Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Chris Boot crb at tiger-computing.co.uk
Tue Jan 12 12:28:42 UTC 2016


Package: libcgi-session-perl
Version: 4.48-1
Severity: important
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346

Dear Maintainer,

With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
installation of TWiki (http://twiki.org/) no longer functions. This
happens due to CGI::Session::Driver::file complaining about taint.

The bug was reported in the CPAN RT in 2012:
https://rt.cpan.org/Public/Bug/Display.html?id=80346

The test case included in the bug trivially reproduces the issue.

I independently came up with the following patch to temporarily hack
around the problem for our installation:

--- /usr/share/perl5/CGI/Session/Driver/file.pm.orig	2016-01-12 11:47:36.333006417 +0000
+++ /usr/share/perl5/CGI/Session/Driver/file.pm	2016-01-12 11:48:52.933062394 +0000
@@ -52,7 +52,9 @@
         return $self->set_error( "_file(): Session ids cannot contain \\ or / chars: $sid" );
     }
 
-    return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid ));
+    my $file = File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid ));
+    my $file_ = $file =~ m/(.*)/i; # hack to remove taint
+    return $file_;
 }
 
 sub retrieve {
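Review bot: `my $file_ = $file =~ m/(.*)/i;` evaluates the match in scalar context, so `$file_` receives the match's truth value (1) rather than the captured path, and `_file()` returns `1` to its callers; the list-context form `my ($file_) = $file =~ m/(.*)/;` (or `($file) = $file =~ /^(.*)\z/s;`) is what assigns the capture. Beyond that, laundering the entire assembled path with `(.*)` discards everything taint mode is there to catch: the check just above already rejects `\` and `/` in `$sid`, so untainting `$sid` against the character set a session id may actually contain, before the `catfile` call, keeps the check meaningful and leaves the directory component untouched. The `/i` flag is a no-op on this pattern and can be dropped.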


Regards,
Chris

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcgi-session-perl depends on:
ii  perl  5.20.2-3+deb8u2

Versions of packages libcgi-session-perl recommends:
ii  libdbi-perl  1.631-3+b1

libcgi-session-perl suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/perl5/CGI/Session/Driver/file.pm (from libcgi-session-perl package)

-- 
Chris Boot

Tiger Computing Ltd
IS27001:2013 Certified

Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR
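As an added illustration (not code from the bug report, from TWiki or from CGI::Session itself), the following Perl shows why the scalar-context untaint in the patch does not yield the path, and how a driver could instead validate and untaint the session id before building the file name. The function names `untaint_scalar_context` and `session_file`, the `$dir` parameter and the allowed character set for `$sid` are assumptions for this example; the `cgisess_%s` format string mirrors the driver's default file name pattern and is likewise an assumption here.

```perl
# Added example: untainting a session file path under `perl -T`.
# Not part of CGI::Session; names below are hypothetical.
use strict;
use warnings;
use File::Spec;

# Same shape as the driver's file-name template (assumed here).
my $FileName = 'cgisess_%s';

# The approach taken in the hack: a match in scalar context returns the
# match's truth value (1 on success), not the capture, so the returned
# "path" is the string "1" and the real path is lost.
sub untaint_scalar_context {
    my ($file) = @_;
    my $file_ = $file =~ m/(.*)/;
    return $file_;
}

# Defensive version: reject anything outside the characters a session id
# may contain, then take the untainted capture ($1) in list context.
# Only the client-supplied part ($sid, which arrives via cookie or query
# string) needs untainting; the configured directory is left alone.
sub session_file {
    my ($dir, $sid) = @_;
    return undef unless defined $sid;
    my ($clean_sid) = $sid =~ /^([A-Za-z0-9_-]+)\z/
        or return undef;    # covers the \ and / rejection and much more
    return File::Spec->catfile($dir, sprintf($FileName, $clean_sid));
}

# Usage (run as: perl -T this_script.pl):
my $tainted_sid = $ENV{HTTP_COOKIE} // 'abc123';   # environment is tainted under -T
print "scalar-context result: ", untaint_scalar_context("/var/lib/sessions/cgisess_$tainted_sid"), "\n";
my $path = session_file('/var/lib/sessions', $tainted_sid);
print defined $path ? "validated path: $path\n" : "rejected session id\n";
```

Under `-T`, anything derived from `%ENV`, cookies or query parameters is tainted, and `sprintf`/`catfile` propagate that taint into the assembled path; capturing only the validated id keeps the directory name (which comes from configuration, not the client) out of the untainting step and makes the taint failure a real signal rather than something to be silenced.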
