Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Teodor Milkov tm at del.bg
Tue Jan 19 09:25:47 UTC 2016


Hello,

I've just installed libcgi-session-perl 4.48-3, but still my twiki spews 
the following error:

Insecure dependency in sysopen while running with -T switch at 
/usr/share/perl5/CGI/Session/Driver/file.pm line 107.

I had to apply the following patch to mute it:

--- tmp/file.pm 2016-01-19 11:17:45.000000000 +0200
+++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-19 
11:11:46.000000000 +0200
@@ -52,6 +52,8 @@
          return $self->set_error( "_file(): Session ids cannot contain 
\\ or / chars: $sid" );
      }

+    ($sid) = $sid =~ /(.*)/;
+
      return File::Spec->catfile($self->{Directory}, sprintf( $FileName, 
$sid ));
  }
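Review bot: the added `($sid) = $sid =~ /(.*)/;` launders the taint unconditionally, so the only check standing between user-supplied input and the file name handed to sysopen is the `\` and `/` test just above it, and because `(.*)` is unanchored and stops at the first newline, an id such as "abc\nXYZ" is silently truncated to "abc" (and therefore a different session file) instead of being rejected. Tie the untaint to an explicit allow-list so that only ids in the expected alphabet are laundered, for example:
    return $self->set_error( "_file(): invalid session id: $sid" )
        unless $sid =~ /\A([A-Za-z0-9_-]+)\z/;
    $sid = $1;
placed where the `(.*)` capture is now; this keeps the existing `\`/`/` error path intact and makes the reason the value is considered safe visible in the code.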


Best regards,
Teodor

On 15.01.2016 23:47, Niko Tyni wrote:
> Source: libcgi-session-perl
> Source-Version: 4.48-1+deb8u1
>
> We believe that the bug you reported is fixed in the latest version of
> libcgi-session-perl, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 810799 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Niko Tyni <ntyni at debian.org> (supplier of updated libcgi-session-perl package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Fri, 15 Jan 2016 17:37:38 +0200
> Source: libcgi-session-perl
> Binary: libcgi-session-perl
> Architecture: source all
> Version: 4.48-1+deb8u1
> Distribution: jessie
> Urgency: medium
> Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
> Changed-By: Niko Tyni <ntyni at debian.org>
> Description:
>   libcgi-session-perl - persistent session data in CGI applications
> Closes: 810799
> Changes:
>   libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium
>   .
>     * Team upload.
>     * Untaint raw data coming from session storage backends.
>       + fixes a taint regression caused by CVE-2015-8607 fixes in perl
>         (Closes: #810799)
> Checksums-Sha1:
>   dd9f83880c6e00799d0227ab97f0a53d9f4e3e56 2310 libcgi-session-perl_4.48-1+deb8u1.dsc
>   3f414fda9db1f6709c2138f88eabfb006ac07959 5212 libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
>   416fa42341118941ded98b8bac1724b99c06662e 118682 libcgi-session-perl_4.48-1+deb8u1_all.deb
> Checksums-Sha256:
>   89a831bc5ee51ed2efa734c0424e38b99a53fcccddebfa0c75cdbcc06de5e8db 2310 libcgi-session-perl_4.48-1+deb8u1.dsc
>   0fd7899549ba370648c84daf47a9c9c9db027503a2b649be206bb03540a06078 5212 libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
>   7620fec43861ee6aff8c4ce9614438738a3142dfe0a501f9d26ae0658f2aeb6d 118682 libcgi-session-perl_4.48-1+deb8u1_all.deb
> Files:
>   e8763ea03d0ee8263025f2fa212ef1f4 2310 perl optional libcgi-session-perl_4.48-1+deb8u1.dsc
>   fe371a64c0d220a676692b98af27e014 5212 perl optional libcgi-session-perl_4.48-1+deb8u1.debian.tar.xz
>   ed1fc424632fca5164cda489517ecb89 118682 perl optional libcgi-session-perl_4.48-1+deb8u1_all.deb
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJWmRQEAAoJEC7A/7O3MBsfS8sP/jNEBmo7hVWLjzXGHfCEGSzd
> TUKWO9+nVBxESs64j4gBVGuAAK56AL8U55CYWmHxUGhY6vFS7orp3vrxbNtwvAvU
> xJsRYtj/zZk/2erwHMXiHFFGAU3ItqzNfD4Rper8LwllsvWy8vdY1EXaMTYW0qA0
> hkxuVPeXYzFNq0FAfGbksxPTcXce0GmxKm/j7btVsgedPcGbSGlSPxhwbdM2QSiX
> IExK3y9au5UNKkTYXYgmh0Lyt5SSBoiMvn65ZZ4B6ZkMVywchmBjM8B+ysIqvedy
> zB908tt7SX/Yf9zbuaXzT+krT5yBgT7MJIYZHD7ELMTHsy+CEkqEZhSq3X4pAg/6
> EP1WAdLuiTsjG3D9+N6mYaTrCV2OSTLnxrzwGMDoMEQrIUBEie+QjaI9cPvfqK2k
> jPjzbORIWMJSyLFy3u5pEW8MhsvlFj4cpDfkMxYgTBCYf03SSCfelp38L5c3CrQw
> nj3jn7EYYi790khxso9NJlH9tKi8FVKUbSlUcXo6SzJYwnvrvT1AExW8187FQhAo
> U7+aqUyeYc70vLKcVoY+dP1dvQJMrlHAzRkKNVFlMyfC3nmeDhRqVgZdQrB68gPj
> H7y9zelIS6Bj7bBa8fnUb/4vcRzGdrNUWnq7E8WCS95drOfbpQtnm2pHUK8OesOH
> /9yYiMLdXphy2992JeIS
> =4mF8
> -----END PGP SIGNATURE-----
>
>
>
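The following is an added example for this thread, not code from CGI::Session, the Debian package or the patch above. It reproduces the "Insecure dependency in sysopen" error under `perl -T` with a constructed tainted session id, and runs the same id through the blanket `/(.*)/` untaint from the patch and through an allow-list untaint, so the difference in what each lets reach sysopen is visible. The temporary directory, the `cgisess_%s` file-name pattern and the id alphabet `[A-Za-z0-9_-]` are assumptions made for the demo. Run it as `perl -T untaint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Added example for this thread, not code from CGI::Session or the posted patch.
# Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT);
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

my $dir      = tempdir(CLEANUP => 1);   # assumed: stands in for CGI::Session's Directory
my $filename = 'cgisess_%s';            # assumed: same shape as $FileName in file.pm

# Constructed input: concatenating a zero-length slice of a tainted %ENV value
# taints a literal, which is how a cookie or query value would arrive under -T.
sub make_tainted {
    my ($s) = @_;
    return $s . substr($ENV{PATH} // '', 0, 0);
}

# No untaint at all: the situation the reporter hit after the perl DSA-3441-1 update.
sub path_no_untaint {
    my ($sid) = @_;
    return if $sid =~ m![\\/]!;
    return File::Spec->catfile($dir, sprintf($filename, $sid));
}

# The posted patch: blanket untaint that relies only on the \ and / check.
sub path_blanket_untaint {
    my ($sid) = @_;
    return if $sid =~ m![\\/]!;
    ($sid) = $sid =~ /(.*)/;            # launders taint; stops at the first newline
    return File::Spec->catfile($dir, sprintf($filename, $sid));
}

# Tighter alternative: untaint only an id that matches an explicit allow-list.
sub path_allowlist_untaint {
    my ($sid) = @_;
    return unless $sid =~ /\A([A-Za-z0-9_-]{1,64})\z/;   # assumed id alphabet
    return File::Spec->catfile($dir, sprintf($filename, $1));
}

# Attempt the same sysopen file.pm performs and report what taint mode does with it.
sub try_open {
    my ($path) = @_;
    return 'rejected' unless defined $path;
    my $fh;
    my $ok = eval { sysopen($fh, $path, O_RDWR | O_CREAT, 0600) };
    return 'taint-error' if $@ =~ /Insecure dependency/;
    return $ok ? 'opened ' . (File::Spec->splitpath($path))[2] : "failed: $!";
}

# Constructed ids: a normal one, one with an embedded newline, a traversal
# attempt (caught by the existing \ and / check) and one with a space.
for my $raw ('abc123', "abc\nXYZ", '../etc/passwd', 'a b') {
    my $sid = make_tainted($raw);
    (my $show = $raw) =~ s/\n/\\n/g;
    printf "%-14s tainted=%d\n  none:      %s\n  blanket:   %s\n  allowlist: %s\n",
        $show, tainted($sid) ? 1 : 0,
        try_open(path_no_untaint($sid)),
        try_open(path_blanket_untaint($sid)),
        try_open(path_allowlist_untaint($sid));
}
```

With no untaint every id ends in "taint-error", which is the sysopen failure from the bug report. The blanket untaint opens a file for "a b" and, for the newline case, opens cgisess_abc after silently dropping everything from the newline onward; the allow-list version rejects both and only opens cgisess_abc123. The traversal attempt is stopped by the pre-existing `\`/`/` check in all three variants, which is the check the blanket untaint is leaning on.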
