Processed: Re: Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)

2021-07-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #991103 [release.debian.org] unblock: collectd/5.12.0-7 (pre-approval)
Removed tag(s) moreinfo.

-- 
991103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991103
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)

2021-07-20 Thread Kentaro Hayashi
Control: tags -1 - moreinfo

On Sat, 17 Jul 2021 20:28:05 +0200 Sebastian Ramacher wrote:
> Control: tags -1 moreinfo confirmed
> 
snip
> ACK, please go ahead and remove the moreinfo tag once the new version is
> available in unstable.

Done.



Processed: Re: Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)

2021-07-17 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo confirmed
Bug #991103 [release.debian.org] unblock: collectd/5.12.0-7 (pre-approval)
Added tag(s) moreinfo and confirmed.




Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)

2021-07-17 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2021-07-14 22:48:15 +0900, Kentaro Hayashi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: ken...@xdump.org
> 
> Please unblock package collectd
> 
> [ Reason ]
> 
> Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
> 
> If collection3 is set up (it is not enabled by default), the following error is sent
> to the logs repeatedly.
> 
>   FastCGI sent in stderr: "CGI::param called in list context from
> /usr/share/doc/collectd-core/examples/collection3/lib/
> Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the
> warning in "Fetching the value or values of a single named parameter" at
> /usr/share/perl5/CGI.pm line 412"
> 
> This has not actually been assigned a CVE, but it is an unexpected situation.
> 
> [ Impact ]
> 
> It doesn't break collectd behavior at all.
> 
> It only fixes the issue of tons of warning messages being generated
> about inappropriate usage of param() via the bundled web interface utility
> (collection3).
> 
> [ Tests ]
> 
> Not ready for an automated test because it needs to run collection3 as a CGI.
> So, I manually tested the attached patch.
> 
> [ Risks ]
> 
> Low, because there are very limited reverse dependencies and it is only affected when the web
> interface is enabled.
> 
> % LANG=C apt rdepends collectd
> collectd
> Reverse Depends:
>   Replaces: collectd-utils (<< 4.6.1-1~)
>   Recommends: kcollectd
>   Suggests: drraw
>   Suggests: libcollectdclient1
>   Replaces: collectd-core (<< 4.8.2-1~)
>   Recommends: collectd-utils
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> 
> I've prepared debdiff patch.
> 
> unblock collectd/5.12.0-7

ACK, please go ahead and remove the moreinfo tag once the new version is
available in unstable.

Cheers

> diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog
> --- collectd-5.12.0/debian/changelog  2021-06-02 00:56:33.0 +0900
> +++ collectd-5.12.0/debian/changelog  2021-07-14 21:46:02.0 +0900
> @@ -1,3 +1,10 @@
> +collectd (5.12.0-7) unstable; urgency=medium
> +
> +  * Team upload.
> +  * Fix CGI::param error in collection3 (Closes: 982294)
> +
> + -- Kentaro Hayashi   Wed, 14 Jul 2021 21:46:02 +0900
> +
>  collectd (5.12.0-6) unstable; urgency=medium
>  
>* [b4e7861] collectd-dev: Add missing header files again.
> diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 
> collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
> --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
> 1970-01-01 09:00:00.0 +0900
> +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
> 2021-07-14 21:46:02.0 +0900
> @@ -0,0 +1,58 @@
> +From: Kentaro Hayashi 
> +Subject: Fix CGI::param error in collection3
> +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
> +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6
> +
> +When using collection3 as a CGI, the following error is sent to logs 
> repeatedly.
> +This MR fixes it:
> +
> +  FastCGI sent in stderr: "CGI::param called in list context from 
> /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm
>  line 529, this can lead to vulnerabilities. See the warning in "Fetching the 
> value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 
> 412"
> +
> +This is caused by inappropriate usage of param(),
> +it should be handled as a scalar or should be treated by multi_param() 
> explicitly.
> +
> +Closes: #982294
> +
> +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
> +
> +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm
>  b/contrib/collection3/lib/Collectd/Graph/Common.pm
> +@@ -526,7 +526,7 @@
> +   for (qw(hostname plugin plugin_instance type type_instance))
> +   {
> + my $part = $_;
> +-my @temp = param ($part);
> ++my @temp = multi_param ($part);
> + if (!@temp)
> + {
> +   next;
> +@@ -547,9 +547,9 @@
> + sub get_timespan_selection
> + {
> +   my $ret = 86400;
> +-  if (param ('timespan'))
> ++  if (scalar param ('timespan'))
> +   {
> +-my $temp = int (param ('timespan'));
> ++my $temp = int (scalar param ('timespan'));
> + if ($temp && ($temp > 0))
> + {
> +   $ret = $temp;
> +@@ -568,7 +568,7 @@
> + $ret{$_} = 0;
> +   }
> + 
> +-  for (param ('hostname'))
> ++  for (multi_param ('hostname'))
> +   {
> + my $host = _sanitize_generic_allow_minus ($_);
> + if (defined ($ret{$host}))
> +@@ -597,7 +597,7 @@
> + $ret{$_} = 0;
> +   }
> + 
> +-  for (param ('plugin'))
> ++  for (multi_param ('plugin'))
> +   {
> + if (defined ($ret{$_}))
> + {
> diff -Nru collectd-5.12.0/debian/patches/series 
> collectd-5.12.0/debian/patches/series
> --- 

Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)

2021-07-14 Thread Kentaro Hayashi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ken...@xdump.org

Please unblock package collectd

[ Reason ]

Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294

If collection3 is set up (it is not enabled by default), the following error is sent
to the logs repeatedly.

  FastCGI sent in stderr: "CGI::param called in list context from
/usr/share/doc/collectd-core/examples/collection3/lib/
Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the
warning in "Fetching the value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 412"

This has not actually been assigned a CVE, but it is an unexpected situation.

[ Impact ]

It doesn't break collectd behavior at all.

It only fixes the issue of tons of warning messages being generated
about inappropriate usage of param() via the bundled web interface utility
(collection3).

[ Tests ]

Not ready for an automated test because it needs to run collection3 as a CGI.
So, I manually tested the attached patch.

[ Risks ]

Low, because there are very limited reverse dependencies and it is only affected when the web
interface is enabled.

% LANG=C apt rdepends collectd
collectd
Reverse Depends:
  Replaces: collectd-utils (<< 4.6.1-1~)
  Recommends: kcollectd
  Suggests: drraw
  Suggests: libcollectdclient1
  Replaces: collectd-core (<< 4.8.2-1~)
  Recommends: collectd-utils

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

I've prepared debdiff patch.

unblock collectd/5.12.0-7
diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog
--- collectd-5.12.0/debian/changelog	2021-06-02 00:56:33.0 +0900
+++ collectd-5.12.0/debian/changelog	2021-07-14 21:46:02.0 +0900
@@ -1,3 +1,10 @@
+collectd (5.12.0-7) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CGI::param error in collection3 (Closes: 982294)
+
+ -- Kentaro Hayashi   Wed, 14 Jul 2021 21:46:02 +0900
+
 collectd (5.12.0-6) unstable; urgency=medium
 
   * [b4e7861] collectd-dev: Add missing header files again.
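Review bot: the changelog line `+  * Fix CGI::param error in collection3 (Closes: 982294)` omits the `#` before the bug number; dpkg-parsechangelog still recognises it, but the conventional form is `(Closes: #982294)`, which also matches the `Closes: #982294` line in the patch header.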
diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
--- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch	1970-01-01 09:00:00.0 +0900
+++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch	2021-07-14 21:46:02.0 +0900
@@ -0,0 +1,58 @@
+From: Kentaro Hayashi 
+Subject: Fix CGI::param error in collection3
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6
+
+When using collection3 as a CGI, the following error is sent to logs repeatedly.
+This MR fixes it:
+
+  FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
+
+This is caused by inappropriate usage of param(),
+it should be handled as a scalar or should be treated by multi_param() explicitly.
+
+Closes: #982294
+
+ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+
+--- a/contrib/collection3/lib/Collectd/Graph/Common.pm
 b/contrib/collection3/lib/Collectd/Graph/Common.pm
+@@ -526,7 +526,7 @@
+   for (qw(hostname plugin plugin_instance type type_instance))
+   {
+ my $part = $_;
+-my @temp = param ($part);
++my @temp = multi_param ($part);
+ if (!@temp)
+ {
+   next;
+@@ -547,9 +547,9 @@
+ sub get_timespan_selection
+ {
+   my $ret = 86400;
+-  if (param ('timespan'))
++  if (scalar param ('timespan'))
+   {
+-my $temp = int (param ('timespan'));
++my $temp = int (scalar param ('timespan'));
+ if ($temp && ($temp > 0))
+ {
+   $ret = $temp;
+@@ -568,7 +568,7 @@
+ $ret{$_} = 0;
+   }
+ 
+-  for (param ('hostname'))
++  for (multi_param ('hostname'))
+   {
+ my $host = _sanitize_generic_allow_minus ($_);
+ if (defined ($ret{$host}))
+@@ -597,7 +597,7 @@
+ $ret{$_} = 0;
+   }
+ 
+-  for (param ('plugin'))
++  for (multi_param ('plugin'))
+   {
+ if (defined ($ret{$_}))
+ {
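Review bot: the DEP-3 header misuses two fields: `Bug:` is meant for the upstream bug tracker and `Forwarded:` for whether the change was sent to upstream collectd, so the Debian bug belongs in `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294` and `Forwarded:` should point at an upstream submission or say `no` rather than at the salsa merge request. Also, as rendered here the embedded diff's second file header reads ` b/contrib/collection3/lib/Collectd/Graph/Common.pm` without its `+++` prefix; confirm the file in the upload carries the full `+++ b/contrib/collection3/lib/Collectd/Graph/Common.pm` line, since quilt may otherwise fail to apply the patch. Finally, the two `scalar param ('timespan')` changes are harmless but redundant: `if (...)` and `int (...)` already evaluate their argument in scalar context, so those sites never triggered the warning; the behavioural fix is the switch to `multi_param()` at `my @temp = param ($part)` and the two `for (param (...))` loops, where a list is genuinely intended.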
diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series
--- collectd-5.12.0/debian/patches/series	2021-06-02 00:56:33.0 +0900
+++ collectd-5.12.0/debian/patches/series	2021-07-14 21:46:02.0 +0900
@@ -3,3 +3,4 @@
 myplugin_includes.patch
 nagios-debian-paths.patch
 fix-smart-test
+cgi-param-in-list-context.patch
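The three call forms the patch relies on, as an added example that is not code from collectd or from this bug report: it assumes CGI.pm 4.08 or later (which ships multi_param() and the list-context warning) and uses a constructed query string in which both parameters the patch touches are repeated.

```perl
#!/usr/bin/perl
# Added example, not part of the collectd package or the bug report.
# Shows why the patch uses multi_param() at list sites and scalar param()
# at single-value sites. Assumes CGI.pm >= 4.08; the query string is constructed.
use strict;
use warnings;
use CGI;

# A client may repeat any parameter; here timespan and hostname are given twice.
my $q = CGI->new('timespan=86400&timespan=3600&hostname=web1&hostname=web2');

# Sites that want a list (the @temp assignment and for() loops in Common.pm):
# multi_param() states the intent explicitly and does not warn.
my @hosts = $q->multi_param('hostname');            # ('web1', 'web2')

# Sites that want one value (get_timespan_selection): force scalar context.
# CGI.pm returns the first value, so the second timespan is simply ignored.
my $timespan = int(scalar $q->param('timespan'));   # 86400

# The hazard the CGI.pm warning refers to: param() in list context inside a
# hash constructor expands to every value, so the key/value pairs shift.
my %opts = (timespan => $q->param('timespan'), format => 'png');
# %opts is now (timespan => 86400, 3600 => 'format', png => undef); STDERR gets
# "CGI::param called in list context from ... this can lead to vulnerabilities"
# and Perl's "Odd number of elements in hash assignment".

# Corrected form, equivalent to the patch's scalar param (...):
my %safe = (timespan => scalar $q->param('timespan'), format => 'png');

printf "hosts: %s\n",       join(',', @hosts);
printf "timespan: %d\n",    $timespan;
printf "unsafe keys: %s\n", join(',', sort keys %opts);
printf "safe keys: %s\n",   join(',', sort keys %safe);
```

Run it with STDERR visible: the only CGI.pm warning comes from the `%opts` line, which is the same message the report saw from Common.pm line 529.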