Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Salvatore Bonaccorso carnil at debian.org
Tue Jan 12 15:27:06 UTC 2016


Hi,

On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:
> Control: tags -1 - security
> Control: found -1 4.46-1
> 
> On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> > Control: tag -1 security
> > 
> > On 12/01/16 12:28, Chris Boot wrote:
> > [snip]
> > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> > > 
> > > Dear Maintainer,
> > > 
> > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > happens due to CGI::Session::Driver::file complaining about taint.
> > 
> > I'm bringing this bug to the attention of the security team, as it has
> > only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a
> > stable security regression.
> 
> Indeed, this is unfortunate - confirmed that this is trivially
> reproducible. It is misleading to call this a security bug in itself,
> so I am removing that tag.
> 
> I am happy to prepare an updated package with the patch in from the RT
> ticket, though it would be good to get some second opinions on the
> correctness of that patch. I guess that should be released as a DSA
> update, given (as you point out) it's a regression indirectly introduced
> by the DSA. Another alternative would be the jessie point release, for
> which the freeze date is later this week.
> 
> I'm puzzled about why this wasn't spotted as an issue for wheezy, which
> doesn't have the perl taint bug, and does suffer from this problem: we
> should fix that there too, probably in the next point release.

My gut feeling about this: Since the issue was already present before,
uncovered indirectly by the perl DSA, and currently affects twiki (not
packaged in Debian), I would tend to ask the SRM to have the fix for
libcgi-session-perl to be scheduled via the next Jessie point release
rather than a DSA.

Do you feel strongly about having the fix earlier via a DSA?

Thanks for bringing that to our attention!

Regards,
Salvatore


