Processed: Re: Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)
Processing control commands:

> tags -1 - moreinfo
Bug #991103 [release.debian.org] unblock: collectd/5.12.0-7 (pre-approval)
Removed tag(s) moreinfo.

--
991103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991103
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)
Control: tags -1 - moreinfo

On Sat, 17 Jul 2021 20:28:05 +0200 Sebastian Ramacher wrote:
> Control: tags -1 moreinfo confirmed
> snip
> ACK, please go ahead and remove the moreinfo tag once the new version is
> available in unstable.

Done.
Processed: Re: Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)
Processing control commands:

> tags -1 moreinfo confirmed
Bug #991103 [release.debian.org] unblock: collectd/5.12.0-7 (pre-approval)
Added tag(s) moreinfo and confirmed.

--
991103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991103
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)
Control: tags -1 moreinfo confirmed

On 2021-07-14 22:48:15 +0900, Kentaro Hayashi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: ken...@xdump.org
>
> Please unblock package collectd
>
> [ Reason ]
>
> Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
>
> If collection3 is set up (not enabled by default), the following error is sent
> to the logs repeatedly.
>
> FastCGI sent in stderr: "CGI::param called in list context from
> /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm
> line 529, this can lead to vulnerabilities. See the warning in "Fetching the
> value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
>
> This has not actually been assigned a CVE, but it is an unexpected situation.
>
> [ Impact ]
>
> It doesn't break collectd behavior at all.
>
> It only fixes the generation of tons of warning messages about inappropriate
> usage of param() via the bundled web interface utility (collection3).
>
> [ Tests ]
>
> Not ready for an automated test because it needs to run collection3 as a CGI.
> So, I manually tested the attached patch.
>
> [ Risks ]
>
> Low, because there are very few reverse dependencies and it is only affected
> when the web interface is enabled.
>
> % LANG=C apt rdepends collectd
> collectd
> Reverse Depends:
>   Replaces: collectd-utils (<< 4.6.1-1~)
>   Recommends: kcollectd
>   Suggests: drraw
>   Suggests: libcollectdclient1
>   Replaces: collectd-core (<< 4.8.2-1~)
>   Recommends: collectd-utils
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> I've prepared a debdiff patch.
>
> unblock collectd/5.12.0-7

ACK, please go ahead and remove the moreinfo tag once the new version is
available in unstable.
Cheers > diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog > --- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.0 +0900 > +++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.0 +0900 > @@ -1,3 +1,10 @@ > +collectd (5.12.0-7) unstable; urgency=medium > + > + * Team upload. > + * Fix CGI::param error in collection3 (Closes: 982294) > + > + -- Kentaro Hayashi Wed, 14 Jul 2021 21:46:02 +0900 > + > collectd (5.12.0-6) unstable; urgency=medium > >* [b4e7861] collectd-dev: Add missing header files again. > diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch > collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch > --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch > 1970-01-01 09:00:00.0 +0900 > +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch > 2021-07-14 21:46:02.0 +0900 
> @@ -0,0 +1,58 @@ > +From: Kentaro Hayashi > +Subject: Fix CGI::param error in collection3 > +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 > +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6 > + > +When using collection3 as a CGI, the following error is sent to logs > repeatedly. > +This MR fixes it: > + > + FastCGI sent in stderr: "CGI::param called in list context from > /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm > line 529, this can lead to vulnerabilities. See the warning in "Fetching the > value or values of a single named parameter" at /usr/share/perl5/CGI.pm line > 412" > + > +This is caused by inappropriate usage of param(), > +it should be handled as a scalar or should be treated by multi_param() > explicitly. > + > +Closes: #982294 > + > +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 > + > +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm > b/contrib/collection3/lib/Collectd/Graph/Common.pm > +@@ -526,7 +526,7 @@ > + for (qw(hostname plugin plugin_instance type type_instance)) > + { > + my $part = $_; > +-my @temp = param ($part); > ++my @temp = multi_param ($part); > + if (!@temp) > + { > + next; > +@@ -547,9 +547,9 @@ > + sub get_timespan_selection > + { > + my $ret = 86400; > +- if (param ('timespan')) > ++ if (scalar param ('timespan')) > + { > +-my $temp = int (param ('timespan')); > ++my $temp = int (scalar param ('timespan')); > + if ($temp && ($temp > 0)) > + { > + $ret = $temp; > +@@ -568,7 +568,7 @@ > + $ret{$_} = 0; > + } > + > +- for (param ('hostname')) > ++ for (multi_param ('hostname')) > + { > + my $host = _sanitize_generic_allow_minus ($_); > + if (defined ($ret{$host})) > +@@ -597,7 +597,7 @@ > + $ret{$_} = 0; > + } > + > +- for (param ('plugin')) > ++ for (multi_param ('plugin')) > + { > + if (defined ($ret{$_})) > + { > diff -Nru collectd-5.12.0/debian/patches/series > collectd-5.12.0/debian/patches/series > ---
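The warning quoted in the report above comes from CGI.pm's check for param() being called in list context. The script below is an added example, not code from the bug report, from collectd or from collection3: it shows why a list-context call is unsafe when it feeds a hash, and what the two replacements used in the debdiff (`scalar param` and `multi_param`) change. It assumes a CGI.pm of version 4.08 or later (the first release providing multi_param()) and uses a constructed query string in place of a real request.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of collectd/collection3.
# Assumes CGI.pm >= 4.08, which provides multi_param().
use strict;
use warnings;
use CGI;

# Constructed request: the client repeats "name" three times and sends one
# "timespan". Nothing stops a client from repeating any parameter it likes.
my $q = CGI->new('name=alice&name=admin&name=1&timespan=3600');

# UNSAFE: param() in list context returns every value of "name", and the
# list is flattened into the hash constructor, so the surplus values are
# read as additional key/value pairs that can override "admin".
# CGI.pm >= 4.08 emits the same "called in list context ... this can lead
# to vulnerabilities" warning seen in the collection3 logs for this call.
sub unsafe_opts {
    my %opts = (admin => 0, name => $q->param('name'));
    return \%opts;
}

# SAFE when exactly one value is wanted: scalar context returns only the
# first value, so the hash keeps exactly the keys written in the source.
sub safe_scalar_opts {
    my %opts = (admin => 0, name => scalar $q->param('name'));
    return \%opts;
}

# SAFE when a list really is wanted: ask for it explicitly with
# multi_param() and keep it in an array, never inside a hash constructor.
sub names_as_list {
    my @names = $q->multi_param('name');
    return \@names;
}

# Mirror of collection3's get_timespan_selection() after the patch: scalar
# context for the check and for the int() conversion, defaulting to one
# day when the parameter is missing, non-numeric or not positive.
sub timespan_selection {
    my $ret = 86400;
    if (scalar $q->param('timespan')) {
        my $temp = int(scalar $q->param('timespan'));
        $ret = $temp if $temp && $temp > 0;
    }
    return $ret;
}

my $unsafe = unsafe_opts();
printf "unsafe:   name=%s admin=%s\n", $unsafe->{name}, $unsafe->{admin};
my $safe = safe_scalar_opts();
printf "scalar:   name=%s admin=%s\n", $safe->{name}, $safe->{admin};
printf "multi:    %s\n", join(',', @{ names_as_list() });
printf "timespan: %d\n", timespan_selection();
```

With the constructed request, unsafe_opts() ends up with admin set to 1 because the flattened list reads as (admin, 0, name, alice, admin, 1), while safe_scalar_opts() keeps admin at 0 and name at alice; the unsafe call also prints the list-context warning on stderr, which is exactly the noise the debdiff removes from collection3's logs. The point of the fix is therefore not only quieter logs: every call site now states whether it wants one value or all of them.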
Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ken...@xdump.org

Please unblock package collectd

[ Reason ]

Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294

If collection3 is set up (not enabled by default), the following error is sent
to the logs repeatedly.

FastCGI sent in stderr: "CGI::param called in list context from
/usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm
line 529, this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"

This has not actually been assigned a CVE, but it is an unexpected situation.

[ Impact ]

It doesn't break collectd behavior at all.

It only fixes the generation of tons of warning messages about inappropriate
usage of param() via the bundled web interface utility (collection3).

[ Tests ]

Not ready for an automated test because it needs to run collection3 as a CGI.
So, I manually tested the attached patch.

[ Risks ]

Low, because there are very few reverse dependencies and it is only affected
when the web interface is enabled.

% LANG=C apt rdepends collectd
collectd
Reverse Depends:
  Replaces: collectd-utils (<< 4.6.1-1~)
  Recommends: kcollectd
  Suggests: drraw
  Suggests: libcollectdclient1
  Replaces: collectd-core (<< 4.8.2-1~)
  Recommends: collectd-utils

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]

I've prepared a debdiff patch.

unblock collectd/5.12.0-7

diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog --- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.0 +0900 +++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.0 +0900 
@@ -1,3 +1,10 @@ +collectd (5.12.0-7) unstable; urgency=medium + + * Team upload. + * Fix CGI::param error in collection3 (Closes: 982294) + + -- Kentaro Hayashi Wed, 14 Jul 2021 21:46:02 +0900 + collectd (5.12.0-6) unstable; urgency=medium * [b4e7861] collectd-dev: Add missing header files again. diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 1970-01-01 09:00:00.0 +0900 +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 2021-07-14 21:46:02.0 +0900 
@@ -0,0 +1,58 @@ +From: Kentaro Hayashi +Subject: Fix CGI::param error in collection3 +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6 + +When using collection3 as a CGI, the following error is sent to logs repeatedly. +This MR fixes it: + + FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412" + +This is caused by inappropriate usage of param(), +it should be handled as a scalar or should be treated by multi_param() explicitly. + +Closes: #982294 + +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 + +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm b/contrib/collection3/lib/Collectd/Graph/Common.pm +@@ -526,7 +526,7 @@ + for (qw(hostname plugin plugin_instance type type_instance)) + { + my $part = $_; +-my @temp = param ($part); ++my @temp = multi_param ($part); + if (!@temp) + { + next; +@@ -547,9 +547,9 @@ + sub get_timespan_selection + { + my $ret = 86400; +- if (param ('timespan')) ++ if (scalar param ('timespan')) + { +-my $temp = int (param ('timespan')); ++my $temp = int (scalar param ('timespan')); + if ($temp && ($temp > 0)) + { + $ret = $temp; +@@ -568,7 +568,7 @@ + $ret{$_} = 0; + } + +- for (param ('hostname')) ++ for (multi_param ('hostname')) + { + my $host = _sanitize_generic_allow_minus ($_); + if (defined ($ret{$host})) +@@ -597,7 +597,7 @@ + $ret{$_} = 0; + } + +- for (param ('plugin')) ++ for (multi_param ('plugin')) + { + if (defined ($ret{$_})) + { diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series --- collectd-5.12.0/debian/patches/series 2021-06-02 00:56:33.0 +0900 +++ collectd-5.12.0/debian/patches/series 2021-07-14 21:46:02.0 +0900 
@@ -3,3 +3,4 @@ myplugin_includes.patch nagios-debian-paths.patch fix-smart-test +cgi-param-in-list-context.patch
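Review bot: the changelog hunk writes `* Fix CGI::param error in collection3 (Closes: 982294)` without the `#` that the bug-closing convention uses, while the DEP-3 header inside cgi-param-in-list-context.patch writes `Closes: #982294`; dpkg's changelog parser accepts both spellings, but `(Closes: #982294)` is what `dch --closes` emits and keeps the two consistent.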
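Review bot: in the DEP-3 header of cgi-param-in-list-context.patch, `Bug:` is the field for the upstream bug tracker; since the link is to the Debian BTS it should be `Bug-Debian: https://bugs.debian.org/982294`. Likewise `Forwarded:` is meant to say whether the change was sent upstream (a URL in collectd's own tracker, or `no` / `not-needed`); the salsa URL given is the Debian packaging merge request, which is not upstream. The separate `Closes: #982294` and `ref. https://bugs.debian.org/...` lines then duplicate the Bug-Debian field and can be dropped.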
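Review bot: in the `@@ -547,9 +547,9 @@` hunk of Common.pm the two added `scalar` prefixes are redundant: the condition of `if (...)` and the operand of `int (...)` are already evaluated in scalar context, so CGI.pm's list-context check (it tests `wantarray`) never fired from those lines, and the log excerpt in the description indeed cites only line 529, the `my @temp = param ($part);` list assignment. The change is harmless and makes the intent explicit, so keeping it is fine, but the description should say these two lines are clarity-only rather than part of the warning fix.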
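Review bot: the `for (multi_param ('hostname'))` and `for (multi_param ('plugin'))` loops in the `@@ -568` and `@@ -597` hunks correctly keep list semantics, since a `foreach` list is list context and those call sites would also have triggered the warning; the values are only used as keys checked against the pre-populated `%ret` (`if (defined ($ret{$host}))`), so unexpected values from a repeated parameter are discarded. What the `@@ -526` hunk does not show is where `@temp` is consumed after `my @temp = multi_param ($part);`; the assignment already produced a list before the change, so behaviour is unchanged, but it is worth confirming that the consumer expects repeated `hostname=` / `plugin=` values rather than a single one.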