Debian Bug report logs - #606370
CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 8 Dec 2010 18:51:01 UTC

Severity: grave

Tags: patch, security, squeeze-ignore

Found in versions libcgi-pm-perl/3.38-2lenny1, libcgi-pm-perl/3.49-1

Fixed in versions libcgi-pm-perl/3.51-1, libcgi-pm-perl/3.49-1squeeze1, libcgi-pm-perl/3.38-2lenny2

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 08 Dec 2010 18:51:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 08 Dec 2010 18:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 08 Dec 2010 19:47:18 +0100
Package: libcgi-pm-perl
Version: 3.49-1
Severity: grave
Tags: security

Three security issues have been reported in libcgi-pm-perl:

http://security-tracker.debian.org/tracker/CVE-2010-2761 
http://security-tracker.debian.org/tracker/CVE-2010-4410
http://security-tracker.debian.org/tracker/CVE-2010-4411

The first two issues are fixed in 3.50 (already in sid), but
the second is still pending a final fix (see the referenced
link). Please get in touch with the release team to check,
whether migrating 3.50 plus the fix for CVE-2010-4411 or
uploading a tpu fix with 3.49 plus the security fixes is the
best way to resolve this.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 08 Dec 2010 19:27:08 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 08 Dec 2010 19:27:08 GMT)


Message #10 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 8 Dec 2010 20:23:56 +0100
[Message part 1 (text/plain, inline)]
clone 606370 -1 
reassign -1 libcgi-simple-perl
thanks

On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:

> Three security issues have been reported in libcgi-pm-perl:
> 
> http://security-tracker.debian.org/tracker/CVE-2010-2761 
> http://security-tracker.debian.org/tracker/CVE-2010-4410
> http://security-tracker.debian.org/tracker/CVE-2010-4411
> 
> The first two issues are fixed in 3.50 (already in sid), but
> the second is still pending a final fix (see the referenced
> link). 

http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
"CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ..."

CGI::Simple is in libcgi-simple-perl, cloning/reassigning.


Hm, and I'm a bit confused by "first two issues are fixed" and "the
second ...". Let's look if I got it right:

CVE-2010-2761:
"The multipart_init function in (1) CGI.pm before 3.50 and (2)
Simple.pm in CGI::Simple 1.112 and earlier"
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4410:
"CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier"
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4411:
"Unspecified vulnerability in CGI.pm 3.50 and earlier"
-> libcgi-pm-perl


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Donovan: Jennifer Juniper
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 08 Dec 2010 19:39:03 GMT)


Message #13 received at 606370@bugs.debian.org:

From: Ansgar Burchardt <ansgar@43-1.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 08 Dec 2010 20:35:47 +0100
clone 606370 -1
found 606370 3.38-2lenny1
reassign -1 libcgi-simple-perl 1.105-1
thanks

Moritz Muehlenhoff <jmm@debian.org> writes:
> Three security issues have been reported in libcgi-pm-perl:
>
> http://security-tracker.debian.org/tracker/CVE-2010-2761 
> http://security-tracker.debian.org/tracker/CVE-2010-4410
> http://security-tracker.debian.org/tracker/CVE-2010-4411
>
> The first two issues are fixed in 3.50 (already in sid), but
> the second is still pending a final fix (see the referenced
> link). Please get in touch with the release team to check,
> whether migrating 3.50 plus the fix for CVE-2010-4411 or
> uploading a tpu fix with 3.49 plus the security fixes is the
> best way to resolve this.

In addition to Lenny's version of libcgi-pm-perl, the same issues also
affect libcgi-simple-perl, including the version currently in unstable
(1.111-1).

I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
fix for CVE-2010-2761 was not complete, but it is not a different, new
issue?

We should probably wait until the issue is really fixed:

| >     2. Further improvements to handling of newlines embedded in header
| > values.
[...]
| Yes, it is. However, later testing found that the issue wasn't
| completely fixed in 3.50. A new patch has been developed, and is
| currently pending review and acceptance by the primary CGI.pm author,
| Lincoln Stein. (Now CC'ed).
  -- <http://openwall.com/lists/oss-security/2010/12/01/3>

Regards,
Ansgar




Bug 606370 cloned as bug 606379. Request was from Ansgar Burchardt <ansgar@43-1.org> to control@bugs.debian.org. (Wed, 08 Dec 2010 19:39:03 GMT)


Bug Marked as found in versions libcgi-pm-perl/3.38-2lenny1. Request was from Ansgar Burchardt <ansgar@43-1.org> to control@bugs.debian.org. (Wed, 08 Dec 2010 19:39:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 08 Dec 2010 19:51:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 08 Dec 2010 19:51:08 GMT)


Message #22 received at 606370@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 8 Dec 2010 20:48:16 +0100
On Wed, Dec 08, 2010 at 08:23:56PM +0100, gregor herrmann wrote:
> clone 606370 -1 
> reassign -1 libcgi-simple-perl
> thanks
> 
> On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:
> 
> > Three security issues have been reported in libcgi-pm-perl:
> > 
> > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > 
> > The first two issues are fixed in 3.50 (already in sid), but
> > the second is still pending a final fix (see the referenced
> > link). 
> 
> http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
> "CRLF injection vulnerability in the header function in (1) CGI.pm
> before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ..."
> 
> CGI::Simple is in libcgi-simple-perl, cloning/reassigning.
> 
> 
> Hm, and I'm a bit confused by "first two issues are fixed" and "the
> second ...". Let's look if I got it right:
> 
> CVE-2010-2761:
> "The multipart_init function in (1) CGI.pm before 3.50 and (2)
> Simple.pm in CGI::Simple 1.112 and earlier"
> -> libcgi-simple-perl
> -> libcgi-pm-perl in squeeze and older
> 
> CVE-2010-4410:
> "CRLF injection vulnerability in the header function in (1) CGI.pm
> before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier"
> -> libcgi-simple-perl
> -> libcgi-pm-perl in squeeze and older
> 
> CVE-2010-4411:
> "Unspecified vulnerability in CGI.pm 3.50 and earlier"
> -> libcgi-pm-perl

Ack. Sorry for the confusion, I meant "third" instead of "second".

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 08 Dec 2010 19:57:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 08 Dec 2010 19:57:06 GMT)


Message #27 received at 606370@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: lstein@cshl.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, 606370@bugs.debian.org, ansgar@43-1.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 8 Dec 2010 20:53:28 +0100
On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> clone 606370 -1
> found 606370 3.38-2lenny1
> reassign -1 libcgi-simple-perl 1.105-1
> thanks
> 
> Moritz Muehlenhoff <jmm@debian.org> writes:
> > Three security issues have been reported in libcgi-pm-perl:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > http://security-tracker.debian.org/tracker/CVE-2010-4411
> >
> > The first two issues are fixed in 3.50 (already in sid), but
> > the second is still pending a final fix (see the referenced
> > link). Please get in touch with the release team to check,
> > whether migrating 3.50 plus the fix for CVE-2010-4411 or
> > uploading a tpu fix with 3.49 plus the security fixes is the
> > best way to resolve this.
> 
> In addition to Lenny's version of libcgi-pm-perl, the same issues also
> affect libcgi-simple-perl, including the version currently in unstable
> (1.111-1).
> 
> I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> fix for CVE-2010-2761 was not complete, but it is not a different, new
> issue?
> 
> We should probably wait until the issue is really fixed:
> 
> | >     2. Further improvements to handling of newlines embedded in header
> | > values.
> [...]
> | Yes, it is. However, later testing found that the issue wasn't
> | completely fixed in 3.50. A new patch has been developed, and is
> | currently pending review and acceptance by the primary CGI.pm author,
> | Lincoln Stein. (Now CC'ed).
>   -- <http://openwall.com/lists/oss-security/2010/12/01/3>

[ I'm adding Lincoln to CC. ]

Lincoln,
we're trying to fix CVE-2010-4411 for the upcoming Debian release.

Is a final patch already available?

Cheers,
        Moritz






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 10 Dec 2010 07:21:02 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 10 Dec 2010 07:21:03 GMT)


Message #32 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 606370@bugs.debian.org
Cc: perl@packages.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 10 Dec 2010 09:19:52 +0200
On Wed, Dec 08, 2010 at 07:47:18PM +0100, Moritz Muehlenhoff wrote:
> Package: libcgi-pm-perl
> Version: 3.49-1
> Severity: grave
> Tags: security
> 
> Three security issues have been reported in libcgi-pm-perl:
> 
> http://security-tracker.debian.org/tracker/CVE-2010-2761 
> http://security-tracker.debian.org/tracker/CVE-2010-4410
> http://security-tracker.debian.org/tracker/CVE-2010-4411
> 
> The first two issues are fixed in 3.50 (already in sid), but
> the second is still pending a final fix (see the referenced
> link). Please get in touch with the release team to check,
> whether migrating 3.50 plus the fix for CVE-2010-4411 or
> uploading a tpu fix with 3.49 plus the security fixes is the
> best way to resolve this.

Please note that CGI.pm is also in perl-modules. I'm unfortunately busy
ATM, and I'd very much appreciate a clone of this bug with proposed
patches. NMUs are also fine by me.

% corelist -a CGI | fgrep v5.10
  v5.10.0    3.29      
  v5.10.1    3.43      

-- 
Niko Tyni   ntyni@debian.org




Bug 606370 cloned as bug 606995. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Mon, 13 Dec 2010 20:03:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Mon, 27 Dec 2010 13:36:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Dec 2010 13:36:03 GMT)


Message #39 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org
Cc: lstein@cshl.org, Moritz Muehlenhoff <jmm@debian.org>, Mark Stosberg <mark@summersault.com>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Mon, 27 Dec 2010 15:33:21 +0200
On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > Moritz Muehlenhoff <jmm@debian.org> writes:
> > > Three security issues have been reported in libcgi-pm-perl:
> > >
> > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > http://security-tracker.debian.org/tracker/CVE-2010-4411

> > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > issue?
> > 
> > We should probably wait until the issue is really fixed:
> > 
> > | >     2. Further improvements to handling of newlines embedded in header
> > | > values.
> > [...]
> > | Yes, it is. However, later testing found that the issue wasn't
> > | completely fixed in 3.50. A new patch has been developed, and is
> > | currently pending review and acceptance by the primary CGI.pm author,
> > | Lincoln Stein. (Now CC'ed).
> >   -- <http://openwall.com/lists/oss-security/2010/12/01/3>
> 
> [ I'm adding Lincoln to CC. ]
> 
> Lincoln,
> were're trying to fix CVE-2010-4411 for the upcoming Debian release.
> 
> Is a final patch already available?

I see Mark Stosberg (CC'd as well) recently pushed this into the
CGI.pm github repository:

 https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Mark, is this double newline injection fix the new patch referred above? 

Thanks for your work,
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Mon, 27 Dec 2010 14:27:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Dec 2010 14:27:03 GMT)


Message #44 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Mon, 27 Dec 2010 16:23:40 +0200
[Message part 1 (text/plain, inline)]
On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
> On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> > On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > > Moritz Muehlenhoff <jmm@debian.org> writes:
> > > > Three security issues have been reported in libcgi-pm-perl:
> > > >
> > > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> 
> > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > issue?

>  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
> 
> Mark, is this double newline injection fix the new patch referred above? 

Assuming this is the case, I'm attaching preliminary patches for

3.29 (perl-modules   / lenny)
3.38 (libcgi-pm-perl / lenny)
3.43 (perl-modules   / squeeze + sid)
3.49 (libcgi-pm-perl / squeeze)
3.50 (libcgi-pm-perl / sid)

They include relevant test suite additions from the github repository
and a small test fix I sent to [rt.cpan.org #64261].

Eyeballs and testing would be welcome. In particular, I'm not entirely
sure about the //s modifier change in header() around CGI.pm:1500 in
the pre-3.49 patches. The change was introduced upstream with 3.49 along
with the header fixes but it's not covered by the test suite.

I haven't looked at libcgi-simple-perl at all.
-- 
Niko Tyni   ntyni@debian.org
[perl-modules.lenny.patch (text/x-diff, attachment)]
[libcgi-pm-perl-3.38.patch (text/x-diff, attachment)]
[perl-modules.squeeze.patch (text/x-diff, attachment)]
[libcgi-pm-perl-3.49.patch (text/x-diff, attachment)]
[libcgi-pm-perl-3.50.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Mon, 27 Dec 2010 15:15:03 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Dec 2010 15:15:03 GMT)


Message #49 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, 606379@bugs.debian.org, 606995@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Mon, 27 Dec 2010 16:12:16 +0100
[Message part 1 (text/plain, inline)]
tag 606370 + patch
tag 606995 + patch
thanks

On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:

> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > issue?
> >  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Thanks for digging this out; I was looking a few times and never
understood CVE-2010-4411 ...

> Assuming this is the case, I'm attaching preliminary patches for

Thanks!
 
> I haven't looked at libcgi-simple-perl at all.

I think Damyan has started to look at it.


Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Beatles
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Mon, 27 Dec 2010 15:15:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Mon, 27 Dec 2010 15:57:03 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Dec 2010 15:57:03 GMT)


Message #56 received at 606370@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 606370@bugs.debian.org, 606379@bugs.debian.org, 606995@bugs.debian.org
Subject: squeeze tagging
Date: Mon, 27 Dec 2010 16:54:54 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 606370 squeeze-can-defer
usertag 606379 squeeze-can-defer
usertag 606995 squeeze-can-defer
kthxbye

These bugs can be fixed through security.d.o if they're not ready by
squeeze release time, tagging accordingly.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Added tag(s) squeeze-ignore. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 27 Dec 2010 19:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Mon, 03 Jan 2011 18:18:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 03 Jan 2011 18:18:03 GMT)


Message #63 received at 606370@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, 606379@bugs.debian.org, 606995@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Mon, 3 Jan 2011 19:15:03 +0100
On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> tag 606370 + patch
> tag 606995 + patch
> thanks
> 
> On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> 
> > > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > > issue?
> > >  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
> 
> Thanks for digging this out; I was looking a few times and never
> understood CVE-2010-4411 ...
> 
> > Assuming this is the case, I'm attaching preliminary patches for
> 
> Thanks!
>  
> > I haven't looked at libcgi-simple-perl at all.
> 
> I think Damyan has started to look at it.

Could you upload the fixes targeted at squeeze to tpu?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Tue, 04 Jan 2011 18:48:08 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 04 Jan 2011 18:48:08 GMT)


Message #68 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, 606379@bugs.debian.org, 606995@bugs.debian.org, debian-release@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Tue, 4 Jan 2011 19:45:56 +0100
[Message part 1 (text/plain, inline)]
On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:

> On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > Assuming this is the case, I'm attaching preliminary patches for
> > Thanks!
> Could you upload the fixes targeted at squeeze to tpu?

I'm happy to take care of libcgi-pm-perl.

If the release team agrees (cc'ed) that could be
- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable

(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)


I'd rather leave perl-modules to Niko.


Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:

http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes

1.113   2010-12-27
      - (thanks to Yamada Masahiro) randomise multipart boundary string
        (security).
...
        Security: Fix handling of embedded malicious newlines in header
          values This is a direct port of the same security fix that

        Security: use a random MIME boundary by default in
          multipart_init(). This is a direct port of the same issue
          which was addressed in CGI.pm, preventing some kinds of
          potential header injection attacks.

        Port from CGI.pm: Fix multi-line header parsing.
          This fix is covered by the tests in t/header.t added in
          the previous patch. If you run those tests without this
          patch, you'll see how the headers would be malformed
          without this fix.

        Port CRLF injection prevention from CGI.pm

I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Beatles: Helter Skelter
[signature.asc (application/pgp-signature, inline)]
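The two issue classes this bug tracks, attacker-controlled header values carrying CR/LF (CVE-2010-4410, with the incomplete first fix and the follow-up "double newline" change tracked as CVE-2010-4411) and the fixed, guessable boundary in multipart_init() (CVE-2010-2761), are described in gregor's classification in message #10 and in the CGI::Simple 1.113 Changes excerpt quoted above. The following stand-alone Perl is an added example written for this page; it is not code from CGI.pm, CGI::Simple, or any of the Debian patches, and it does not try to reproduce their exact regexes. The function names, the naive emitter, the sample malicious value and the boundary format are the example's own, and the random boundary assumes a Unix /dev/urandom.

```perl
#!/usr/bin/perl
# Added example (not CGI.pm / CGI::Simple code). Shows (1) CRLF injection
# through a header value and a hardened emitter that rejects it, and
# (2) a guessable multipart boundary beside a random one.
use strict;
use warnings;

# --- (1) header emission -----------------------------------------------

# Naive emitter: concatenates values straight into the header block.
# A value containing CR/LF ends the header the attacker sits in and lets
# them add headers of their own; a blank line lets them start the body.
sub naive_header {
    my (%h) = @_;
    my $out = '';
    for my $name (sort keys %h) {
        $out .= "$name: $h{$name}\r\n";
    }
    return $out . "\r\n";
}

# Hardened emitter. RFC 2616 header folding (newline followed by SP/HT)
# is the legitimate case the first fix tried to keep; here it is unfolded
# to a single space first, and then any newline that survives, including
# a doubled one ("\r\n\r\n"), is rejected outright. Header names are
# restricted to token characters so a name cannot smuggle a separator.
sub safe_header {
    my (%h) = @_;
    my $out = '';
    for my $name (sort keys %h) {
        die "invalid header name: $name\n"
            unless $name =~ /\A[A-Za-z0-9-]+\z/;
        my $v = $h{$name};
        $v =~ s/\r?\n[ \t]+/ /g;                 # unfold continuation lines
        die "CR/LF in value of $name\n" if $v =~ /[\r\n]/;
        $out .= "$name: $v\r\n";
    }
    return $out . "\r\n";
}

# --- (2) multipart boundary --------------------------------------------

# Fixed boundary (constructed example): anyone who knows it can place
# "--<boundary>" inside a part and confuse whatever splits the stream.
sub fixed_boundary { return '------- =_aaaaaaaaaa0' }

# Random boundary: 128 bits from the kernel CSPRNG, hex-encoded, so the
# value cannot be predicted by the party supplying the part contents.
sub random_boundary {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!\n";
    read $fh, my $bytes, 16 or die "short read\n";
    close $fh;
    return '------- =_' . unpack('H*', $bytes);
}

# --- demonstration ------------------------------------------------------

# Constructed malicious value: a Content-Type that closes the headers and
# supplies both a cookie header and a response body.
my $evil = "text/html\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>";

print "naive:\n", naive_header('Content-Type' => $evil), "\n";

my $safe = eval { safe_header('Content-Type' => $evil) };
print "hardened: ", defined $safe ? $safe : "rejected: $@", "\n";

# A folded value is still accepted, collapsed onto one line.
print safe_header('Content-Type' => 'text/html', 'X-Folded' => "a\r\n  b");

print "fixed boundary:  ", fixed_boundary(),  "\n";
print "random boundary: ", random_boundary(), "\n";
```

Running it with `perl` prints the naive block with the injected Set-Cookie line and body intact, then "rejected: CR/LF in value of Content-Type" for the hardened variant, then the folded X-Folded header on a single line, and finally the two boundaries, the second differing on every run. The unfold-then-reject order matters: a check that only looks for a newline not followed by whitespace can be steered around by mixing folded and unfolded breaks in one value, which is the family of bypass the follow-up fix discussed in this bug addresses.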

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Tue, 04 Jan 2011 19:42:06 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 04 Jan 2011 19:42:06 GMT)


Message #73 received at 606370@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: gregor herrmann <gregoa@debian.org>, 606995@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, 606379@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Tue, 4 Jan 2011 20:40:20 +0100
[Message part 1 (text/plain, inline)]
On Tue, Jan  4, 2011 at 19:45:56 +0100, gregor herrmann wrote:

> On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
> 
> > On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > > Assuming this is the case, I'm attaching preliminary patches for
> > > Thanks!
> > Could you upload the fixes targeted at squeeze to tpu?
> 
> I'm happy to take care of libcgi-pm-perl.
> 
> If the release team agrees (cc'ed) that could be

debian-release@lists works better than debian-release@bugs.  Fixed.

> - 3.38-2lenny2 / stable-proposed-updates
> - 3.49-1squeeze1 / testing-proposed-updates
> - 3.50-2 / unstable
> 
> (Alternative: just upload 3.50-2 to unstable and let it migrate to
> testing.)
> 
> 
> I'd rather leave perl-modules to Niko.
> 
> 
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
> 
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
> 
> 1.113   2010-12-27
>       - (thanks to Yamada Masahiro) randomise multipart boundary string
>         (security).
> ...
>         Security: Fix handling of embedded malicious newlines in header
>           values This is a direct port of the same security fix that
> 
>         Security: use a random MIME boundary by default in
>           multipart_init(). This is a direct port of the same issue
>           which was addressed in CGI.pm, preventing some kinds of
>           potential header injection attacks.
> 
>         Port from CGI.pm: Fix multi-line header parsing.
>           This fix is covered by the tests in t/header.t added in
>           the previous patch. If you run those tests without this
>           patch, you'll see how the headers would be malformed
>           without this fix.
> 
>         Port CRLF injection prevention from CGI.pm
> 
> I'm not sure what the best way to proceed is here; mabye Damyan has
> more ideas since he's already worked on that package?
> 
> 
Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Wed, 05 Jan 2011 13:03:05 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 05 Jan 2011 13:03:05 GMT)


Message #78 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org, 606379@bugs.debian.org, 606995@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Wed, 5 Jan 2011 14:48:55 +0200
On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
> > On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> > > On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > > > Moritz Muehlenhoff <jmm@debian.org> writes:
> > > > > Three security issues have been reported in libcgi-pm-perl:
> > > > >
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > 
> > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > issue?
> 
> >  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
> > 
> > Mark, is this double newline injection fix the new patch referred above? 

I think this is confirmed by
 http://www.openwall.com/lists/oss-security/2011/01/04/9 

which also contains a link to the corresponding CGI-Simple fix at
 http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da

There's going to be a new upstream release of CGI.pm soon.

I hope I can make the time for perl 5.10.1-17 to unstable with just the
CGI.pm fixes and urgency=high in the next few days.  (If somebody else
wants to do it, I'm ecstatic.)
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 06 Jan 2011 08:15:03 GMT)


Message #81 received at 606370@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 606370@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 606379@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#606379, #606370: [libcgi-simple-perl] CVE-2010-2761 CVE-2010-4410
Date: Wed, 5 Jan 2011 07:57:01 +0200
[Message part 1 (text/plain, inline)]
-=| gregor herrmann, Tue, Jan 04, 2011 at 07:45:56PM +0100 |=-
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
> 
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
> 
> 1.113   2010-12-27
>       - (thanks to Yamada Masahiro) randomise multipart boundary string
>         (security).
> ...
>         Security: Fix handling of embedded malicious newlines in header
>           values This is a direct port of the same security fix that
> 
>         Security: use a random MIME boundary by default in
>           multipart_init(). This is a direct port of the same issue
>           which was addressed in CGI.pm, preventing some kinds of
>           potential header injection attacks.
> 
>         Port from CGI.pm: Fix multi-line header parsing.
>           This fix is covered by the tests in t/header.t added in
>           the previous patch. If you run those tests without this
>           patch, you'll see how the headers would be malformed
>           without this fix.
> 
>         Port CRLF injection prevention from CGI.pm
> 
> I'm not sure what the best way to proceed is here; maybe Damyan has
> more ideas since he's already worked on that package?

The upstream fix mirrors the fixes to CGI.pm, almost completely. The 
"newline in headers" check misses a later change in CGI.pm which still 
has to be applied as a patch.
(CGI::Simple is a classic example of why code duplication is bad).

Since the versions of libcgi-simple-perl in testing and unstable are 
the same, I propose the following:

 1. For getting fixes to squeeze:
   a. Branch from 1.111-1 (sid/squeeze), pick relevant changes from 
      the new upstream release (plus the additional headers check) and 
      upload 1.111-2 to unstable (high priority).
   b. alternatively, it is easier for us to upload the new upstream 
      release (plus the additional headers check patch), but that 
      would contain irrelevant changes that I think won't be wanted at 
      this release stage.
 2. For stable:
   a. Pick the relevant patches for lenny version and upload 1.105-2 
      to stable-proposed-updates

Unless advised otherwise, I'll proceed with 1.a. and 2.a. Note that 
lately I am better at drawing plans than in implementing them, so help 
is greatly appreciated.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 06 Jan 2011 20:39:06 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 06 Jan 2011 20:39:06 GMT)


Message #86 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org, 606995@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Thu, 6 Jan 2011 22:37:11 +0200
On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:

> Assuming this is the case, I'm attaching preliminary patches for
> 
> 3.29 (perl-modules   / lenny)
> 3.38 (libcgi-pm-perl / lenny)
> 3.43 (perl-modules   / squeeze + sid)
> 3.49 (libcgi-pm-perl / squeeze)
> 3.50 (libcgi-pm-perl / sid)
> 
> They include relevant test suite additions from the github repository
> and a small test fix I sent to [rt.cpan.org #64261].

> Eyeballs and testing would be welcome. In particular, I'm not entirely
> sure about the //s modifier change in header() around CGI.pm:1500 in
> the pre-3.49 patches. The change was introduced upstream with 3.49 along
> with the header fixes but it's not covered by the test suite.

I believe this change has no effect: the earlier part of the code checks that
there are no newlines in the header string, so //s should make no difference.

I'll probably include it anyway.

However, my testing turned out another problem. This hunk from the pre-3.49
patches:

> +Note that if a header value contains a carriage return, a leading space will be
> +added to each new line that doesn't already have one as specified by RFC2616
> +section 4.2.  For example:
> +
> +    print header( -ingredients => "ham\neggs\nbacon" );
> +
> +will generate
> +
> +    Ingredients: ham
> +     eggs
> +     bacon
> +
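Review bot: the added documentation describes folding behaviour that the header() code in this series no longer performs: since the code checks that there are no newlines in the header string (see the //s discussion above), `print header( -ingredients => "ham\neggs\nbacon" )` will not produce the continuation lines shown, and the message itself notes this is only true for 3.49. Either drop this paragraph from the backported patch, as proposed, or replace it with a sentence stating that header values containing newlines are rejected, so the POD does not document an outcome the tests in t/header.t contradict.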

is only true for 3.49; it broke with 3.50 and further with 3.51 due
to the same security changes we're working on. I've reported this as

 http://rt.cpan.org/Public/Bug/Display.html?id=64554 

and will probably just drop the above doc change from the perl-modules patch.

Furthermore, the perl-modules patches need an additional change to the
top-level MANIFEST so that the tests actually get run.

All this means I need another test session when I'm feeling less tired,
so no perl upload tonight.
-- 
Niko Tyni   ntyni@debian.org
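The two header-value policies discussed in this message, as an added example in Python that is not CGI.pm's own code: fold_header_value() models the RFC 2616 section 4.2 folding the 3.49 documentation hunk describes, and validate_header_value() models the post-fix rule that a newline must be followed by folding whitespace. The function names, the header-name check and the rejection of whitespace-only continuation lines are my own assumptions, not upstream's exact checks.

```python
import re

# Any line break that can appear inside a header value: CRLF, bare CR or bare LF.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


class HeaderInjectionError(ValueError):
    """A header value or name would break out of its own header line."""


def fold_header_value(value: str) -> str:
    """Fold a multi-line value as the 3.49 documentation hunk describes:
    every line after the first gets a leading space unless it already starts
    with SP or HT, so it becomes an RFC 2616 section 4.2 continuation line.
    Lines are joined with LF here; render_header() converts them to CRLF."""
    lines = _LINE_BREAK.split(value)
    folded = [lines[0]]
    for line in lines[1:]:
        folded.append(line if line[:1] in (" ", "\t") else " " + line)
    return "\n".join(folded)


def validate_header_value(value: str) -> str:
    """Reject values that could inject headers, the policy the security
    changes moved to: every line break must be followed by SP or HT.
    Extra rule of my own (an assumption, not necessarily upstream's check):
    a whitespace-only continuation line is rejected too, because a receiver
    that trims it sees a blank line, and a blank line ends the header block."""
    lines = _LINE_BREAK.split(value)
    for line in lines[1:]:
        if line[:1] not in (" ", "\t"):
            raise HeaderInjectionError(
                "line break not followed by folding whitespace in %r" % value)
        if not line.strip(" \t"):
            raise HeaderInjectionError(
                "whitespace-only continuation line in %r" % value)
    return value


def validate_header_name(name: str) -> str:
    """A header name is a single token: no CR, LF, colon or whitespace."""
    if not name or re.search(r"[\r\n:\s]", name):
        raise HeaderInjectionError("invalid header name %r" % name)
    return name


def render_header(name: str, value: str, fold: bool = False) -> str:
    """Return one CRLF-terminated header line.  With fold=True the value is
    folded first (the pre-3.50 behaviour), which turns an embedded line break
    into a harmless continuation rather than a new header; with fold=False
    any unfolded line break is rejected (the post-fix behaviour)."""
    validate_header_name(name)
    if fold:
        value = fold_header_value(value)
    validate_header_value(value)
    return "%s: %s\r\n" % (name, "\r\n".join(_LINE_BREAK.split(value)))


if __name__ == "__main__":
    # Constructed inputs: the documented example and two injection attempts.
    print(repr(render_header("Ingredients", "ham\neggs\nbacon", fold=True)))
    for bad in ("ham\nSet-Cookie: x", "ham\r\n\r\n<html>", "ham\n \n bacon"):
        try:
            render_header("Ingredients", bad)
        except HeaderInjectionError as exc:
            print("rejected:", exc)
```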




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 07 Jan 2011 12:57:13 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 07 Jan 2011 12:57:13 GMT)


Message #91 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org, 606995@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 7 Jan 2011 14:48:28 +0200
[Message part 1 (text/plain, inline)]
On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> 
> > Assuming this is the case, I'm attaching preliminary patches for
> > 
> > 3.29 (perl-modules   / lenny)
> > 3.38 (libcgi-pm-perl / lenny)
> > 3.43 (perl-modules   / squeeze + sid)
> > 3.49 (libcgi-pm-perl / squeeze)
> > 3.50 (libcgi-pm-perl / sid)

> All this means I need another test session when I'm feeling less tired,
> so no perl upload tonight.

Done, just uploaded perl/5.10.1-17 with the attached patch.

Changes: 
 perl (5.10.1-17) unstable; urgency=medium
 .
   * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
     fix CGI.pm MIME boundary and multiline header vulnerabilities.
     (Closes: #606995)

Release team: please consider

 unblock perl/5.10.1-17

The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
s/rearrange_header/rearrange/.

Moritz: shall I upload a fixed lenny package to stable-security?
FWIW, I'd prefer to wait the five days for squeeze migration before a
DSA in case we get any regression reports.
-- 
Niko Tyni   ntyni@debian.org
[cgi-multiline-header.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 07 Jan 2011 13:45:22 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 07 Jan 2011 13:45:22 GMT)


Message #96 received at 606370@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Niko Tyni" <ntyni@debian.org>
Cc: 606370@bugs.debian.org, 606995@bugs.debian.org, "Moritz Muehlenhoff" <jmm@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 7 Jan 2011 13:35:19 -0000
On Fri, January 7, 2011 12:48, Niko Tyni wrote:
> Done, just uploaded perl/5.10.1-17 with the attached patch.
>
> Changes:
>  perl (5.10.1-17) unstable; urgency=medium
>  .
>    * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
>      fix CGI.pm MIME boundary and multiline header vulnerabilities.
>      (Closes: #606995)

Unblocked; thanks.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 07 Jan 2011 17:48:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 07 Jan 2011 17:48:08 GMT)


Message #101 received at 606370@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Niko Tyni <ntyni@debian.org>
Cc: 606370@bugs.debian.org, 606995@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 7 Jan 2011 18:45:06 +0100
On Fri, Jan 07, 2011 at 02:48:28PM +0200, Niko Tyni wrote:
> On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
> > On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> > 
> > > Assuming this is the case, I'm attaching preliminary patches for
> > > 
> > > 3.29 (perl-modules   / lenny)
> > > 3.38 (libcgi-pm-perl / lenny)
> > > 3.43 (perl-modules   / squeeze + sid)
> > > 3.49 (libcgi-pm-perl / squeeze)
> > > 3.50 (libcgi-pm-perl / sid)
> 
> > All this means I need another test session when I'm feeling less tired,
> > so no perl upload tonight.
> 
> Done, just uploaded perl/5.10.1-17 with the attached patch.
> 
> Changes: 
>  perl (5.10.1-17) unstable; urgency=medium
>  .
>    * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
>      fix CGI.pm MIME boundary and multiline header vulnerabilities.
>      (Closes: #606995)
> 
> Release team: please consider
> 
>  unblock perl/5.10.1-17
> 
> The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
> s/rearrange_header/rearrange/.
> 
> Moritz: shall I upload a fixed lenny package to stable-security?
> FWIW, I'd prefer to wait the five days for squeeze migration before a
> DSA in case we get any regression reports.

Let's wait a bit, it's not urgent.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Tue, 11 Jan 2011 20:18:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 11 Jan 2011 20:18:03 GMT)


Message #106 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Tue, 11 Jan 2011 22:16:23 +0200
On Fri, Jan 07, 2011 at 02:48:28PM +0200, Niko Tyni wrote:

> Done, just uploaded perl/5.10.1-17 with the attached patch.

I've also updated libcgi-pm-perl in the pkg-perl SVN repository to 3.51,
which fixes this. I didn't upload it yet as my time window for this is
closing fast.

It would be great if somebody could pick up this and the tpu upload
of 3.49.
-- 
Niko Tyni   ntyni@debian.org




Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Thu, 13 Jan 2011 21:24:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 13 Jan 2011 21:24:07 GMT)


Message #111 received at 606370-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 606370-close@bugs.debian.org
Subject: Bug#606370: fixed in libcgi-pm-perl 3.51-1
Date: Thu, 13 Jan 2011 21:20:44 +0000
Source: libcgi-pm-perl
Source-Version: 3.51-1

We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive:

libcgi-pm-perl_3.51-1.debian.tar.gz
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1.debian.tar.gz
libcgi-pm-perl_3.51-1.dsc
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1.dsc
libcgi-pm-perl_3.51-1_all.deb
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1_all.deb
libcgi-pm-perl_3.51.orig.tar.gz
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcgi-pm-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 13 Jan 2011 22:10:07 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.51-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libcgi-pm-perl - module for Common Gateway Interface applications
Closes: 367711 606370
Changes: 
 libcgi-pm-perl (3.51-1) unstable; urgency=low
 .
   [ Niko Tyni ]
   * New upstream release.
     + [SECURITY] CVE-2010-4411: fixes a double CR/LF injection vulnerability,
       the last missing bit for the CVE-2010-2761 + CVE-2010-4410 issues
       that were fixed in 3.50. (Closes: #606370)
     + fixes writeability checks of the temporary directory for file uploads,
       and documents supported ways to override the builtin directories.
       (Closes: #367711)
   * debian/patches/fix-pod-spelling.patch: removed, included upstream
 .
   [ gregor herrmann ]
   * debian/watch: add URL for the unofficial 3.51 release in order to make it
     uscan-able.
   * debian/copyright: update list for debian/* and update formatting.
   * Add patch spelling.patch to fix a spelling mistake in various files.






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 13 Jan 2011 21:39:03 GMT)


Message #114 received at 606370@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 606370@bugs.debian.org, 606370-submitter@bugs.debian.org
Subject: Bug in fixed in revision 67369
Date: Thu, 13 Jan 2011 21:35:12 +0000
tag 606370 + pending
thanks

Some bugs are closed in revision 67369
by Gregor Herrmann (gregoa)

Commit message:

[SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
patch (closes: #606370).




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 13 Jan 2011 21:39:05 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#606370. (Thu, 13 Jan 2011 21:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 13 Jan 2011 21:51:12 GMT)


Message #122 received at 606370@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 606370@bugs.debian.org, 606370-submitter@bugs.debian.org
Subject: Bug in fixed in revision 67372
Date: Thu, 13 Jan 2011 21:49:21 +0000
tag 606370 + pending
thanks

Some bugs are closed in revision 67372
by Gregor Herrmann (gregoa)

Commit message:

[SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the   
patch (closes: #606370).




Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Thu, 13 Jan 2011 21:51:16 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 13 Jan 2011 21:51:16 GMT)


Message #127 received at 606370-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 606370-close@bugs.debian.org
Subject: Bug#606370: fixed in libcgi-pm-perl 3.49-1squeeze1
Date: Thu, 13 Jan 2011 21:47:05 +0000
Source: libcgi-pm-perl
Source-Version: 3.49-1squeeze1

We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive:

libcgi-pm-perl_3.49-1squeeze1.diff.gz
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.49-1squeeze1.diff.gz
libcgi-pm-perl_3.49-1squeeze1.dsc
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.49-1squeeze1.dsc
libcgi-pm-perl_3.49-1squeeze1_all.deb
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.49-1squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcgi-pm-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 13 Jan 2011 22:35:30 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.49-1squeeze1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libcgi-pm-perl - module for Common Gateway Interface applications
Closes: 606370
Changes: 
 libcgi-pm-perl (3.49-1squeeze1) testing-proposed-updates; urgency=high
 .
   * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
     CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
     patch (closes: #606370).






Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#606370. (Thu, 13 Jan 2011 21:51:18 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 13 Jan 2011 21:57:06 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 13 Jan 2011 21:57:06 GMT)


Message #135 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Thu, 13 Jan 2011 22:55:55 +0100
[Message part 1 (text/plain, inline)]
On Tue, 11 Jan 2011 22:16:23 +0200, Niko Tyni wrote:

> I've also updated libcgi-pm-perl in the pkg-perl SVN repository to 3.51,
> which fixes this. I didn't upload it yet as my time window for this is
> closing fast.

Thanks!
 
> It would be great if somebody could pick up this and the tpu upload
> of 3.49.

I've now uploaded
- 3.51-1
- 3.49-1squeeze1
- 3.38-2lenny2
to the respective suites.

I was a bit hesitant since I haven't seen a comment from the RT about
the uploads to lenny/squeeze; but they can still decide now if they
accept the packages or not :)

Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Steppenwolf: The Ostrich
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 13 Jan 2011 22:39:03 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 13 Jan 2011 22:39:03 GMT)


Message #140 received at 606370@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: gregor herrmann <gregoa@debian.org>
Cc: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Thu, 13 Jan 2011 22:35:00 +0000
On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> I've now uploaded
> - 3.51-1
> - 3.49-1squeeze1
> - 3.38-2lenny2
> to the respective suites.
> 
> I was a bit hesitant since I haven't seen a comment from the RT about
> the uploads to lenny/squeeze; but they can still decide now if they
> accept the packages or not :)

We were so keen for squeeze that Julien and I both added approve hints
at the same time. ;-)

I've flagged the lenny package to be accepted at the next dinstall;
thanks.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Thu, 13 Jan 2011 23:57:05 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 13 Jan 2011 23:57:05 GMT)


Message #145 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 00:55:14 +0100
[Message part 1 (text/plain, inline)]
On Thu, 13 Jan 2011 22:35:00 +0000, Adam D. Barratt wrote:

> > I was a bit hesitant since I haven't seen a comment from the RT about
> > the uploads to lenny/squeeze; but they can still decide now if they
> > accept the packages or not :)
> We were so keen for squeeze that Julien and I both added approve hints
> at the same time. ;-)

Heh, that's great service :)
 
> I've flagged the lenny package to be accepted at the next dinstall;
> thanks.

Thanks to you!
 

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Joe Cocker: Just Like A Woman
[signature.asc (application/pgp-signature, inline)]

Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Fri, 14 Jan 2011 01:57:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 14 Jan 2011 01:57:04 GMT)


Message #150 received at 606370-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 606370-close@bugs.debian.org
Subject: Bug#606370: fixed in libcgi-pm-perl 3.38-2lenny2
Date: Fri, 14 Jan 2011 01:54:42 +0000
Source: libcgi-pm-perl
Source-Version: 3.38-2lenny2

We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive:

libcgi-pm-perl_3.38-2lenny2.diff.gz
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.38-2lenny2.diff.gz
libcgi-pm-perl_3.38-2lenny2.dsc
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.38-2lenny2.dsc
libcgi-pm-perl_3.38-2lenny2_all.deb
  to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.38-2lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcgi-pm-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 13 Jan 2011 22:49:36 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.38-2lenny2
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libcgi-pm-perl - Simple Common Gateway Interface Class
Closes: 606370
Changes: 
 libcgi-pm-perl (3.38-2lenny2) stable; urgency=low
 .
   * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
     CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
     patch (closes: #606370).






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 07:33:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 07:33:03 GMT)


Message #155 received at 606370@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: 606370@bugs.debian.org, 606995@bugs.debian.org, 606379@bugs.debian.org
Cc: debian-release@lists.debian.org, team@security.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 09:28:09 +0200
On Thu, Jan 13, 2011 at 10:35:00PM +0000, Adam D. Barratt wrote:
> On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> > I've now uploaded

> > - 3.38-2lenny2

> > I was a bit hesitant since I haven't seen a comment from the RT about
> > the uploads to lenny/squeeze; but they can still decide now if they
> > accept the packages or not :)

> I've flagged the lenny package to be accepted at the next dinstall;
> thanks.

I thought stable would be fixed with a DSA, but as the next Lenny point
release will be out real soon (Jan 22nd, stable NEW freezes on the 17th),
I suppose that's just as good. Cc'ing the security team.

I'll try to get a perl lenny upload (#606995) in stable NEW by Monday.

That still leaves libcgi-simple-perl (#606379) unfixed. Is anybody looking at that?
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 11:42:03 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 11:42:03 GMT)


Message #160 received at 606370@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: debian-release@lists.debian.org
Cc: 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 13:40:15 +0200
[Message part 1 (text/plain, inline)]
On Thu, Jan 13, 2011 at 10:35:00PM +0000, Adam D. Barratt wrote:
> On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> > I've now uploaded

> > - 3.38-2lenny2

> I've flagged the lenny package to be accepted at the next dinstall;

While preparing the perl lenny upload I had a look at this. I see Gregor
used my proposed patch from 27 Dec [1]; however I later noticed at least
the doc addition in CGI.pm is wrong [2]. 

Upstream is going to change the documentation back rather than change
the behaviour [3], so I don't think we should be including this change.

While at it, I'm pretty sure the //s change in the previous hunk is a
no-op (because the earlier change makes sure there are no newlines in
@other) and I'm not including it with the perl uploads. Eyeballs welcome
of course.

So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
the attachments - the first one is the debdiff against 3.38-2lenny2 in
proposed-updates, the second one is against 3.38-2lenny1 in stable.

Gregor, I hope you're OK with this?

I'm sorry I failed to communicate this better; the bug log is getting
rather long and I can certainly see the potential for things to get lost.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#44
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#86
[3] http://rt.cpan.org/Public/Bug/Display.html?id=64554

Cheers,
-- 
Niko Tyni   ntyni@debian.org
[debdiff.lenny2 (text/plain, attachment)]
[debdiff.lenny1 (text/plain, attachment)]
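Niko's point above, that once CR/LF have been removed from @other a /s modifier on the later parse can no longer change anything, as an added Perl illustration. This is not code from CGI.pm, from the Debian patch, or from the debdiffs attached to the message: the strip_newlines, parse_without_s and parse_with_s routines and the sample "-name=value" arguments are constructed stand-ins for the package's header handling, and the real change may reject a bad argument rather than strip it; the reasoning is the same either way.

```perl
#!/usr/bin/perl
# Added illustration, not code from CGI.pm or from the Debian patch.
# Models the two changes discussed in the thread with stand-in routines:
#   1. strip CR/LF from the extra header arguments (@other), so a value can
#      never terminate a header line and start another one;
#   2. parse each argument into name/value, once with /s and once without,
#      to show that after step 1 the /s modifier cannot change the result.
use strict;
use warnings;

# Constructed sample arguments in the "-name=value" form a header() call
# accepts; the second and third carry line breaks that must not survive.
my @other = (
    "-X-Custom=safe value",
    "-X-Note=first line\r\nX-Injected: 1",
    "-X-Other=a\nb",
);

# Step 1: remove every CR and LF. Assumption: the real fix may reject the
# argument instead of stripping; either way @other ends up newline-free.
sub strip_newlines {
    my @in = @_;
    s/[\r\n]//g for @in;
    return @in;
}

# Step 2: illustrative parse regexes (not CGI.pm's). Without /s, '.' does
# not match "\n"; with /s it does. Both return (name, value) or ().
sub parse_without_s {
    my ($arg) = @_;
    return $arg =~ /^-?([^=]+)=(.*)$/ ? ($1, $2) : ();
}

sub parse_with_s {
    my ($arg) = @_;
    return $arg =~ /^-?([^=]+)=(.*)$/s ? ($1, $2) : ();
}

# Make control characters visible when printing.
sub _show {
    my ($s) = @_;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    return $s;
}

# On the raw input the two parsers can disagree: an embedded newline is
# exactly the case the /s modifier exists for.
for my $arg (@other) {
    my @a = parse_without_s($arg);
    my @b = parse_with_s($arg);
    printf "raw     %-36s  parsers agree: %s\n", _show($arg),
        ("@a" eq "@b" ? "yes" : "no");
}

# On newline-free input they always agree, which is why the /s change is a
# no-op once the earlier stripping change is in place.
for my $arg (strip_newlines(@other)) {
    my @a = parse_without_s($arg);
    my @b = parse_with_s($arg);
    die "parsers disagree on '$arg'" unless "@a" eq "@b";
    printf "cleaned %-36s  parsers agree: yes\n", _show($arg);
}
```

Run it with `perl` and no arguments; it prints one line per sample argument before and after stripping and dies if the two parsers ever disagree on a cleaned argument. The first loop is only there to make the contrast visible; the invariant the thread relies on is the second loop, which holds for any input once CR and LF are gone.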

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 13:12:06 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 13:12:06 GMT)


Message #165 received at 606370@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Niko Tyni" <ntyni@debian.org>
Cc: debian-release@lists.debian.org, 606370@bugs.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 13:08:37 -0000
On Fri, January 14, 2011 11:40, Niko Tyni wrote:
> While preparing the perl lenny upload I had a look at this. I see Gregor
> used my proposed patch from 27 Dec [1]; however I later noticed at least
> the doc addition in CGI.pm is wrong [2].
>
> Upstream is going to change the documentation back rather than change
> the behaviour [3], so I don't think we should be including this change.
>
> While at it, I'm pretty sure the //s change in the previous hunk is a
> no-op (because the earlier change makes sure there are no newlines in
> @other) and I'm not including it with the perl uploads. Eyeballs welcome
> of course.
>
> So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
> the attachments - the first one is the debdiff against 3.38-2lenny2 in
> proposed-updates, the second one is against 3.38-2lenny1 in stable.

Yes, that would be okay; thanks.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 22:12:03 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 22:12:03 GMT)


Message #170 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Niko Tyni <ntyni@debian.org>, 606370@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 23:10:03 +0100
[Message part 1 (text/plain, inline)]
On Fri, 14 Jan 2011 13:40:15 +0200, Niko Tyni wrote:

> > > - 3.38-2lenny2
> > I've flagged the lenny package to be accepted at the next dinstall;
> While preparing the perl lenny upload I had a look at this. I see Gregor
> used my proposed patch from 27 Dec [1]; however I later noticed at least
> the doc addition in CGI.pm is wrong [2]. 

Oops ...
 
> Gregor, I hope you're OK with this?

Sure!
And sorry for causing extra work ...
 

Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Schmetterlinge: Geschichte vom Arbeiter Willi K
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 22:33:04 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 22:33:04 GMT)


Message #175 received at 606370@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 606370@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 23:29:13 +0100
[Message part 1 (text/plain, inline)]
On Fri, 14 Jan 2011 13:08:37 -0000, Adam D. Barratt wrote:

> > So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
> > the attachments - the first one is the debdiff against 3.38-2lenny2 in
> > proposed-updates, the second one is against 3.38-2lenny1 in stable.
> Yes, that would be okay; thanks.

I've uploaded 3.38-2lenny3 with this debdiff now.

Cheers,
gregor
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Jimi Hendrix: Hear My Train A Comin'
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606370; Package libcgi-pm-perl. (Fri, 14 Jan 2011 23:45:03 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 14 Jan 2011 23:45:03 GMT)


Message #180 received at 606370@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: gregor herrmann <gregoa@debian.org>
Cc: 606370@bugs.debian.org, Niko Tyni <ntyni@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Date: Fri, 14 Jan 2011 23:42:43 +0000
On Fri, 2011-01-14 at 23:29 +0100, gregor herrmann wrote:
> On Fri, 14 Jan 2011 13:08:37 -0000, Adam D. Barratt wrote:
> 
> > > So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
> > > the attachments - the first one is the debdiff against 3.38-2lenny2 in
> > > proposed-updates, the second one is against 3.38-2lenny1 in stable.
> > Yes, that would be okay; thanks.
> 
> I've uploaded 3.38-2lenny3 with this debdiff now.

Accepted, pending dinstall; thanks.

Regards,

Adam





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Feb 2011 07:34:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:48:21 2019; Machine Name: beach
