Bug#739505: libcgi-application-perl: CVE-2013-7329: information disclosure flaw

Emmanuel Seyman emmanuel at seyman.fr
Thu Apr 3 00:14:29 UTC 2014


Hi, I'm CGI-Application's maintainer in Fedora.

> I agree that the behavior when a runmode is not defined is surprising and
> a bug, but I think treating it as a full-blown security vulnerability in
> CGI::Application (as opposed to the calling application) may be overkill.
> That said, it looks like Fedora did treat it as a security update.

Yup. I decided to err on the side of caution. Like you, I tend to think
this is overkill but you never know what an application's ENV contains
and I can see CGI-Application's behaviour coming as a surprise.

> The patch in the Github pull request does look correct (although it's an
> irritating patch from a security perspective since it includes apparently
> arbitrary code reformatting).

Indeed. I took the liberty of taking only the parts of the patch that were
important and leaving the code reformatting pieces behind. As a result, the
patch Fedora ships is less intrusive than the one submitted upstream.

You can get a copy of the patch by running the command:
git clone git://pkgs.fedoraproject.org/perl-CGI-Application

Emmanuel
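Added example, not part of this message, the Debian bug report or the CGI::Application project: the thread's point is that the surprising behaviour shows up when the calling application leaves the run mode undefined, so the application-side mitigation is to never rely on the library's defaults. The subclass below declares its start mode and run-mode table explicitly, handles requests for unknown run modes through CGI::Application's documented AUTOLOAD run mode, and routes run-mode failures through error_mode() so that neither path echoes request or environment data back to the client. The package name MyApp, the method names and the messages are assumptions chosen for the example; start_mode(), mode_param(), run_modes(), error_mode() and header_props() are real CGI::Application methods.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';

# setup() is called by CGI::Application before dispatch. Declaring every
# run mode here (and a start mode) means the library never has to fall
# back on its own defaults when the request does not name a run mode.
sub setup {
    my $self = shift;
    $self->mode_param('rm');          # run mode comes from the 'rm' query parameter
    $self->start_mode('home');        # used when 'rm' is absent
    $self->run_modes(
        home     => 'show_home',
        AUTOLOAD => 'unknown_mode',   # called when 'rm' names an undefined mode
    );
    $self->error_mode('handle_error'); # called when a run mode dies
}

sub show_home {
    my $self = shift;
    $self->header_props(-type => 'text/plain');
    return "home\n";
}

# CGI::Application passes the requested (undefined) run mode name as the
# first argument. Log it server-side; send the client a fixed message.
sub unknown_mode {
    my ($self, $requested) = @_;
    warn "MyApp: request for undefined run mode '$requested'\n";
    $self->header_props(-type => 'text/plain', -status => '404 Not Found');
    return "Not found\n";
}

# The error string is passed in; keep it in the server log only. Nothing
# from %ENV or the query object is included in the response body.
sub handle_error {
    my ($self, $error) = @_;
    warn "MyApp: run mode failed: $error\n";
    $self->header_props(-type => 'text/plain', -status => '500 Internal Server Error');
    return "Internal error\n";
}

package main;
MyApp->new->run;
```

Save this as a CGI script and request it with no `rm` parameter, with `rm=home`, and with `rm=anything_else`; the first two reach `show_home` and the third reaches `unknown_mode`. The assumed check, which a reviewer of any CGI::Application-based application can apply, is that every response path is a method the application itself defines.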
