
Bug#991103: unblock: collectd/5.12.0-7 (pre-approval)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: kenhys@xdump.org

Please unblock package collectd

[ Reason ]

Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294

If collection3 is set up (not enabled by default), the following error is sent
to the logs repeatedly.

  FastCGI sent in stderr: "CGI::param called in list context from
  /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm
  line 529, this can lead to vulnerabilities. See the warning in "Fetching the
  value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"

This has not actually been assigned a CVE, but it is an unexpected situation.

[ Impact ]

It doesn't break collectd behavior at all.

It only fixes the issue of tons of warning messages being generated about
inappropriate usage of param() via the bundled web interface utility
(collection3).

[ Tests ]

Not ready for an automated test, because it needs to run collection3 as a CGI.
So I manually tested the attached patch.

[ Risks ]

Low, because there are very limited reverse dependencies and it is only affected
when the web interface is enabled.

% LANG=C apt rdepends collectd
collectd
Reverse Depends:
  Replaces: collectd-utils (<< 4.6.1-1~)
  Recommends: kcollectd
  Suggests: drraw
  Suggests: libcollectdclient1
  Replaces: collectd-core (<< 4.8.2-1~)
  Recommends: collectd-utils

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

I've prepared debdiff patch.

unblock collectd/5.12.0-7
diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog
--- collectd-5.12.0/debian/changelog	2021-06-02 00:56:33.000000000 +0900
+++ collectd-5.12.0/debian/changelog	2021-07-14 21:46:02.000000000 +0900
@@ -1,3 +1,10 @@
+collectd (5.12.0-7) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CGI::param error in collection3 (Closes: 982294)
+
+ -- Kentaro Hayashi <kenhys@xdump.org>  Wed, 14 Jul 2021 21:46:02 +0900
+
 collectd (5.12.0-6) unstable; urgency=medium
 
   * [b4e7861] collectd-dev: Add missing header files again.
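Review bot: the changelog line `* Fix CGI::param error in collection3 (Closes: 982294)` omits the `#` before the bug number; the conventional form, and the one the patch header itself uses further down, is `(Closes: #982294)`. dpkg's changelog parser accepts both spellings, but keeping the `#` matches the rest of the archive.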
diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
--- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch	1970-01-01 09:00:00.000000000 +0900
+++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch	2021-07-14 21:46:02.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kentaro Hayashi <kenhys@xdump.org>
+Subject: Fix CGI::param error in collection3
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6
+
+When using collection3 as a CGI, the following error is sent to logs repeatedly.
+This MR fixes it:
+
+  FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
+
+This is caused by inappropriate usage of param(),
+it should be handled as a scalar or should be treated by multi_param() explicitly.
+
+Closes: #982294
+
+ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+
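Review bot: the DEP-3 `Forwarded:` field points at the Debian packaging repository (a merge request on salsa.debian.org/debian/pkg-collectd) rather than at upstream collectd. Since contrib/collection3 is shipped by upstream, either forward the change to the collectd project and cite that, or set `Forwarded: no` so the patch is not mistaken for one upstream has already seen. The `Closes: #982294` line and the trailing `ref.` URL repeat the `Bug:` field and can be dropped; the "This MR fixes it" wording also reads oddly inside a patch file, where "This patch fixes it" is meant.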
+--- a/contrib/collection3/lib/Collectd/Graph/Common.pm
++++ b/contrib/collection3/lib/Collectd/Graph/Common.pm
+@@ -526,7 +526,7 @@
+   for (qw(hostname plugin plugin_instance type type_instance))
+   {
+     my $part = $_;
+-    my @temp = param ($part);
++    my @temp = multi_param ($part);
+     if (!@temp)
+     {
+       next;
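Review bot: `multi_param ($part)` is the right replacement for the explicit list assignment `my @temp = param ($part);` (this is the line 529 the quoted warning cites), but `multi_param()` only exists in CGI.pm 4.08 and later, so whatever declares collection3's dependency on libcgi-pm-perl should require `>= 4.08`; on an older CGI.pm the call would fail at runtime as an undefined subroutine instead of merely warning.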
+@@ -547,9 +547,9 @@
+ sub get_timespan_selection
+ {
+   my $ret = 86400;
+-  if (param ('timespan'))
++  if (scalar param ('timespan'))
+   {
+-    my $temp = int (param ('timespan'));
++    my $temp = int (scalar param ('timespan'));
+     if ($temp && ($temp > 0))
+     {
+       $ret = $temp;
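Review bot: the two `scalar` additions in `get_timespan_selection` are no-ops: the condition of an `if` and the argument of `int()` are already evaluated in scalar context, so neither `param ('timespan')` call here was in list context and CGI.pm would not have warned about them (the warning quoted above names only line 529, in the previous hunk). They are harmless and document the intent, so keeping them is fine, but they are not part of the fix.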
+@@ -568,7 +568,7 @@
+     $ret{$_} = 0;
+   }
+ 
+-  for (param ('hostname'))
++  for (multi_param ('hostname'))
+   {
+     my $host = _sanitize_generic_allow_minus ($_);
+     if (defined ($ret{$host}))
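Review bot: `for (multi_param ('hostname'))` is correct here because the loop genuinely wants every submitted hostname, and each value is passed through `_sanitize_generic_allow_minus` before it is used as the `$ret{$host}` key. When no `hostname` parameter is present, `multi_param` returns an empty list, the loop body never runs, and the zero-initialised `%ret` from the preceding lines is returned unchanged, which matches what the old `param ('hostname')` did in list context.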
+@@ -597,7 +597,7 @@
+     $ret{$_} = 0;
+   }
+ 
+-  for (param ('plugin'))
++  for (multi_param ('plugin'))
+   {
+     if (defined ($ret{$_}))
+     {
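Review bot: unlike the hostname loop above, this loop uses the raw `$_` from `multi_param ('plugin')` directly as the hash key in `defined ($ret{$_})`, with no sanitising call visible in the hunk. That is safe as long as `%ret` is pre-populated with the known plugin names (so the lookup acts as an allow-list) and the raw value is not used anywhere else; worth a quick check that the unsanitised `$_` is not echoed into output or a file path further down in the function.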
diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series
--- collectd-5.12.0/debian/patches/series	2021-06-02 00:56:33.000000000 +0900
+++ collectd-5.12.0/debian/patches/series	2021-07-14 21:46:02.000000000 +0900
@@ -3,3 +3,4 @@
 myplugin_includes.patch
 nagios-debian-paths.patch
 fix-smart-test
+cgi-param-in-list-context.patch

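The CGI.pm warning quoted in this report ("called in list context ... this can lead to vulnerabilities") points at a real injection pattern in Perl CGI code, which the above patch avoids in two ways: forcing scalar context, or asking for a list explicitly with multi_param(). The following Perl script is an added example, not code from this bug report or from collectd; it shows the vulnerable shape and both fixes. It assumes CGI.pm 4.08 or later (Debian's libcgi-pm-perl), and the query string it parses is constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the Debian bug report or collectd): why CGI.pm warns
# about param() in list context, and the two fixes the collection3 patch uses.
use strict;
use warnings;
use CGI 4.08;    # multi_param() first appeared in CGI.pm 4.08

# Constructed query string (not from the report): "user" is repeated so that
# its extra values land where the caller expected other hash keys.
my $q = CGI->new('user=alice&user=is_admin&user=1&timespan=3600&timespan=999');

# Vulnerable shape: inside a hash constructor param() is in list context and
# expands to ALL submitted values, so the attacker's extra values become a
# key/value pair (is_admin => 1) the code never intended to accept.
# This is the call CGI.pm's "called in list context" warning points at.
sub build_vulnerable {
    my ($cgi) = @_;
    return +{ user => $cgi->param('user'), role => 'guest' };
}

# Fix 1 (as in the timespan hunk): force scalar context, which returns only
# the first value, so no extra keys can be injected.
sub build_fixed {
    my ($cgi) = @_;
    return +{ user => scalar $cgi->param('user'), role => 'guest' };
}

# Fix 2 (as in the hostname/plugin hunks): state explicitly that a list is
# wanted, and treat every element as untrusted input (allow-list filter here).
sub all_users {
    my ($cgi) = @_;
    return grep { /\A[a-z0-9_-]+\z/ } $cgi->multi_param('user');
}

# Numeric parameter handled the way get_timespan_selection() does after the
# patch: scalar context, int(), and a positive-value check with a default.
sub timespan {
    my ($cgi) = @_;
    my $t = int(scalar $cgi->param('timespan'));
    return $t > 0 ? $t : 86400;
}

my $bad = build_vulnerable($q);
print "vulnerable: ", join(', ', map { "$_=$bad->{$_}" } sort keys %$bad), "\n";

my $ok = build_fixed($q);
print "fixed:      ", join(', ', map { "$_=$ok->{$_}" } sort keys %$ok), "\n";

print "multi_param: ", join(' ', all_users($q)), "\n";
print "timespan:    ", timespan($q), "\n";
```

Run it with `perl` and compare the two hash dumps: the vulnerable one contains an `is_admin` key that never appears in the source, the fixed one does not. The `use CGI 4.08` line makes the script fail early with a clear message on a CGI.pm too old to have multi_param(), which is the same constraint the patch introduces for collection3.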