Bug#606379: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

gregor herrmann gregoa at debian.org
Tue Jan 4 18:45:56 UTC 2011


On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:

> On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > Assuming this is the case, I'm attaching preliminary patches for
> > Thanks!
> Could you upload the fixes targeted at squeeze to tpu?

I'm happy to take care of libcgi-pm-perl.

If the release team agrees (cc'ed) that could be
- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable

(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)


I'd rather leave perl-modules to Niko.


Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:

http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes

1.113   2010-12-27
      - (thanks to Yamada Masahiro) randomise multipart boundary string
        (security).
...
        Security: Fix handling of embedded malicious newlines in header
          values This is a direct port of the same security fix that

        Security: use a random MIME boundary by default in
          multipart_init(). This is a direct port of the same issue
          which was addressed in CGI.pm, preventing some kinds of
          potential header injection attacks.

        Port from CGI.pm: Fix multi-line header parsing.
          This fix is covered by the tests in t/header.t added in
          the previous patch. If you run those tests without this
          patch, you'll see how the headers would be malformed
          without this fix.

        Port CRLF injection prevention from CGI.pm

I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Beatles: Helter Skelter
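The two fixes quoted from the CGI::Simple Changes file above (rejecting embedded newlines in header values, and using a random rather than fixed MIME boundary in multipart_init()) are illustrated below as an added Python example. It is not CGI.pm or CGI::Simple code and is not part of this message; the function names, the constructed FIXED_BOUNDARY literal and the toy multipart serialiser are all assumptions made for the demonstration. The header check follows the rule the Changes describe: a newline followed by whitespace is a folded continuation line and is accepted, any other newline would start a new header and is rejected.

```python
"""Added illustration of two CGI.pm/CGI::Simple hardening measures
(CRLF injection in header values, random multipart boundary).
Example code only; names and the fixed boundary literal are invented."""
import re
import secrets

# A newline NOT followed by space/tab ends the header line -> injection.
# A newline followed by space/tab is RFC 2616 header folding -> allowed.
_BARE_NEWLINE = re.compile(r"\r?\n(?![ \t])")


def check_header_value(value: str) -> str:
    """Return value unchanged if it can be emitted as one header;
    raise ValueError if it contains a bare CR or an unfolded newline."""
    if "\r" in value.replace("\r\n", ""):          # lone CR, not part of CRLF
        raise ValueError("bare CR in header value")
    if _BARE_NEWLINE.search(value):                # also catches a trailing newline
        raise ValueError("newline not followed by whitespace in header value")
    return value


def is_safe_header_value(value: str) -> bool:
    """Boolean wrapper around check_header_value() for callers and tests."""
    try:
        check_header_value(value)
        return True
    except ValueError:
        return False


def build_header(name: str, value: str) -> str:
    """Emit 'Name: value\\r\\n' only after the value has been validated."""
    return f"{name}: {check_header_value(value)}\r\n"


def make_boundary(nbytes: int = 16) -> str:
    """Unpredictable boundary, as the fix describes (random, not a constant)."""
    return "------- =_" + secrets.token_hex(nbytes)


def multipart_stream(boundary: str, parts: list) -> str:
    """Serialise a multipart/x-mixed-replace body (what a server-push
    multipart_init()/multipart_start() sequence produces); every part is
    text/plain here to keep the example short."""
    out = []
    for body in parts:
        out.append(f"--{boundary}\r\nContent-Type: text/plain\r\n\r\n{body}\r\n")
    out.append(f"--{boundary}--\r\n")
    return "".join(out)


def count_parts(stream: str, boundary: str) -> int:
    """Number of parts a client would see: delimiter lines, excluding
    the closing '--boundary--' line."""
    delim = f"--{boundary}"
    return sum(1 for line in stream.split("\r\n") if line == delim)


# Constructed, predictable boundary standing in for a fixed default.
FIXED_BOUNDARY = "------- =_fixedboundary0"


def attacker_payload(known_boundary: str) -> str:
    """User-supplied content that, when the boundary is guessable, closes
    the current part and opens a forged one with attacker-chosen headers."""
    return ("hello\r\n"
            f"--{known_boundary}\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<script>alert(1)</script>\r\n")


def parts_seen(boundary: str) -> int:
    """The server intends to send two parts; the second carries attacker
    content that embeds the *fixed* boundary. With a fixed boundary the
    client sees a third, forged part; with a random one it does not."""
    stream = multipart_stream(boundary, ["first", attacker_payload(FIXED_BOUNDARY)])
    return count_parts(stream, boundary)


if __name__ == "__main__":
    print(build_header("Content-Type", "text/html; charset=utf-8"), end="")
    print("parts with fixed boundary :", parts_seen(FIXED_BOUNDARY))
    print("parts with random boundary:", parts_seen(make_boundary()))
```

The header check deliberately accepts folded continuation lines rather than stripping every newline, which is the behaviour the "multi-line header parsing" entry refers to; a trailing newline is still rejected because nothing follows it.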