Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-13 Thread Niko Tyni
On Thu, Jan 13, 2011 at 10:35:00PM +, Adam D. Barratt wrote:
> On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> > I've now uploaded
> >
> > - 3.38-2lenny2
> >
> > I was a bit hesitant since I haven't seen a comment from the RT about
> > the uploads to lenny/squeeze; but they can still decide now if they
> > accept the packages or not :)
>
> I've flagged the lenny package to be accepted at the next dinstall;
> thanks.

I thought stable would be fixed with a DSA, but as the next Lenny point
release will be out real soon (Jan 22nd, stable NEW freezes on the 17th),
I suppose that's just as good. Cc'ing the security team.

I'll try to get a perl lenny upload (#606995) in stable NEW by Monday.

That still leaves libcgi-simple-perl (#606379) unfixed. Is anybody looking at 
that?
-- 
Niko Tyni   nt...@debian.org



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-05 Thread Niko Tyni
On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
> > On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> > > On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > > > Moritz Muehlenhoff j...@debian.org writes:
> > > > > Three security issues have been reported in libcgi-pm-perl:
> > > > >
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > > >
> > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > issue?
> >
> > https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
> >
> > Mark, is this double newline injection fix the new patch referred above?

I think this is confirmed by
 http://www.openwall.com/lists/oss-security/2011/01/04/9 

which also contains a link to the corresponding CGI-Simple fix at
 
http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da

There's going to be a new upstream release of CGI.pm soon.

I hope I can make the time for perl 5.10.1-17 to unstable with just the
CGI.pm fixes and urgency=high in the next few days.  (If somebody else
wants to do it, I'm ecstatic.)
-- 
Niko Tyni   nt...@debian.org






Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-04 Thread gregor herrmann
On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:

> On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > Assuming this is the case, I'm attaching preliminary patches for
> > Thanks!
> Could you upload the fixes targeted at squeeze to tpu?

I'm happy to take care of libcgi-pm-perl.

If the release team agrees (cc'ed) that could be
- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable

(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)


I'd rather leave perl-modules to Niko.


Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:

http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes

1.113   2010-12-27
  - (thanks to Yamada Masahiro) randomise multipart boundary string
    (security).
...
Security: Fix handling of embedded malicious newlines in header
  values This is a direct port of the same security fix that

Security: use a random MIME boundary by default in
  multipart_init(). This is a direct port of the same issue
  which was addressed in CGI.pm, preventing some kinds of
  potential header injection attacks.

Port from CGI.pm: Fix multi-line header parsing.
  This fix is covered by the tests in t/header.t added in
  the previous patch. If you run those tests without this
  patch, you'll see how the headers would be malformed
  without this fix.

Port CRLF injection prevention from CGI.pm

I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT  SPI, fellow of Free Software Foundation Europe
   `-NP: Beatles: Helter Skelter


signature.asc
Description: Digital signature
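
The header handling named in the CGI-Simple changelog quoted above (refuse embedded newlines in header values, use a random multipart boundary), as an added Perl example that is not part of the thread and is not CGI.pm or CGI::Simple code. The helper names `safe_header_value` and `random_boundary`, the sample values and the use of `/dev/urandom` are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not CGI.pm or CGI::Simple code): validate one
# header value before it is written to the response.
sub safe_header_value {
    my ($value) = @_;
    # RFC 822 unfolding: a line break followed by a space or tab is a
    # continuation of the same header, so keep only the whitespace.
    $value =~ s/(?:\015\012|\015|\012)([ \t])/$1/g;
    # Any line break left over would start a new header line, or with two
    # in a row end the header block, so the value is refused.
    die "header value contains a newline not followed by whitespace\n"
        if $value =~ /[\015\012]/;
    return $value;
}

# Hypothetical helper: a multipart boundary that cannot be predicted.
# Assumes a Unix-like system with /dev/urandom.
sub random_boundary {
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return 'boundary_' . unpack('H*', $bytes);
}

# Constructed sample values, not taken from the thread.
my @samples = (
    [ 'plain'          => "report.txt" ],
    [ 'folded'         => "a long value\015\012 continued here" ],
    [ 'single newline' => "x\015\012Set-Cookie: sid=1" ],
    [ 'double newline' => "x\015\012\015\012<html>body" ],
);
for my $s (@samples) {
    my ($name, $value) = @$s;
    my $out = eval { safe_header_value($value) };
    printf "%-15s %s\n", $name, defined $out ? "accepted: $out" : "rejected";
}
print "boundary: ", random_boundary(), "\n";
```

The first two samples are accepted (the folded one is unfolded onto a single line); the single-newline and double-newline samples are rejected.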


Bug#606370: Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2011-01-04 Thread Julien Cristau
On Tue, Jan  4, 2011 at 19:45:56 +0100, gregor herrmann wrote:

> On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
>
> > On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > > Assuming this is the case, I'm attaching preliminary patches for
> > > Thanks!
> > Could you upload the fixes targeted at squeeze to tpu?
>
> I'm happy to take care of libcgi-pm-perl.
>
> If the release team agrees (cc'ed) that could be

debian-rele...@lists works better than debian-rele...@bugs.  Fixed.

Cheers,
Julien




Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

2010-12-27 Thread gregor herrmann
tag 606370 + patch
tag 606995 + patch
thanks

On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:

> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > issue?
> >
> > https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Thanks for digging this out; I was looking a few times and never
understood CVE-2010-4411 ...

> Assuming this is the case, I'm attaching preliminary patches for

Thanks!

> I haven't looked at libcgi-simple-perl at all.

I think Damyan has started to look at it.


Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT  SPI, fellow of Free Software Foundation Europe
   `-NP: Beatles

