
Bug#810887: jessie-pu: package libcgi-session-perl/4.48-1+deb8u1



On Wed, Jan 13, 2016 at 11:16:55AM +0000, Dominic Hargreaves wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: debian-perl@lists.debian.org, team@security.debian.org
> 
> We're working on a fix for #810799 which is a regression in Debian
> stable triggered by the recent perl DSA (it will also be triggered by
> the point release update in #809561).
> 
> This should be fixed in jessie, and given the timescale, and the fact
> that it's not technically a regression in the DSA package, the consensus
> seems to be that a point release update is appropriate.

Here's the full debdiff for what I would like to upload. A fixed sid
package (4.48-3) is in incoming.
-- 
Niko Tyni   ntyni@debian.org
diff -Nru libcgi-session-perl-4.48/debian/changelog libcgi-session-perl-4.48/debian/changelog
--- libcgi-session-perl-4.48/debian/changelog	2013-05-26 19:47:25.000000000 +0300
+++ libcgi-session-perl-4.48/debian/changelog	2016-01-15 17:38:24.000000000 +0200
@@ -1,3 +1,12 @@
+libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium
+
+  * Team upload.
+  * Untaint raw data coming from session storage backends.
+    + fixes a taint regression caused by CVE-2015-8607 fixes in perl
+      (Closes: #810799)
+
+ -- Niko Tyni <ntyni@debian.org>  Fri, 15 Jan 2016 17:37:38 +0200
+
 libcgi-session-perl (4.48-1) unstable; urgency=low
 
   [ Nicholas Bamber ]
diff -Nru libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
--- libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch	1970-01-01 02:00:00.000000000 +0200
+++ libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch	2016-01-15 17:35:38.000000000 +0200
@@ -0,0 +1,77 @@
+From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Tue, 12 Jan 2016 23:40:53 +0200
+Subject: [PATCH] Untaint raw data coming from session storage backends
+
+The various storage backends need to be considered trusted,
+so data coming out of them should be untainted.
+
+The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
+but presumably it's OK if it matched some data in the storage.
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
+Bug-Debian: https://bugs.debian.org/810799
+---
+ lib/CGI/Session.pm |  4 ++++
+ t/taint_storage.t  | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+ create mode 100644 t/taint_storage.t
+
+diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
+index 2788b04..6460d4d 100644
+--- a/lib/CGI/Session.pm
++++ b/lib/CGI/Session.pm
+@@ -724,6 +724,10 @@ sub load {
+     # Requested session couldn't be retrieved
+     return $self unless $raw_data;
+ 
++    # untaint; we trust the session backend,
++    # and presumably _CLAIMED_ID too at this point
++    $raw_data =~ /^(.*)$/s and $raw_data = $1;
++
+     my $serializer = $self->_serializer();
+     $self->{_DATA} = $serializer->thaw($raw_data);
+     unless ( defined $self->{_DATA} ) {
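Review bot: The untaint added to load(), `$raw_data =~ /^(.*)$/s and $raw_data = $1;`, matches any byte string, so it clears the taint flag without validating anything, and the result is passed to `$serializer->thaw($raw_data)` two lines later. That is only sound if nothing untrusted can write to the storage backend, and the commit message itself notes that _CLAIMED_ID comes from an HTTP cookie and is "probably tainted". I would state this trust assumption in the module's documentation rather than only in a code comment, and consider checking the claimed ID's format before it is used to look up a record, so that the blanket untaint is not the only barrier between request data and thaw().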
+diff --git a/t/taint_storage.t b/t/taint_storage.t
+new file mode 100644
+index 0000000..95f5f1a
+--- /dev/null
++++ b/t/taint_storage.t
+@@ -0,0 +1,34 @@
++#!/usr/bin/perl -T
++
++# https://rt.cpan.org/Public/Bug/Display.html?id=80346
++
++use strict;
++use warnings;
++use CGI::Session;
++use Scalar::Util qw(tainted);
++use Test::More tests => 6;
++
++my $sid;
++
++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'});
++ok($session, "new() with file+storable");
++
++$session->param('a', 1 );
++
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after new");
++
++$session->flush;
++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'});
++
++ok($session, "load() with file+storable");
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after load");
++
++is($session->param('a'), 1, "parameter stored");
++
++$session->flush;
++
++ok(1, "survived flush");
++
++$session->delete;
+-- 
+2.6.4
+
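Review bot: In t/taint_storage.t the ID passed to `CGI::Session->load(...)` is the `$sid` returned by `$session->id`, which the test has just asserted is not tainted, so the case the commit message reasons about (a tainted _CLAIMED_ID arriving from a cookie) is never exercised. A second load() using a deliberately tainted copy of the ID would show how the module behaves on that path under -T. Separately, `{Directory=>'t'}` writes session files into the source tree; a temporary directory would keep the test from leaving files behind if it dies before `$session->delete`.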
diff -Nru libcgi-session-perl-4.48/debian/patches/series libcgi-session-perl-4.48/debian/patches/series
--- libcgi-session-perl-4.48/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ libcgi-session-perl-4.48/debian/patches/series	2016-01-15 17:35:38.000000000 +0200
@@ -0,0 +1 @@
+0001-Untaint-raw-data-coming-from-session-storage-backend.patch
