Bug#739505: libcgi-application-perl: CVE-2013-7329: information disclosure flaw

2014-04-02 Thread Emmanuel Seyman

Hi, I'm CGI-Application's maintainer in Fedora.

> I agree that the behavior when a runmode is not defined is surprising and
> a bug, but I think treating it as a full-blown security vulnerability in
> CGI::Application (as opposed to the calling application) may be overkill.
> That said, it looks like Fedora did treat it as a security update.

Yup. I decided to err on the side of caution. Like you, I tend to think
this is overkill but you never know what an application's ENV contains
and I can see CGI-Application's behaviour coming as a surprise.

> The patch in the Github pull request does look correct (although it's an
> irritating patch from a security perspective since it includes apparently
> arbitrary code reformatting).

Indeed. I took the liberty of taking only the parts of the patch that were
important and leaving the code reformatting pieces behind. As a result, the
patch Fedora ships is less intrusive than the one submitted upstream.

You can get a copy of the patch by running the command:
git clone git://pkgs.fedoraproject.org/perl-CGI-Application

Emmanuel


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#739505: libcgi-application-perl: CVE-2013-7329: information disclosure flaw

2014-03-30 Thread Russ Allbery
> An API change introduced in 2008 already (commit 61d327646f01fe) may
> cause unexpected and unwanted data dumps of a complete set of web query
> data and environment to the public. Developers of web apps written
> before the change are probably unaware of the problem since the general
> behaviour does change only in the case of a software error.

For those who haven't looked at it in detail, the bug here is that
CGI::Application will dump the script environment to the web client if the
Perl application that uses it doesn't define a start runmode.  However,
not defining a start runmode is an erroneous use of the library and a bug
in the calling application, and all the examples in the documentation do
set a start runmode.

I agree that the behavior when a runmode is not defined is surprising and
a bug, but I think treating it as a full-blown security vulnerability in
CGI::Application (as opposed to the calling application) may be overkill.
That said, it looks like Fedora did treat it as a security update.

The patch in the Github pull request does look correct (although it's an
irritating patch from a security perspective since it includes apparently
arbitrary code reformatting).

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/
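To make the failure mode concrete for readers who have not looked at the library: the example below is added here and is not code from this thread, from the Debian or Fedora packages, or from CGI::Application itself. It assumes the historical default run-mode table of CGI::Application, in which the start run mode `start` is mapped to the built-in `dump_html()` method, so a subclass that never declares its own run modes inherits that dump as its only page. The second subclass shows the explicit `setup()` that every documented example carries, plus an `AUTOLOAD` run mode and an `error_mode` handler so that neither an unknown run mode nor an exception falls back to dumping the query and `%ENV` to the client.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2013-7329; not the thread's or the module's own code.
# Assumption: the pre-fix CGI::Application default table is { start => 'dump_html' }.
use strict;
use warnings;

# --- Before: a subclass that never declares a start run mode ---------------
# With the inherited default table, a plain request to this app (or any request
# routed back to 'start') renders the CGI query and the full %ENV to the client.
package LeakyApp;
use parent 'CGI::Application';
# no setup(): the library defaults decide what 'start' does

# --- After: a subclass that declares its run modes explicitly --------------
package SafeApp;
use parent 'CGI::Application';

sub setup {
    my $self = shift;
    $self->start_mode('home');   # never rely on the library default
    $self->mode_param('rm');     # query parameter that selects the run mode
    $self->run_modes(
        home    => 'show_home',
        # a run mode the table does not know is routed here, not to 'start'
        AUTOLOAD => 'not_found',
    );
    # an exception raised inside a run mode is handed to this method
    $self->error_mode('handle_error');
}

sub show_home {
    my $self = shift;
    return "<html><body>hello</body></html>";
}

# AUTOLOAD run modes receive the run mode name that was requested
sub not_found {
    my ($self, $requested) = @_;
    $self->header_props(-status => '404 Not Found');
    return "<html><body>unknown run mode</body></html>";
}

# error_mode handlers receive the exception; keep detail on the server side
sub handle_error {
    my ($self, $err) = @_;
    warn "run mode failed: $err";
    $self->header_props(-status => '500 Internal Server Error');
    return "<html><body>internal error</body></html>";
}

package main;
SafeApp->new->run;
```

Run it as a CGI script (or under `CGI::Application::Dispatch`) and request it with `rm=home`, with an unknown `rm`, and with no `rm` at all: each path returns a page the application authored, and nothing ever reaches `dump_html()`. The `LeakyApp` class is kept only to show how little it takes to inherit the dumping behaviour; it is the shape of application the reporter's quoted paragraph is describing.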
