Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Niko Tyni ntyni at debian.org
Thu Jan 6 20:37:11 UTC 2011

On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:

> Assuming this is the case, I'm attaching preliminary patches for
> 3.29 (perl-modules   / lenny)
> 3.38 (libcgi-pm-perl / lenny)
> 3.43 (perl-modules   / squeeze + sid)
> 3.49 (libcgi-pm-perl / squeeze)
> 3.50 (libcgi-pm-perl / sid)
> They include relevant test suite additions from the github repository
> and a small test fix I sent to [rt.cpan.org #64261].

> Eyeballs and testing would be welcome. In particular, I'm not entirely
> sure about the //s modifier change in header() around CGI.pm:1500 in
> the pre-3.49 patches. The change was introduced upstream with 3.49 along
> with the header fixes but it's not covered by the test suite.

I believe this change has no effect: the earlier part of the code checks that
there are no newlines in the header string, so //s should make no difference.

I'll probably include it anyway.

However, my testing turned out another problem. This hunk from the pre-3.49

> +Note that if a header value contains a carriage return, a leading space will be
> +added to each new line that doesn't already have one as specified by RFC2616
> +section 4.2.  For example:
> +
> +    print header( -ingredients => "ham\neggs\nbacon" );
> +
> +will generate
> +
> +    Ingredients: ham
> +     eggs
> +     bacon
> +

is only true for 3.49; it broke with 3.50 and further with 3.51 due
to the same security changes we're working on. I've reported this as


and will probably just drop the above doc change from the perl-modules patch.

Furthermore, the perl-modules patches need an additional change to the
top-level MANIFEST so that the tests actually get run.

All this means I need another test session when I'm feeling less tired,
so no perl upload tonight.
Niko Tyni   ntyni at debian.org

More information about the pkg-perl-maintainers mailing list