Bug#739505: libcgi-application-perl: CVE-2013-7329: information disclosure flaw

Russ Allbery rra at debian.org
Mon Mar 31 05:06:01 UTC 2014


> An API change introduced in 2008 already (commit 61d327646f01fe) may
> cause unexpected and unwanted data dumps of a complete set of web query
> data and environment to the public. Developers of web apps written
> before the change are probably unaware of the problem since the general
> behaviour only changes in the case of a software error.

For those who haven't looked at it in detail, the bug here is that
CGI::Application will dump the script environment to the web client if the
Perl application that uses it doesn't define a start runmode.  However,
not defining a start runmode is an erroneous use of the library and a bug
in the calling application, and all the examples in the documentation do
set a start runmode.

I agree that the behavior when a runmode is not defined is surprising and
a bug, but I think treating it as a full-blown security vulnerability in
CGI::Application (as opposed to the calling application) may be overkill.
That said, it looks like Fedora did treat it as a security update.

The patch in the Github pull request does look correct (although it's an
irritating patch from a security perspective since it includes apparently
arbitrary code reformatting).

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
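Since the point of the thread is that the dump only happens when the calling application leaves the start run mode undefined, here is what the correct calling side looks like. This is an added illustration, not code from the bug report or from CGI::Application itself; the package name, run mode names and handler names are hypothetical.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';

# A subclass that omits setup(), or omits start_mode()/run_modes() inside
# it, is the pattern the bug report describes: the library falls back to
# its own default start mode, and a request reaches the built-in dump.
# Declaring the start mode and the run mode table explicitly means every
# request is routed to code the application controls.
sub setup {
    my $self = shift;
    $self->start_mode('index');          # mode used when no 'rm' is given
    $self->mode_param('rm');             # query parameter selecting the mode
    $self->run_modes(
        index => 'show_index',
        hello => 'say_hello',
    );
    # Errors raised inside a run mode are routed to handle_error instead of
    # whatever the library would otherwise emit to the client.
    $self->error_mode('handle_error');
}

sub show_index {
    my $self = shift;
    return "<html><body><p>index</p></body></html>";
}

sub say_hello {
    my $self  = shift;
    my $name  = $self->query->param('name') // 'world';
    $name     =~ s/[<>&"']//g;            # strip markup characters before echoing
    return "<html><body><p>Hello, $name</p></body></html>";
}

# Receives the error string as its first argument. Log it server-side and
# return a fixed page so nothing about the environment reaches the client.
sub handle_error {
    my ($self, $error) = @_;
    warn "MyApp error: $error";
    return "<html><body><p>An internal error occurred.</p></body></html>";
}

1;

# Instance script (hypothetical index.cgi):
#   use MyApp;
#   MyApp->new->run;
```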