 
libcgi-pm-perl-3.38/debian/patches/series
--- libcgi-pm-perl-3.38/debian/patches/series
+++ libcgi-pm-perl-3.38/debian/patches/series
@@ -2,0 +3 @@
+CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
only in patch2:
unchanged:
--- 
libcgi-pm-perl-3.38.orig/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
+++ 
libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
@@ -0,0 +1,121 @@
+Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 
from 3.50 and 3.51
+Bug: http://bugs.debian.org/606370
+Author: Niko Tyni nt...@debian.org
+Reviewed-by: gregor herrmann gre...@debian.org
+Last-Update: 2011-01-13
+
+--- a/CGI.pm
 b/CGI.pm
+@@ -1382,7 
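Review bot: the DEP-3 header has `Author:`, `Bug:` and `Reviewed-by:` but no `Origin:` line, even though the Description says the changes are backported from 3.50 and 3.51; the perl package's copy of this patch elsewhere in this bug log carries `Origin: upstream`. Suggest adding `Origin: backport, https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d` (the upstream commit already referenced in this bug) so the provenance of the backport is machine-readable.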

Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-14 Thread Adam D. Barratt
On Fri, January 14, 2011 11:40, Niko Tyni wrote:
 While preparing the perl lenny upload I had a look at this. I see Gregor
 used my proposed patch from 27 Dec [1]; however I later noticed at least
 the doc addition in CGI.pm is wrong [2].

 Upstream is going to change the documentation back rather than change
 the behaviour [3], so I don't think we should be including this change.

 While at it, I'm pretty sure the //s change in the previous hunk is a
 no-op (because the earlier change makes sure there are no newlines in
 @other) and I'm not including it with the perl uploads. Eyeballs welcome
 of course.

 So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
 the attachments - the first one is the debdiff against 3.38-2lenny2 in
 proposed-updates, the second one is against 3.38-2lenny1 in stable.

Yes, that would be okay; thanks.

Regards,

Adam




-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-14 Thread gregor herrmann
On Fri, 14 Jan 2011 13:40:15 +0200, Niko Tyni wrote:

   - 3.38-2lenny2
  I've flagged the lenny package to be accepted at the next dinstall;
 While preparing the perl lenny upload I had a look at this. I see Gregor
 used my proposed patch from 27 Dec [1]; however I later noticed at least
 the doc addition in CGI.pm is wrong [2]. 

Oops ...
 
 Gregor, I hope you're OK with this?

Sure!
And sorry for causing extra work ...
 

Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-NP: Schmetterlinge: Geschichte vom Arbeiter Willi K


signature.asc
Description: Digital signature


Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-14 Thread gregor herrmann
On Fri, 14 Jan 2011 13:08:37 -, Adam D. Barratt wrote:

  So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
  the attachments - the first one is the debdiff against 3.38-2lenny2 in
  proposed-updates, the second one is against 3.38-2lenny1 in stable.
 Yes, that would be okay; thanks.

I've uploaded 3.38-2lenny3 with this debdiff now.

Cheers,
gregor
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-NP: Jimi Hendrix: Hear My Train A Comin'




Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-14 Thread Adam D. Barratt
On Fri, 2011-01-14 at 23:29 +0100, gregor herrmann wrote:
 On Fri, 14 Jan 2011 13:08:37 -, Adam D. Barratt wrote:
 
   So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
   the attachments - the first one is the debdiff against 3.38-2lenny2 in
   proposed-updates, the second one is against 3.38-2lenny1 in stable.
  Yes, that would be okay; thanks.
 
 I've uploaded 3.38-2lenny3 with this debdiff now.

Accepted, pending dinstall; thanks.

Regards,

Adam







Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-13 Thread gregor herrmann
On Tue, 11 Jan 2011 22:16:23 +0200, Niko Tyni wrote:

 I've also updated libcgi-pm-perl in the pkg-perl SVN repository to 3.51,
 which fixes this. I didn't upload it yet as my time window for this is
 closing fast.

Thanks!
 
 It would be great if somebody could pick up this and the tpu upload
 of 3.49.

I've now uploaded
- 3.51-1
- 3.49-1squeeze1
- 3.38-2lenny2
to the respective suites.

I was a bit hesitant since I haven't seen a comment from the RT about
the uploads to lenny/squeeze; but they can still decide now if they
accept the packages or not :)

Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-NP: Steppenwolf: The Ostrich




Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-13 Thread Adam D. Barratt
On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
 I've now uploaded
 - 3.51-1
 - 3.49-1squeeze1
 - 3.38-2lenny2
 to the respective suites.
 
 I was a bit hesitant since I haven't seen a comment from the RT about
 the uploads to lenny/squeeze; but they can still decide now if they
 accept the packages or not :)

We were so keen for squeeze that Julien and I both added approve hints
at the same time. ;-)

I've flagged the lenny package to be accepted at the next dinstall;
thanks.

Regards,

Adam







Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-13 Thread gregor herrmann
On Thu, 13 Jan 2011 22:35:00 +, Adam D. Barratt wrote:

  I was a bit hesitant since I haven't seen a comment from the RT about
  the uploads to lenny/squeeze; but they can still decide now if they
  accept the packages or not :)
 We were so keen for squeeze that Julien and I both added approve hints
 at the same time. ;-)

Heh, that's great service :)
 
 I've flagged the lenny package to be accepted at the next dinstall;
 thanks.

Thanks to you!
 

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-NP: Joe Cocker: Just Like A Woman




Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-13 Thread Niko Tyni
On Thu, Jan 13, 2011 at 10:35:00PM +, Adam D. Barratt wrote:
 On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
  I've now uploaded

  - 3.38-2lenny2

  I was a bit hesitant since I haven't seen a comment from the RT about
  the uploads to lenny/squeeze; but they can still decide now if they
  accept the packages or not :)

 I've flagged the lenny package to be accepted at the next dinstall;
 thanks.

I thought stable would be fixed with a DSA, but as the next Lenny point
release will be out real soon (Jan 22nd, stable NEW freezes on the 17th),
I suppose that's just as good. Cc'ing the security team.

I'll try to get a perl lenny upload (#606995) in stable NEW by Monday.

That still leaves libcgi-simple-perl (#606379) unfixed. Is anybody looking at 
that?
-- 
Niko Tyni   nt...@debian.org






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-11 Thread Niko Tyni
On Fri, Jan 07, 2011 at 02:48:28PM +0200, Niko Tyni wrote:

 Done, just uploaded perl/5.10.1-17 with the attached patch.

I've also updated libcgi-pm-perl in the pkg-perl SVN repository to 3.51,
which fixes this. I didn't upload it yet as my time window for this is
closing fast.

It would be great if somebody could pick up this and the tpu upload
of 3.49.
-- 
Niko Tyni   nt...@debian.org






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-07 Thread Niko Tyni
On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
 On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
 
  Assuming this is the case, I'm attaching preliminary patches for
  
  3.29 (perl-modules   / lenny)
  3.38 (libcgi-pm-perl / lenny)
  3.43 (perl-modules   / squeeze + sid)
  3.49 (libcgi-pm-perl / squeeze)
  3.50 (libcgi-pm-perl / sid)

 All this means I need another test session when I'm feeling less tired,
 so no perl upload tonight.

Done, just uploaded perl/5.10.1-17 with the attached patch.

Changes: 
 perl (5.10.1-17) unstable; urgency=medium
 .
   * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
 fix CGI.pm MIME boundary and multiline header vulnerabilities.
 (Closes: #606995)

Release team: please consider

 unblock perl/5.10.1-17

The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
s/rearrange_header/rearrange/.

Moritz: shall I upload a fixed lenny package to stable-security?
FWIW, I'd prefer to wait the five days for squeeze migration before a
DSA in case we get any regression reports.
-- 
Niko Tyni   nt...@debian.org
From: Niko Tyni nt...@debian.org
Subject: [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
Origin: upstream
Bug-Debian: http://bugs.debian.org/606995

CVE-2010-2761 hardcoded MIME boundary, fixed in CGI.pm-3.50
CVE-2010-4410 CRLF injection vulnerability, fixed in CGI.pm-3.50
CVE-2010-4411 double CR/LF injection vulnerability, fixed in CGI.pm-3.51


---
 MANIFEST   |2 +
 lib/CGI.pm |   26 +++-
 lib/CGI/t/headers.t|   47 
 lib/CGI/t/multipart_init.t |   20 ++
 4 files changed, 94 insertions(+), 1 deletions(-)

diff --git a/MANIFEST b/MANIFEST
index 2b5a968..e0e950f 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1935,7 +1935,9 @@ lib/CGI/t/cookie.t		See if CGI::Cookie works
 lib/CGI/t/fast.t		See if CGI::Fast works (if FCGI is installed)
 lib/CGI/t/form.t		See if CGI.pm works
 lib/CGI/t/function.t		See if CGI.pm works
+lib/CGI/t/headers.t		See if CGI.pm works
 lib/CGI/t/html.t		See if CGI.pm works
+lib/CGI/t/multipart_init.t	See if CGI.pm works
 lib/CGI/t/no_tabindex.t	See if CGI.pm works
 lib/CGI/t/pretty.t		See if CGI.pm works
 lib/CGI/t/push.t		See if CGI::Push works
diff --git a/lib/CGI.pm b/lib/CGI.pm
index 008bc7b..d859e76 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -1382,7 +1382,14 @@ END_OF_FUNC
 sub multipart_init {
 my($self,@p) = self_or_default(@_);
 my($boundary,@other) = rearrange_header([BOUNDARY],@p);
-$boundary = $boundary || '--- =_aa0';
+if (!$boundary) {
+$boundary = '--- =_';
+my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+for (1..17) {
+$boundary .= $chrs[rand(scalar @chrs)];
+}
+}
+
 $self-{'separator'} = $CRLF--$boundary$CRLF;
 $self-{'final_separator'} = $CRLF--$boundary--$CRLF;
 $type = SERVER_PUSH($boundary);
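Review bot: the replacement boundary in multipart_init() is built from Perl's `rand()`, a general-purpose PRNG seeded automatically on first use, not a cryptographic generator; 17 symbols from a 62-character alphabet is ample width only as long as the generator's state cannot be inferred. This mirrors what upstream 3.50 does and is a clear improvement over the fixed `'--- =_aa0'`, so it is acceptable for the backport, but the patch header should describe the boundary as unpredictable rather than random, and a follow-up could source the characters from a stronger generator where one is available.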
@@ -1467,6 +1474,23 @@ sub header {
 'EXPIRES','NPH','CHARSET',
 'ATTACHMENT','P3P'],@p);
 
+# CR escaping for values, per RFC 822
+for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+if (defined $header) {
+# From RFC 822:
+# Unfolding  is  accomplished  by regarding   CRLF   immediately
+# followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+$header =~ s/$CRLF(\s)/$1/g;
+
+# All other uses of newlines are invalid input. 
+if ($header =~ m/$CRLF|\015|\012/) {
+# shorten very long values in the diagnostic
+$header = substr($header,0,72).'...' if (length $header  72);
+die Invalid header value contains a newline not followed by whitespace: $header;
+}
+} 
+   }
+
 $nph ||= $NPH;
 
 $type ||= 'text/html' unless defined($type);
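Review bot: the `die` in the new validation loop interpolates the rejected `$header` verbatim, so the very CR/LF that caused the rejection is written into the web server's error log and splits the entry across lines, with the untrusted value landing in the log unescaped. Suggest rendering control characters visibly before dying, e.g. replacing each CR and LF in the 72-character excerpt with a literal `\r` / `\n` escape, so every rejection stays on one log line and remains greppable. The unfolding step itself is correct for the double-CRLF case: `s/$CRLF(\s)/$1/g` consumes CRLF followed by the second CR, and the LF left behind is then caught by the `\015|\012` test.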
diff --git a/lib/CGI/t/headers.t b/lib/CGI/t/headers.t
new file mode 100755
index 000..661b74b
--- /dev/null
+++ b/lib/CGI/t/headers.t
@@ -0,0 +1,47 @@
+
+# Test that header generation is spec compliant.
+# References:
+#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
+#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI;
+
+my $cgi = CGI-new;
+
+like $cgi-header( -type = text/html ),
+qr#Type: text/html#, 'known header, basic case: type = text/html';
+
+eval { $cgi-header( -type = text/html.$CGI::CRLF.evil: stuff ) };
+like($@,qr/contains a newline/,'invalid header blows up');
+
+like $cgi-header( -type = text/html.$CGI::CRLF. evil: stuff  ),
+qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
+eval { $cgi-header( -foobar = text/html.$CGI::CRLF.evil: stuff ) };
+like($@,qr/contains a 
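Review bot: the first assertion matches `qr#Type: text/html#` while the folding test below matches the full `Content-Type: text/html ...`; the looser pattern would also pass with a mangled header name, so use `Content-Type:` in both. Also, `Test::More 'no_plan'` lets a test file that stops early still report success; prefer a fixed plan or `done_testing` (Test::More 0.88+, which perl 5.10.1 ships).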

Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-07 Thread Adam D. Barratt
On Fri, January 7, 2011 12:48, Niko Tyni wrote:
 Done, just uploaded perl/5.10.1-17 with the attached patch.

 Changes:
  perl (5.10.1-17) unstable; urgency=medium
  .
* [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
  fix CGI.pm MIME boundary and multiline header vulnerabilities.
  (Closes: #606995)

Unblocked; thanks.

Regards,

Adam







Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-07 Thread Moritz Muehlenhoff
On Fri, Jan 07, 2011 at 02:48:28PM +0200, Niko Tyni wrote:
 On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
  On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
  
   Assuming this is the case, I'm attaching preliminary patches for
   
   3.29 (perl-modules   / lenny)
   3.38 (libcgi-pm-perl / lenny)
   3.43 (perl-modules   / squeeze + sid)
   3.49 (libcgi-pm-perl / squeeze)
   3.50 (libcgi-pm-perl / sid)
 
  All this means I need another test session when I'm feeling less tired,
  so no perl upload tonight.
 
 Done, just uploaded perl/5.10.1-17 with the attached patch.
 
 Changes: 
  perl (5.10.1-17) unstable; urgency=medium
  .
* [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
  fix CGI.pm MIME boundary and multiline header vulnerabilities.
  (Closes: #606995)
 
 Release team: please consider
 
  unblock perl/5.10.1-17
 
 The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
 s/rearrange_header/rearrange/.
 
 Moritz: shall I upload a fixed lenny package to stable-security?
 FWIW, I'd prefer to wait the five days for squeeze migration before a
 DSA in case we get any regression reports.

Let's wait a bit, it's not urgent.

Cheers,
Moritz






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-06 Thread Niko Tyni
On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:

 Assuming this is the case, I'm attaching preliminary patches for
 
 3.29 (perl-modules   / lenny)
 3.38 (libcgi-pm-perl / lenny)
 3.43 (perl-modules   / squeeze + sid)
 3.49 (libcgi-pm-perl / squeeze)
 3.50 (libcgi-pm-perl / sid)
 
 They include relevant test suite additions from the github repository
 and a small test fix I sent to [rt.cpan.org #64261].

 Eyeballs and testing would be welcome. In particular, I'm not entirely
 sure about the //s modifier change in header() around CGI.pm:1500 in
 the pre-3.49 patches. The change was introduced upstream with 3.49 along
 with the header fixes but it's not covered by the test suite.

I believe this change has no effect: the earlier part of the code checks that
there are no newlines in the header string, so //s should make no difference.

I'll probably include it anyway.

However, my testing turned out another problem. This hunk from the pre-3.49
patches:

 +Note that if a header value contains a carriage return, a leading space will 
 be
 +added to each new line that doesn't already have one as specified by RFC2616
 +section 4.2.  For example:
 +
 +print header( -ingredients = ham\neggs\nbacon );
 +
 +will generate
 +
 +Ingredients: ham
 + eggs
 + bacon
 +

is only true for 3.49; it broke with 3.50 and further with 3.51 due
to the same security changes we're working on. I've reported this as

 http://rt.cpan.org/Public/Bug/Display.html?id=64554 

and will probably just drop the above doc change from the perl-modules patch.

Furthermore, the perl-modules patches need an additional change to the
top-level MANIFEST so that the tests actually get run.

All this means I need another test session when I'm feeling less tired,
so no perl upload tonight.
-- 
Niko Tyni   nt...@debian.org
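As an added example (my code, not CGI.pm's or the Debian patch's), the following Python model reproduces the two-step check the patch adds to header() and the shape of the new multipart boundary, and runs it over the inputs from t/headers.t plus the `ham\neggs\nbacon` case from the dropped POD hunk; it uses Python's `secrets` module where the patch uses Perl's `rand()`, and the names `check_header_value`, `render_header_block`, `random_boundary`, `classify` and `SAMPLES` are mine.

```python
"""Model of the CGI.pm 3.50/3.51 header() and multipart_init() fixes.

Added example, not CGI.pm's or Debian's code; the sample inputs below are
constructed to match the cases discussed in Debian bug #606370.
"""
from __future__ import annotations

import re
import secrets
import string

CRLF = "\r\n"
BOUNDARY_PREFIX = "--- =_"  # prefix CGI.pm's multipart_init() uses for its boundary


class HeaderInjectionError(ValueError):
    """A header value still contains CR or LF after RFC 822 unfolding."""


def check_header_value(value: str) -> str:
    """Mirror the validation loop the patch adds to header().

    Step 1 (RFC 822 unfolding): CRLF immediately followed by a whitespace
    character is replaced by that whitespace character alone.
    Step 2: any CR or LF that survives step 1 is invalid input; reject it.

    Only CRLF is unfolded, so a bare LF ("ham\\neggs") is never folded or
    given a leading space as the dropped POD text claimed: it is rejected.
    A doubled CRLF is handled too: the first CRLF plus the following CR are
    collapsed to a lone CR, the LF left behind fails step 2.
    """
    unfolded = re.sub(r"\r\n(\s)", r"\1", value)
    if re.search(r"[\r\n]", unfolded):
        shown = unfolded if len(unfolded) <= 72 else unfolded[:72] + "..."
        # repr() keeps the offending CR/LF visible and the log entry on one line
        raise HeaderInjectionError(
            f"Invalid header value contains a newline not followed by whitespace: {shown!r}"
        )
    return unfolded


def render_header_block(fields: list[tuple[str, str]]) -> str:
    """Validate every value, then emit a CGI header block ending in CRLF CRLF."""
    lines = [f"{name}: {check_header_value(value)}" for name, value in fields]
    return CRLF.join(lines) + CRLF + CRLF


def random_boundary(length: int = 17) -> str:
    """Unpredictable multipart boundary in the form CGI.pm 3.50 adopted:
    '--- =_' followed by 17 alphanumerics. The patch draws them from Perl's
    rand(); this model uses the secrets module (a CSPRNG) instead."""
    alphabet = string.digits + string.ascii_letters
    return BOUNDARY_PREFIX + "".join(secrets.choice(alphabet) for _ in range(length))


def classify(value: str) -> str:
    """'ok:<unfolded value>' when accepted, 'rejected' when header() would die."""
    try:
        return "ok:" + check_header_value(value)
    except HeaderInjectionError:
        return "rejected"


# Constructed sample inputs; the first three follow the cases in t/headers.t.
SAMPLES = {
    "plain":       "text/html",
    "crlf_inject": "text/html" + CRLF + "evil: stuff",         # CVE-2010-4410 shape
    "folded":      "text/html" + CRLF + " evil: stuff ",       # legal RFC 822 folding
    "double_crlf": "text/html" + CRLF + CRLF + "evil: stuff",  # CVE-2010-4411 shape
    "pod_example": "ham\neggs\nbacon",                         # the dropped POD claim
}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12} {classify(value)!r}")
    print(render_header_block([("Content-Type", "text/html")]).encode())
    print(random_boundary())
```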






Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-05 Thread Niko Tyni
On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
 On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
  On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
   On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
Moritz Muehlenhoff j...@debian.org writes:
 Three security issues have been reported in libcgi-pm-perl:

 http://security-tracker.debian.org/tracker/CVE-2010-2761 
 http://security-tracker.debian.org/tracker/CVE-2010-4410
 http://security-tracker.debian.org/tracker/CVE-2010-4411
  
I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
fix for CVE-2010-2761 was not complete, but it is not a different, new
issue?
 
   
  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
  
  Mark, is this double newline injection fix the new patch referred above? 

I think this is confirmed by
 http://www.openwall.com/lists/oss-security/2011/01/04/9 

which also contains a link to the corresponding CGI-Simple fix at
 
http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da

There's going to be a new upstream release of CGI.pm soon.

I hope I can make the time for perl 5.10.1-17 to unstable with just the
CGI.pm fixes and urgency=high in the next few days.  (If somebody else
wants to do it, I'm ecstatic.)
-- 
Niko Tyni   nt...@debian.org






Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-04 Thread gregor herrmann
On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:

 On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
  On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
   Assuming this is the case, I'm attaching preliminary patches for
  Thanks!
 Could you upload the fixes targeted at squeeze to tpu?

I'm happy to take care of libcgi-pm-perl.

If the release team agrees (cc'ed) that could be
- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable

(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)


I'd rather leave perl-modules to Niko.


Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:

http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes

1.113   2010-12-27
  - (thanks to Yamada Masahiro) randomise multipart boundary string
(security).
...
Security: Fix handling of embedded malicious newlines in header
  values This is a direct port of the same security fix that

Security: use a random MIME boundary by default in
  multipart_init(). This is a direct port of the same issue
  which was addressed in CGI.pm, preventing some kinds of
  potential header injection attacks.

Port from CGI.pm: Fix multi-line header parsing.
  This fix is covered by the tests in t/header.t added in
  the previous patch. If you run those tests without this
  patch, you'll see how the headers would be malformed
  without this fix.

Port CRLF injection prevention from CGI.pm

I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-NP: Beatles: Helter Skelter




Bug#606370: Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-04 Thread Julien Cristau
On Tue, Jan  4, 2011 at 19:45:56 +0100, gregor herrmann wrote:

 On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
 
  On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
   On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
Assuming this is the case, I'm attaching preliminary patches for
   Thanks!
  Could you upload the fixes targeted at squeeze to tpu?
 
 I'm happy to take care of libcgi-pm-perl.
 
 If the release team agrees (cc'ed) that could be

debian-rele...@lists works better than debian-rele...@bugs.  Fixed.

 - 3.38-2lenny2 / stable-proposed-updates
 - 3.49-1squeeze1 / testing-proposed-updates
 - 3.50-2 / unstable
 
 (Alternative: just upload 3.50-2 to unstable and let it migrate to
 testing.)
 
 
 I'd rather leave perl-modules to Niko.
 
 
 Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
 Damyan in our repo (plus tons of unrelated changes that have
 accumulated since the last upload :/) but (b) also a new upstream
 release:
 
 http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
 
 1.113   2010-12-27
   - (thanks to Yamada Masahiro) randomise multipart boundary string
 (security).
 ...
 Security: Fix handling of embedded malicious newlines in header
   values This is a direct port of the same security fix that
 
 Security: use a random MIME boundary by default in
   multipart_init(). This is a direct port of the same issue
   which was addressed in CGI.pm, preventing some kinds of
   potential header injection attacks.
 
 Port from CGI.pm: Fix multi-line header parsing.
   This fix is covered by the tests in t/header.t added in
   the previous patch. If you run those tests without this
   patch, you'll see how the headers would be malformed
   without this fix.
 
 Port CRLF injection prevention from CGI.pm
 
 I'm not sure what the best way to proceed is here; maybe Damyan has
 more ideas since he's already worked on that package?
 
 
Cheers,
Julien




Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-03 Thread Moritz Muehlenhoff
On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
 tag 606370 + patch
 tag 606995 + patch
 thanks
 
 On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
 
  http://security-tracker.debian.org/tracker/CVE-2010-2761 
  http://security-tracker.debian.org/tracker/CVE-2010-4410
  http://security-tracker.debian.org/tracker/CVE-2010-4411
 I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that 
 the
 fix for CVE-2010-2761 was not complete, but it is not a different, new
 issue?

   https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
 
 Thanks for digging this out; I was looking a few times and never
 understood CVE-2010-4411 ...
 
  Assuming this is the case, I'm attaching preliminary patches for
 
 Thanks!
  
  I haven't looked at libcgi-simple-perl at all.
 
 I think Damyan has started to look at it.

Could you upload the fixes targeted at squeeze to tpu?

Cheers,
Moritz






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-27 Thread Niko Tyni
On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
 On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
  Moritz Muehlenhoff j...@debian.org writes:
   Three security issues have been reported in libcgi-pm-perl:
  
   http://security-tracker.debian.org/tracker/CVE-2010-2761 
   http://security-tracker.debian.org/tracker/CVE-2010-4410
   http://security-tracker.debian.org/tracker/CVE-2010-4411

  I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
  fix for CVE-2010-2761 was not complete, but it is not a different, new
  issue?
  
  We should probably wait until the issue is really fixed:
  
  |  2. Further improvements to handling of newlines embedded in header
  |  values.
  [...]
  | Yes, it is. However, later testing found that the issue wasn't
  | completely fixed in 3.50. A new patch has been developed, and is
  | currently pending review and acceptance by the primary CGI.pm author,
  | Lincoln Stein. (Now CC'ed).
-- http://openwall.com/lists/oss-security/2010/12/01/3
 
 [ I'm adding Lincoln to CC. ]
 
 Lincoln,
 we're trying to fix CVE-2010-4411 for the upcoming Debian release.
 
 Is a final patch already available?

I see Mark Stosberg (CC'd as well) recently pushed this into the
CGI.pm github repository:

 
https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Mark, is this double newline injection fix the new patch referred above? 

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-27 Thread Niko Tyni
On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
 On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
  On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
   Moritz Muehlenhoff j...@debian.org writes:
Three security issues have been reported in libcgi-pm-perl:
   
http://security-tracker.debian.org/tracker/CVE-2010-2761 
http://security-tracker.debian.org/tracker/CVE-2010-4410
http://security-tracker.debian.org/tracker/CVE-2010-4411
 
   I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
   fix for CVE-2010-2761 was not complete, but it is not a different, new
   issue?

  
 https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
 
 Mark, is this double newline injection fix the new patch referred above? 

Assuming this is the case, I'm attaching preliminary patches for

3.29 (perl-modules   / lenny)
3.38 (libcgi-pm-perl / lenny)
3.43 (perl-modules   / squeeze + sid)
3.49 (libcgi-pm-perl / squeeze)
3.50 (libcgi-pm-perl / sid)

They include relevant test suite additions from the github repository
and a small test fix I sent to [rt.cpan.org #64261].

Eyeballs and testing would be welcome. In particular, I'm not entirely
sure about the //s modifier change in header() around CGI.pm:1500 in
the pre-3.49 patches. The change was introduced upstream with 3.49 along
with the header fixes but it's not covered by the test suite.

I haven't looked at libcgi-simple-perl at all.
-- 
Niko Tyni   nt...@debian.org
diff --git a/lib/CGI.pm b/lib/CGI.pm
index 1bc74a3..191fb54 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -1379,7 +1379,14 @@ END_OF_FUNC
 sub multipart_init {
 my($self,@p) = self_or_default(@_);
 my($boundary,@other) = rearrange([BOUNDARY],@p);
-$boundary = $boundary || '--- =_aa0';
+if (!$boundary) {
+$boundary = '--- =_';
+my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+for (1..17) {
+$boundary .= $chrs[rand(scalar @chrs)];
+}
+}
+
 $self-{'separator'} = $CRLF--$boundary$CRLF;
 $self-{'final_separator'} = $CRLF--$boundary--$CRLF;
 $type = SERVER_PUSH($boundary);
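Review bot: the caller-supplied path is still unchecked. When `$boundary` arrives through `rearrange([BOUNDARY],@p)` it is interpolated directly into `separator` and `final_separator` (`$CRLF--$boundary$CRLF`) without the CR/LF validation that the header() hunk applies to its values, so a boundary containing a newline would break the multipart framing; suggest running a supplied boundary through the same newline check, or at least documenting that it must be a plain token. On the default path, `rand()` is Perl's general-purpose PRNG rather than a cryptographic one; 17 characters from a 62-character alphabet is adequate for making the default boundary unpredictable in practice, but a short comment stating that this replaces the fixed `'--- =_aa0'` boundary (the CVE-2010-2761 fix) would help future readers.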
@@ -1464,6 +1471,23 @@ sub header {
 'EXPIRES','NPH','CHARSET',
 'ATTACHMENT','P3P'],@p);
 
+# CR escaping for values, per RFC 822
+for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+if (defined $header) {
+# From RFC 822:
+# Unfolding  is  accomplished  by regarding   CRLF   immediately
+# followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+$header =~ s/$CRLF(\s)/$1/g;
+
+# All other uses of newlines are invalid input. 
+if ($header =~ m/$CRLF|\015|\012/) {
+# shorten very long values in the diagnostic
+$header = substr($header,0,72).'...' if (length $header  72);
+die Invalid header value contains a newline not followed by whitespace: $header;
+}
+} 
+   }
+
 $nph ||= $NPH;
 
 $type ||= 'text/html' unless defined($type);
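Review bot: the unfolding regex `s/$CRLF(\s)/$1/g` uses `\s`, which also matches CR and LF, so CRLF CRLF is unfolded to a single CRLF and CRLF LF to a bare LF; the following `m/$CRLF|\015|\012/` check then rejects what is left, so the end result is safe, but the transformation does not implement the RFC 822 text quoted in the comment (an LWSP-char is SPACE or HTAB only). Suggest `s/$CRLF([ \t])/$1/g`, which also avoids the perl bug 21951 that the comment in the next hunk warns about for `\s`. The comment `# CR escaping for values, per RFC 822` should say unfolding and rejection, since nothing is escaped here.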
@@ -1479,7 +1503,7 @@ sub header {
 # need to fix it up a little.
 foreach (@other) {
 # Don't use \s because of perl bug 21951
-next unless my($header,$value) = /([^ \r\n\t=]+)=\?(.+?)\?$/;
+next unless my($header,$value) = /([^ \r\n\t=]+)=\?(.+?)\?$/s;
 ($_ = $header) =~ s/^(\w)(.*)/\u$1\L$2 . ': '.$self-unescapeHTML($value)/e;
 }
 
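Review bot: the `/s` modifier added to `/([^ \r\n\t=]+)=\?(.+?)\?$/` only changes whether `.` matches a newline, and by the time this loop runs every element of `@other` has already passed the check in the previous hunk that dies on any remaining CR or LF; the modifier therefore cannot change behaviour here, which matches the observation in the mail that it is not covered by the test suite. Either drop it from the backport to keep the diff minimal, or add a one-line comment saying it was carried over from 3.49 for consistency.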
@@ -5052,6 +5076,18 @@ In either case, the outgoing header will be formatted as:
 
   P3P: policyref=/w3c/p3p.xml cp=CAO DSP LAW CURa
 
+Note that if a header value contains a carriage return, a leading space will be
+added to each new line that doesn't already have one as specified by RFC2616
+section 4.2.  For example:
+
+print header( -ingredients = ham\neggs\nbacon );
+
+will generate
+
+Ingredients: ham
+ eggs
+ bacon
+
 =head2 GENERATING A REDIRECTION HEADER
 
print redirect('http://somewhere.else/in/movie/land');
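Review bot: the added documentation contradicts the code in the header() hunk above. It says a leading space will be added to each new line that doesn't already have one, but the code never inserts a space; it unfolds CRLF followed by whitespace and dies on any other newline, so `header( -ingredients = ham\neggs\nbacon )` would die with "Invalid header value contains a newline not followed by whitespace" instead of producing the folded `Ingredients:` header shown. Note also that `\n` is a bare LF, not the CRLF the unfolding regex looks for. Suggest dropping this paragraph (as the later 3.38-2lenny3 upload does) or rewriting it to state that values containing a newline not followed by SPACE or HTAB are rejected.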
diff --git a/lib/CGI/t/headers.t b/lib/CGI/t/headers.t
new file mode 100644
index 000..661b74b
--- /dev/null
+++ b/lib/CGI/t/headers.t
@@ -0,0 +1,47 @@
+
+# Test that header generation is spec compliant.
+# References:
+#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
+#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI;
+
+my $cgi = CGI-new;
+
+like $cgi-header( -type = text/html ),
+qr#Type: text/html#, 'known header, basic case: type = text/html';
+
+eval { $cgi-header( -type = text/html.$CGI::CRLF.evil: stuff ) };
+like($@,qr/contains a newline/,'invalid header blows up');
+
+like $cgi-header( -type = text/html.$CGI::CRLF. evil: stuff  ),
+qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
+eval { 
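Review bot: the visible cases cover CRLF followed by a header name and CRLF followed by whitespace, but not the variants the header() code explicitly handles: a bare LF (`\012`), a bare CR (`\015`), and a CRLF CRLF sequence, nor a value passed through `@other` (an unknown header such as `-foo`), which goes through the same validation loop. Suggest one `eval { ... }` / `like($@, qr/contains a newline/)` case for each. Minor: the first assertion matches only `qr#Type: text/html#`; matching the full `Content-Type: text/html` as the third test does would make the intent clearer.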

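As an added example, not code from CGI.pm or from the patches attached above: a standalone validator in the same shape as the header() check, with the unfolding class narrowed to SPACE and HTAB and run over a few constructed values, including the double newline case the thread discusses. The function name and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Standalone header-value validator (added example, not CGI.pm code):
# unfold "CRLF + LWSP-char" per RFC 822 section 3.1.1, then refuse any
# remaining CR or LF so a value can never start a new header line.
use strict;
use warnings;

my $CRLF = "\015\012";

# Returns the unfolded value, or dies with a diagnostic.
sub validate_header_value {
    my ($value) = @_;
    return $value unless defined $value;

    # Only SPACE and HTAB are LWSP-chars. Using \s here would let
    # CRLF CRLF collapse into a single CRLF, so the class is explicit.
    $value =~ s/$CRLF([ \t])/$1/g;

    if ($value =~ /\015|\012/) {
        my $shown = length($value) > 72 ? substr($value, 0, 72) . '...' : $value;
        die "Invalid header value contains a newline not followed by whitespace: $shown\n";
    }
    return $value;
}

# Constructed inputs: [value, expected to be accepted?, label].
my @cases = (
    ["text/html",                          1, 'plain value'],
    ["text/html$CRLF continued",           1, 'folded continuation line'],
    ["text/html${CRLF}X-Injected: 1",      0, 'CRLF followed by a header name'],
    ["text/html\012X-Injected: 1",         0, 'bare LF'],
    ["text/html\015X-Injected: 1",         0, 'bare CR'],
    ["text/html$CRLF${CRLF}X-Injected: 1", 0, 'double CRLF'],
);

for my $case (@cases) {
    my ($input, $expect_ok, $label) = @$case;
    my $ok = eval { validate_header_value($input); 1 } ? 1 : 0;
    printf "%-4s %s\n", ($ok == $expect_ok ? 'ok' : 'FAIL'), $label;
}
```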
Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-27 Thread gregor herrmann
tag 606370 + patch
tag 606995 + patch
thanks

On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:

 http://security-tracker.debian.org/tracker/CVE-2010-2761 
 http://security-tracker.debian.org/tracker/CVE-2010-4410
 http://security-tracker.debian.org/tracker/CVE-2010-4411
I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
fix for CVE-2010-2761 was not complete, but it is not a different, new
issue?
   
  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Thanks for digging this out; I was looking a few times and never
understood CVE-2010-4411 ...

 Assuming this is the case, I'm attaching preliminary patches for

Thanks!
 
 I haven't looked at libcgi-simple-perl at all.

I think Damyan has started to look at it.


Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT  SPI, fellow of Free Software Foundation Europe
   `-NP: Beatles




Processed: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tag 606370 + patch
Bug #606370 [libcgi-pm-perl] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Added tag(s) patch.
 tag 606995 + patch
Bug #606995 [perl-modules] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
606995: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606995
606370: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-09 Thread Niko Tyni
On Wed, Dec 08, 2010 at 07:47:18PM +0100, Moritz Muehlenhoff wrote:
 Package: libcgi-pm-perl
 Version: 3.49-1
 Severity: grave
 Tags: security
 
 Three security issues have been reported in libcgi-pm-perl:
 
 http://security-tracker.debian.org/tracker/CVE-2010-2761 
 http://security-tracker.debian.org/tracker/CVE-2010-4410
 http://security-tracker.debian.org/tracker/CVE-2010-4411
 
 The first two issues are fixed in 3.50 (already in sid), but
 the second is still pending a final fix (see the referenced
 link). Please get in touch with the release team to check,
 whether migrating 3.50 plus the fix for CVE-2010-4411 or
 uploading a tpu fix with 3.49 plus the security fixes is the
 best way to resolve this.

Please note that CGI.pm is also in perl-modules. I'm unfortunately busy
ATM, and I'd very much appreciate a clone of this bug with proposed
patches. NMUs are also fine by me.

% corelist -a CGI | fgrep v5.10
  v5.10.0    3.29
  v5.10.1    3.43

-- 
Niko Tyni   nt...@debian.org






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread Moritz Muehlenhoff
Package: libcgi-pm-perl
Version: 3.49-1
Severity: grave
Tags: security

Three security issues have been reported in libcgi-pm-perl:

http://security-tracker.debian.org/tracker/CVE-2010-2761 
http://security-tracker.debian.org/tracker/CVE-2010-4410
http://security-tracker.debian.org/tracker/CVE-2010-4411

The first two issues are fixed in 3.50 (already in sid), but
the second is still pending a final fix (see the referenced
link). Please get in touch with the release team to check,
whether migrating 3.50 plus the fix for CVE-2010-4411 or
uploading a tpu fix with 3.49 plus the security fixes is the
best way to resolve this.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread gregor herrmann
clone 606370 -1 
reassign -1 libcgi-simple-perl
thanks

On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:

 Three security issues have been reported in libcgi-pm-perl:
 
 http://security-tracker.debian.org/tracker/CVE-2010-2761 
 http://security-tracker.debian.org/tracker/CVE-2010-4410
 http://security-tracker.debian.org/tracker/CVE-2010-4411
 
 The first two issues are fixed in 3.50 (already in sid), but
 the second is still pending a final fix (see the referenced
 link). 

http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ...

CGI::Simple is in libcgi-simple-perl, cloning/reassigning.


Hm, and I'm a bit confused by "first two issues are fixed" and "the
second". Let's look if I got it right:

CVE-2010-2761:
The multipart_init function in (1) CGI.pm before 3.50 and (2)
Simple.pm in CGI::Simple 1.112 and earlier
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4410:
CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4411:
Unspecified vulnerability in CGI.pm 3.50 and earlier
-> libcgi-pm-perl


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT  SPI, fellow of Free Software Foundation Europe
   `-NP: Donovan: Jennifer Juniper




Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread Ansgar Burchardt
clone 606370 -1
found 606370 3.38-2lenny1
reassign -1 libcgi-simple-perl 1.105-1
thanks

Moritz Muehlenhoff j...@debian.org writes:
 Three security issues have been reported in libcgi-pm-perl:

 http://security-tracker.debian.org/tracker/CVE-2010-2761 
 http://security-tracker.debian.org/tracker/CVE-2010-4410
 http://security-tracker.debian.org/tracker/CVE-2010-4411

 The first two issues are fixed in 3.50 (already in sid), but
 the second is still pending a final fix (see the referenced
 link). Please get in touch with the release team to check,
 whether migrating 3.50 plus the fix for CVE-2010-4411 or
 uploading a tpu fix with 3.49 plus the security fixes is the
 best way to resolve this.

In addition to Lenny's version of libcgi-pm-perl, the same issues also
affect libcgi-simple-perl, including the version currently in unstable
(1.111-1).

I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
fix for CVE-2010-2761 was not complete, but it is not a different, new
issue?

We should probably wait until the issue is really fixed:

|  2. Further improvements to handling of newlines embedded in header
|  values.
[...]
| Yes, it is. However, later testing found that the issue wasn't
| completely fixed in 3.50. A new patch has been developed, and is
| currently pending review and acceptance by the primary CGI.pm author,
| Lincoln Stein. (Now CC'ed).
  -- http://openwall.com/lists/oss-security/2010/12/01/3

Regards,
Ansgar






Processed: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 clone 606370 -1
Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Bug 606370 cloned as bug 606379.

 found 606370 3.38-2lenny1
Bug #606370 [libcgi-pm-perl] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Bug Marked as found in versions libcgi-pm-perl/3.38-2lenny1.
 reassign -1 libcgi-simple-perl 1.105-1
Bug #606379 [libcgi-pm-perl] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Bug reassigned from package 'libcgi-pm-perl' to 'libcgi-simple-perl'.
Bug No longer marked as found in versions libcgi-pm-perl/3.49-1.
Bug #606379 [libcgi-simple-perl] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Bug Marked as found in versions libcgi-simple-perl/1.105-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
606379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606379
606370: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370
-1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=-1
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread Moritz Muehlenhoff
On Wed, Dec 08, 2010 at 08:23:56PM +0100, gregor herrmann wrote:
 clone 606370 -1 
 reassign -1 libcgi-simple-perl
 thanks
 
 On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:
 
  Three security issues have been reported in libcgi-pm-perl:
  
  http://security-tracker.debian.org/tracker/CVE-2010-2761 
  http://security-tracker.debian.org/tracker/CVE-2010-4410
  http://security-tracker.debian.org/tracker/CVE-2010-4411
  
  The first two issues are fixed in 3.50 (already in sid), but
  the second is still pending a final fix (see the referenced
  link). 
 
 http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
 CRLF injection vulnerability in the header function in (1) CGI.pm
 before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ...
 
 CGI::Simple is in libcgi-simple-perl, cloning/reassigning.
 
 
 Hm, and I'm a bit confused by "first two issues are fixed" and "the
 second". Let's look if I got it right:
 
 CVE-2010-2761:
 The multipart_init function in (1) CGI.pm before 3.50 and (2)
 Simple.pm in CGI::Simple 1.112 and earlier
 -> libcgi-simple-perl
 -> libcgi-pm-perl in squeeze and older
 
 CVE-2010-4410:
 CRLF injection vulnerability in the header function in (1) CGI.pm
 before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier
 -> libcgi-simple-perl
 -> libcgi-pm-perl in squeeze and older
 
 CVE-2010-4411:
 Unspecified vulnerability in CGI.pm 3.50 and earlier
 -> libcgi-pm-perl

Ack. Sorry for the confusion, I meant third instead of second.

Cheers,
Moritz






Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-08 Thread Moritz Muehlenhoff
On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
 clone 606370 -1
 found 606370 3.38-2lenny1
 reassign -1 libcgi-simple-perl 1.105-1
 thanks
 
 Moritz Muehlenhoff j...@debian.org writes:
  Three security issues have been reported in libcgi-pm-perl:
 
  http://security-tracker.debian.org/tracker/CVE-2010-2761 
  http://security-tracker.debian.org/tracker/CVE-2010-4410
  http://security-tracker.debian.org/tracker/CVE-2010-4411
 
  The first two issues are fixed in 3.50 (already in sid), but
  the second is still pending a final fix (see the referenced
  link). Please get in touch with the release team to check,
  whether migrating 3.50 plus the fix for CVE-2010-4411 or
  uploading a tpu fix with 3.49 plus the security fixes is the
  best way to resolve this.
 
 In addition to Lenny's version of libcgi-pm-perl, the same issues also
 affect libcgi-simple-perl, including the version currently in unstable
 (1.111-1).
 
 I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
 fix for CVE-2010-2761 was not complete, but it is not a different, new
 issue?
 
 We should probably wait until the issue is really fixed:
 
 |  2. Further improvements to handling of newlines embedded in header
 |  values.
 [...]
 | Yes, it is. However, later testing found that the issue wasn't
 | completely fixed in 3.50. A new patch has been developed, and is
 | currently pending review and acceptance by the primary CGI.pm author,
 | Lincoln Stein. (Now CC'ed).
   -- http://openwall.com/lists/oss-security/2010/12/01/3

[ I'm adding Lincoln to CC. ]

Lincoln,
we're trying to fix CVE-2010-4411 for the upcoming Debian release.

Is a final patch already available?

Cheers,
Moritz




