Bug#810887: jessie-pu: package libcgi-session-perl/4.48-1+deb8u1
On Wed, Jan 13, 2016 at 11:16:55AM +0000, Dominic Hargreaves wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: debian-perl@lists.debian.org, team@security.debian.org
>
> We're working on a fix for #810799 which is a regression in Debian
> stable triggered by the recent perl DSA (it will also be triggered by
> the point release update in #809561).
>
> This should be fixed in jessie, and given the timescale, and the fact
> that it's not technically a regression in the DSA package, the consensus
> seems to be that a point release update is appropriate.
Here's the full debdiff for what I would like to upload. A fixed sid
package (4.48-3) is in incoming.
--
Niko Tyni ntyni@debian.org
diff -Nru libcgi-session-perl-4.48/debian/changelog libcgi-session-perl-4.48/debian/changelog
--- libcgi-session-perl-4.48/debian/changelog 2013-05-26 19:47:25.000000000 +0300
+++ libcgi-session-perl-4.48/debian/changelog 2016-01-15 17:38:24.000000000 +0200
@@ -1,3 +1,12 @@
+libcgi-session-perl (4.48-1+deb8u1) jessie; urgency=medium
+
+ * Team upload.
+ * Untaint raw data coming from session storage backends.
+ + fixes a taint regression caused by CVE-2015-8607 fixes in perl
+ (Closes: #810799)
+
+ -- Niko Tyni <ntyni@debian.org> Fri, 15 Jan 2016 17:37:38 +0200
+
libcgi-session-perl (4.48-1) unstable; urgency=low
[ Nicholas Bamber ]
diff -Nru libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
--- libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch 1970-01-01 02:00:00.000000000 +0200
+++ libcgi-session-perl-4.48/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch 2016-01-15 17:35:38.000000000 +0200
@@ -0,0 +1,77 @@
+From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Tue, 12 Jan 2016 23:40:53 +0200
+Subject: [PATCH] Untaint raw data coming from session storage backends
+
+The various storage backends need to be considered trusted,
+so data coming out of them should be untainted.
+
+The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
+but presumably it's OK if it matched some data in the storage.
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
+Bug-Debian: https://bugs.debian.org/810799
+---
+ lib/CGI/Session.pm | 4 ++++
+ t/taint_storage.t | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+ create mode 100644 t/taint_storage.t
+
+diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
+index 2788b04..6460d4d 100644
+--- a/lib/CGI/Session.pm
++++ b/lib/CGI/Session.pm
+@@ -724,6 +724,10 @@ sub load {
+ # Requested session couldn't be retrieved
+ return $self unless $raw_data;
+
++ # untaint; we trust the session backend,
++ # and presumably _CLAIMED_ID too at this point
++ $raw_data =~ /^(.*)$/s and $raw_data = $1;
++
+ my $serializer = $self->_serializer();
+ $self->{_DATA} = $serializer->thaw($raw_data);
+ unless ( defined $self->{_DATA} ) {
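Review bot: the untaint `$raw_data =~ /^(.*)$/s and $raw_data = $1;` matches every possible value, so it is a declaration of trust in the storage backend rather than a validation, and the result goes straight into `$serializer->thaw($raw_data)` two lines below. That is consistent with the rationale in the patch description, but the code comment should say so plainly, and the module documentation should state the requirement this creates: the session store (for the file driver, the `Directory` it is given) must not be writable by anyone other than the application, because taint mode will no longer flag data read back from it. The `and` guard is purely defensive here, since `return $self unless $raw_data;` above guarantees a non-empty string and `/^(.*)$/s` always matches one; a comment noting that would save the next reader from wondering whether `$1` can be stale.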
+diff --git a/t/taint_storage.t b/t/taint_storage.t
+new file mode 100644
+index 0000000..95f5f1a
+--- /dev/null
++++ b/t/taint_storage.t
+@@ -0,0 +1,34 @@
++#!/usr/bin/perl -T
++
++# https://rt.cpan.org/Public/Bug/Display.html?id=80346
++
++use strict;
++use warnings;
++use CGI::Session;
++use Scalar::Util qw(tainted);
++use Test::More tests => 6;
++
++my $sid;
++
++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'});
++ok($session, "new() with file+storable");
++
++$session->param('a', 1 );
++
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after new");
++
++$session->flush;
++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'});
++
++ok($session, "load() with file+storable");
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after load");
++
++is($session->param('a'), 1, "parameter stored");
++
++$session->flush;
++
++ok(1, "survived flush");
++
++$session->delete;
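Review bot: the test writes its session file into the source tree (`Directory=>'t'`) and only removes it on the last line via `$session->delete`, so any assertion failing before that leaves a stale session file behind in `t/`; worse, if `load()` returns undef the following `$session->id` dies with a method call on an undefined value instead of a clean `ok` failure, and the file is never deleted. Suggest creating the directory with `File::Temp::tempdir(CLEANUP => 1)` and passing that as `Directory`, and guarding the post-load calls with `BAIL_OUT` (or a `SKIP` block) when `$session` is false. Since the change under test is the untainting of `$raw_data`, it would also be worth asserting `ok(!tainted($session->param('a')), ...)` after the load rather than only checking the value with `is()`, so a regression in the untaint shows up as a test failure instead of a taint-mode die somewhere later.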
+--
+2.6.4
+
diff -Nru libcgi-session-perl-4.48/debian/patches/series libcgi-session-perl-4.48/debian/patches/series
--- libcgi-session-perl-4.48/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ libcgi-session-perl-4.48/debian/patches/series 2016-01-15 17:35:38.000000000 +0200
@@ -0,0 +1 @@
+0001-Untaint-raw-data-coming-from-session-storage-backend.patch