Your message dated Fri, 15 Jan 2016 15:57:36 +0000
with message-id <[email protected]>
and subject line Bug#810799: fixed in libcgi-session-perl 4.48-3
has caused the Debian Bug report #810799,
regarding libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in
CGI::Session::Driver::file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
810799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810799
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcgi-session-perl
Version: 4.48-1
Severity: important
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
Dear Maintainer,
With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
installation of TWiki (http://twiki.org/) no longer functions. This
happens due to CGI::Session::Driver::file complaining about taint.
The bug was reported in the CPAN RT in 2012:
https://rt.cpan.org/Public/Bug/Display.html?id=80346
The test case included in the bug trivially reproduces the issue.
I independently came up with the following patch to temporarily hack
around the problem for our installation:
--- /usr/share/perl5/CGI/Session/Driver/file.pm.orig 2016-01-12
11:47:36.333006417 +0000
+++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-12 11:48:52.933062394
+0000
@@ -52,7 +52,9 @@
return $self->set_error( "_file(): Session ids cannot contain \\ or /
chars: $sid" );
}
- return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid ));
+ my $file = File::Spec->catfile($self->{Directory}, sprintf( $FileName,
$sid ));
+ my $file_ = $file =~ m/(.*)/i; # hack to remove taint
+ return $file_;
}
sub retrieve {
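Review bot: the `+ my $file_ = $file =~ m/(.*)/i;` line assigns the match's scalar-context result, which is the success flag 1, not the captured text, so the following `+ return $file_;` hands back 1 instead of the session file path. A capture needs list context, `my ($file_) = $file =~ m/(.*)/;`, and the `/i` flag has no effect on `(.*)` (which also stops at the first newline without `/s`). Rather than blanket-untainting the finished path, untaint at the point where the input is validated: the check just above already rejects `\` and `/`, so matching `$sid` against an explicit allowed character set, e.g. `my ($clean) = $sid =~ /\A([\w-]+)\z/ or return $self->set_error(...)`, and building the path from the capture keeps the taint check meaningful instead of silencing it.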
Regards,
Chris
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libcgi-session-perl depends on:
ii perl 5.20.2-3+deb8u2
Versions of packages libcgi-session-perl recommends:
ii libdbi-perl 1.631-3+b1
libcgi-session-perl suggests no packages.
-- no debconf information
-- debsums errors found:
debsums: changed file /usr/share/perl5/CGI/Session/Driver/file.pm (from
libcgi-session-perl package)
--
Chris Boot
Tiger Computing Ltd
IS27001:2013 Certified
Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
--- End Message ---
--- Begin Message ---
Source: libcgi-session-perl
Source-Version: 4.48-3
We believe that the bug you reported is fixed in the latest version of
libcgi-session-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated libcgi-session-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 15 Jan 2016 16:19:13 +0200
Source: libcgi-session-perl
Binary: libcgi-session-perl
Architecture: source
Version: 4.48-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Description:
libcgi-session-perl - persistent session data in CGI applications
Closes: 810799
Changes:
libcgi-session-perl (4.48-3) unstable; urgency=medium
.
* Team upload.
* Untaint raw data coming from session storage backends.
+ fixes a taint regression caused by CVE-2015-8607 fixes in perl
(Closes: #810799)
Checksums-Sha1:
261e080fff7d9d63c055030a90eb464f53caefc7 2336 libcgi-session-perl_4.48-3.dsc
09dfa04055d3eae865c731482bc86a53e24fba9f 5536 libcgi-session-perl_4.48-3.debian.tar.xz
Checksums-Sha256:
099c3321c0641badc9656b7302685528ce8e95ad139083ca7952ed9649ffc18b 2336 libcgi-session-perl_4.48-3.dsc
8226a4349062628301a8dac8f8fe95b2347cb8ad2570ff78fc26e3bff4c59e90 5536 libcgi-session-perl_4.48-3.debian.tar.xz
Files:
78032765469fc436cd3d54544eedb776 2336 perl optional libcgi-session-perl_4.48-3.dsc
3d0eba45aa17e522ee385047f97c9c12 5536 perl optional libcgi-session-perl_4.48-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=76BU
-----END PGP SIGNATURE-----
--- End Message ---
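Both the reporter's workaround in the first message and the 4.48-3 changelog entry ("Untaint raw data coming from session storage backends") turn on how Perl's taint mode treats data that entered the program from outside. The script below is an added example, not code from the bug report or from the libcgi-session-perl package: under `perl -T` it shows that a session id read back from storage is tainted, that the taint propagates into the path the file driver builds, that the scalar-context `m/(.*)/i` hack yields 1 rather than the path, and how a validate-then-capture untaint clears it. The temporary directory, the `cgisess_%s` file-name template, the session id and the `untaint_session_path` helper are all constructed for this demo.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report or libcgi-session-perl): taint
# propagation from session storage and a validate-then-capture untaint.
# Run it as:  perl -T taint_demo.pl   (the -T on the command line must match
# the shebang, otherwise perl refuses with "Too late for -T option").
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed for the demo: a throwaway session directory and the file-name
# template the file driver is assumed to use.
my $dir      = tempdir(CLEANUP => 1);
my $FileName = 'cgisess_%s';

# Under -T, everything read from files, STDIN, %ENV or sockets is tainted.
# Writing a constructed id to a file and reading it back gives us a tainted
# session id without needing a real CGI request.
my $idfile = File::Spec->catfile($dir, 'incoming_id');
open my $w, '>', $idfile or die "open $idfile: $!";
print {$w} "a1b2c3d4e5f6\n";
close $w;
open my $r, '<', $idfile or die "open $idfile: $!";
chomp(my $sid = <$r>);
close $r;
printf "sid tainted?  %s\n", tainted($sid) ? 'yes' : 'no';    # yes

# Same shape as the driver: reject path separators, then build the path.
# Taint follows the data through sprintf and catfile, so the path is tainted.
die "bad session id" if $sid =~ m{[\\/]};
my $file = File::Spec->catfile($dir, sprintf($FileName, $sid));
printf "path tainted? %s\n", tainted($file) ? 'yes' : 'no';   # yes

# Opening the tainted path for writing is exactly what perl -T refuses
# ("Insecure dependency in open while running with -T switch").
my $ok = eval { open my $fh, '>', $file or die "open: $!"; close $fh; 1 };
print 'write via tainted path: ', ($ok ? "allowed\n" : "refused: $@");

# The workaround from the report: in scalar context a match returns its
# success flag, so $file_ becomes 1, not the path.
my $file_ = $file =~ m/(.*)/i;
print "scalar-context hack gives: $file_\n";                  # 1

# Validate, then capture in list context. Only an id matching the strict
# pattern gets through, and a regex capture is untainted by definition.
sub untaint_session_path {
    my ($directory, $id) = @_;
    my ($clean_id) = $id =~ /\A([A-Za-z0-9_-]{1,64})\z/
        or die "session id failed validation";
    return File::Spec->catfile($directory, sprintf($FileName, $clean_id));
}

my $safe = untaint_session_path($dir, $sid);
printf "validated path tainted? %s\n", tainted($safe) ? 'yes' : 'no';  # no
open my $fh, '>', $safe or die "open $safe: $!";
print {$fh} "session data\n";
close $fh;
print "write via validated path: allowed\n";
```

`Scalar::Util::tainted` is the check to put in a storage driver's test suite: assert that whatever the driver returns to callers is untainted only after it has passed an explicit format check, so a future change that drops the validation (or re-introduces a scalar-context match) fails the test instead of failing in production once perl tightens a taint check.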