Bug#606370: Bug#606379, #606370: [libcgi-simple-perl] CVE-2010-2761 CVE-2010-4410

Damyan Ivanov dmn at debian.org
Wed Jan 5 05:57:01 UTC 2011


-=| gregor herrmann, Tue, Jan 04, 2011 at 07:45:56PM +0100 |=-
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
> 
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
> 
> 1.113   2010-12-27
>       - (thanks to Yamada Masahiro) randomise multipart boundary string
>         (security).
> ...
>         Security: Fix handling of embedded malicious newlines in header
>           values This is a direct port of the same security fix that
> 
>         Security: use a random MIME boundary by default in
>           multipart_init(). This is a direct port of the same issue
>           which was addressed in CGI.pm, preventing some kinds of
>           potential header injection attacks.
> 
>         Port from CGI.pm: Fix multi-line header parsing.
>           This fix is covered by the tests in t/header.t added in
>           the previous patch. If you run those tests without this
>           patch, you'll see how the headers would be malformed
>           without this fix.
> 
>         Port CRLF injection prevention from CGI.pm
> 
> I'm not sure what the best way to proceed is here; maybe Damyan has
> more ideas since he's already worked on that package?

The upstream fix mirrors the fixes to CGI.pm, almost completely. The 
"newline in headers" check misses a later change in CGI.pm which still 
has to be applied as a patch.
(CGI::Simple is a classic example of why code duplication is bad).

Since the versions of libcgi-simple-perl in testing and unstable are 
the same, I propose the following:

 1. For getting fixes to squeeze:
   a. Branch from 1.111-1 (sid/squeeze), pick relevant changes from 
      the new upstream release (plus the additional headers check) and 
      upload 1.111-2 to unstable (high priority).
   b. alternatively, it is easier for us to upload the new upstream 
      release (plus the additional headers check patch), but that 
      would contain irrelevant changes that I think won't be wanted at 
      this release stage.
 2. For stable:
   a. Pick the relevant patches for lenny version and upload 1.105-2 
      to stable-proposed-updates

Unless advised otherwise, I'll proceed with 1.a. and 2.a. Note that 
lately I am better at drawing plans than at implementing them, so help 
is greatly appreciated.
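The two issues discussed in this thread, a header value that is not checked for embedded newlines and a hardcoded multipart boundary, are both header-injection problems. The following is an added illustration of the kind of check the thread refers to; it is not the code of CGI.pm or CGI::Simple, and the subroutine names (sanitize_header_value, build_header, random_boundary) and the sample inputs are my own. It unfolds a CRLF that is immediately followed by linear whitespace (a legitimate folded header, per RFC 822) and rejects any other CR or LF, so a value such as "text/html\r\nSet-Cookie: ..." can no longer terminate one header and start another:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers modelled on the "newline in header values" check
# and the random MIME boundary described in the thread. Not the code of
# CGI.pm or CGI::Simple.
my $CRLF = "\015\012";

sub sanitize_header_value {
    my ($value) = @_;
    return undef unless defined $value;

    # RFC 822 unfolding: a line break immediately followed by a space or
    # tab is a continuation of the same header value, so keep the LWSP
    # and drop the break.
    $value =~ s/(?:$CRLF|\015|\012)([ \t])/$1/g;

    # Any CR or LF that survives is not a fold. Refuse it instead of
    # letting it end the header line and inject further headers or a
    # blank line followed by a body.
    if ($value =~ /\015|\012/) {
        die "Invalid header value contains a newline not followed by whitespace\n";
    }
    return $value;
}

# Build a complete header block from a hash of field names and values.
sub build_header {
    my (%fields) = @_;
    my @lines;
    for my $name (sort keys %fields) {
        my $v = sanitize_header_value($fields{$name});
        push @lines, "$name: $v";
    }
    return join($CRLF, @lines) . $CRLF . $CRLF;
}

# A per-process random boundary instead of a fixed, guessable string.
# An attacker who knows the boundary can close a part early and supply
# headers for the next one; a random boundary removes that foothold.
sub random_boundary {
    my @chars = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');
    return '------------' . join('', map { $chars[ rand @chars ] } 1 .. 24);
}

# Constructed sample inputs for demonstration.
my $folded = "multipart/x-mixed-replace;${CRLF} boundary=" . random_boundary();
print build_header('Content-Type' => $folded);

my $attack = "text/html${CRLF}Set-Cookie: session=evil${CRLF}${CRLF}<script>";
eval { build_header('Content-Type' => $attack) };
print "rejected: $@" if $@;
```

Running the script prints the folded Content-Type header as a single logical line, then "rejected: Invalid header value contains a newline not followed by whitespace" for the injection attempt. The strictness is deliberate: the safe default is to die on any unexpected line break rather than to silently strip it, since stripping can still leave a caller believing its header was emitted as written.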