Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Dominic Hargreaves dom at earth.li
Tue Jan 12 13:38:51 UTC 2016


Control: tags -1 - security
Control: found -1 4.46-1

On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> Control: tag -1 security
> 
> On 12/01/16 12:28, Chris Boot wrote:
> [snip]
> > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> > 
> > Dear Maintainer,
> > 
> > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > installation of TWiki (http://twiki.org/) no longer functions. This
> > happens due to CGI::Session::Driver::file complaining about taint.
> 
> I'm bringing this bug to the attention of the security team, as it has
> only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a
> stable security regression.

Indeed, this is unfortunate - confirmed that this is trivially
reproducible. It is misleading to call this a security bug in itself,
so I am removing that tag.

I am happy to prepare an updated package with the patch in from the RT
ticket, though it would be good to get some second opinions on the
correctness of that patch. I guess that should be released as a DSA
update, given (as you point out) it's a regression indirectly introduced
by the DSA. Another alternative would be the jessie point release,
for which the freeze date is later this week.

I'm puzzled about why this wasn't spotted as an issue for wheezy, which
doesn't have the perl taint bug, and does suffer from this problem: we
should fix that there too, probably in the next point release.

Dominic.


