Control: tags -1 moreinfo confirmed
On 2021-07-14 22:48:15 +0900, Kentaro Hayashi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: kenhys@xdump.org
>
> Please unblock package collectd
>
> [ Reason ]
>
> Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
>
> If collection3 is set up (not enabled by default), the following error is sent
> to logs repeatedly.
>
> FastCGI sent in stderr: "CGI::param called in list context from
> /usr/share/doc/collectd-core/examples/collection3/lib/
> Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the
> warning in "Fetching the value or values of a single named parameter" at
> /usr/share/perl5/CGI.pm line 412"
>
> This is not actually assigned as CVE-, but it is an unexpected situation.
>
> [ Impact ]
>
> It doesn't break collectd behavior at all.
>
> It only fixes the issue about generation of tons of warning messages
> about inappropriate usage of param() via bundled web interface utility
> (collection3).
>
> [ Tests ]
>
> Not ready for automated test because it needs to run collection3 as a CGI.
> So, I manually tested the attached patch.
>
> [ Risks ]
>
> Low, because of very limited reverse dependencies, and it is only affected when
> the web interface is enabled.
>
> % LANG=C apt rdepends collectd
> collectd
> Reverse Depends:
> Replaces: collectd-utils (<< 4.6.1-1~)
> Recommends: kcollectd
> Suggests: drraw
> Suggests: libcollectdclient1
> Replaces: collectd-core (<< 4.8.2-1~)
> Recommends: collectd-utils
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> I've prepared a debdiff patch.
>
> unblock collectd/5.12.0-7
ACK, please go ahead and remove the moreinfo tag once the new version is
available in unstable.
Cheers
> diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog
> --- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.000000000 +0900
> +++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.000000000 +0900
> @@ -1,3 +1,10 @@
> +collectd (5.12.0-7) unstable; urgency=medium
> +
> + * Team upload.
> + * Fix CGI::param error in collection3 (Closes: 982294)
> +
> + -- Kentaro Hayashi <kenhys@xdump.org> Wed, 14 Jul 2021 21:46:02 +0900
> +
> collectd (5.12.0-6) unstable; urgency=medium
>
> * [b4e7861] collectd-dev: Add missing header files again.
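Review bot: Style point on the new changelog entry: `Closes: 982294` omits the `#` that the conventional `Closes: #982294` form uses (dpkg's parser treats the `#` as optional, so the bug will still be closed, but the patch header in the same debdiff already writes `Closes: #982294`; keeping both consistent avoids reviewers wondering whether the reference is recognised).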
> diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
> --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 1970-01-01 09:00:00.000000000 +0900
> +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 2021-07-14 21:46:02.000000000 +0900
> @@ -0,0 +1,58 @@
> +From: Kentaro Hayashi <kenhys@xdump.org>
> +Subject: Fix CGI::param error in collection3
> +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
> +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6
> +
> +When using collection3 as a CGI, the following error is sent to logs repeatedly.
> +This MR fixes it:
> +
> + FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
> +
> +This is caused by inappropriate usage of param(),
> +it should be handled as a scalar or should be treated by multi_param() explicitly.
> +
> +Closes: #982294
> +
> +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
> +
> +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm
> ++++ b/contrib/collection3/lib/Collectd/Graph/Common.pm
> +@@ -526,7 +526,7 @@
> + for (qw(hostname plugin plugin_instance type type_instance))
> + {
> + my $part = $_;
> +- my @temp = param ($part);
> ++ my @temp = multi_param ($part);
> + if (!@temp)
> + {
> + next;
> +@@ -547,9 +547,9 @@
> + sub get_timespan_selection
> + {
> + my $ret = 86400;
> +- if (param ('timespan'))
> ++ if (scalar param ('timespan'))
> + {
> +- my $temp = int (param ('timespan'));
> ++ my $temp = int (scalar param ('timespan'));
> + if ($temp && ($temp > 0))
> + {
> + $ret = $temp;
> +@@ -568,7 +568,7 @@
> + $ret{$_} = 0;
> + }
> +
> +- for (param ('hostname'))
> ++ for (multi_param ('hostname'))
> + {
> + my $host = _sanitize_generic_allow_minus ($_);
> + if (defined ($ret{$host}))
> +@@ -597,7 +597,7 @@
> + $ret{$_} = 0;
> + }
> +
> +- for (param ('plugin'))
> ++ for (multi_param ('plugin'))
> + {
> + if (defined ($ret{$_}))
> + {
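Review bot: In the `get_timespan_selection` part of the patch (the `@@ -547,9 +547,9 @@` region) the two `scalar param ('timespan')` changes are no-ops: an `if (...)` condition and the argument of `int()` already impose scalar context, so CGI.pm's `wantarray` check never fired at those call sites. The redundant `scalar` is harmless and documents intent, so it can stay, but the changes that actually silence the reported warning are the three list-context sites converted to `multi_param` (`my @temp = param ($part)`, which is the line 529 named in the log message, and the two `for (param (...))` loops). Two things to verify before upload: `multi_param` was introduced in the same CGI.pm release (4.08) that added the list-context warning, so on an older CGI.pm collection3 now dies with an undefined subroutine instead of merely warning; make sure the perl dependency covers this. Also, the patched file lives in upstream `contrib/collection3/`, but `Forwarded:` points at the Debian packaging merge request on salsa rather than an upstream collectd submission; per DEP-3 it should reference the upstream report, or state `not-needed`/`no` with a reason, so the next maintainer knows whether the fix still has to go upstream.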
> diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series
> --- collectd-5.12.0/debian/patches/series 2021-06-02 00:56:33.000000000 +0900
> +++ collectd-5.12.0/debian/patches/series 2021-07-14 21:46:02.000000000 +0900
> @@ -3,3 +3,4 @@
> myplugin_includes.patch
> nagios-debian-paths.patch
> fix-smart-test
> +cgi-param-in-list-context.patch
--
Sebastian Ramacher