Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Niko Tyni ntyni at debian.org
Thu Jan 14 22:02:00 UTC 2016


On Wed, Jan 13, 2016 at 12:37:37AM +0200, Niko Tyni wrote:
> On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:
> > On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> > > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> 
> > > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > > happens due to CGI::Session::Driver::file complaining about taint.

[...]

> This suggests that the right place to untaint the data would be in the
> CGI::Session::Driver::*::retrieve() functions, or (more easily) centrally
> in CGI::Session::load(). Comments on the attached alternative patch?

Last call for comments: the deadline for the next jessie point release
is rather near, so I'll upload this to sid on Friday unless someone
beats me to it. A jessie-pu upload on Saturday will hopefully make it in
(see Adam's comment in #810887).

Patch re-attached for convenience.
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Untaint-raw-data-coming-from-session-storage-backend.patch
Type: text/x-diff
Size: 1171 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20160115/28ff29a6/attachment-0001.patch>

