Control: tags -1 moreinfo confirmed

On 2021-07-14 22:48:15 +0900, Kentaro Hayashi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: kenhys@xdump.org
>
> Please unblock package collectd
>
> [ Reason ]
>
> Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
>
> If collection3 is set up (not enabled by default), the following error is sent
> to logs repeatedly.
>
>   FastCGI sent in stderr: "CGI::param called in list context from
>   /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm
>   line 529, this can lead to vulnerabilities. See the warning in "Fetching the
>   value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
>
> This is not actually assigned a CVE, but it is an unexpected situation.
>
> [ Impact ]
>
> It doesn't break collectd behavior at all.
>
> It only fixes the issue about generation of tons of warning messages
> about inappropriate usage of param() via the bundled web interface utility
> (collection3).
>
> [ Tests ]
>
> Not ready for automated test because it needs to run collection3 as a CGI.
> So, I manually tested the attached patch.
>
> [ Risks ]
>
> Low, because of very limited reverse dependencies, and it is only affected
> when the web interface is enabled.
>
> % LANG=C apt rdepends collectd
> collectd
> Reverse Depends:
>   Replaces: collectd-utils (<< 4.6.1-1~)
>   Recommends: kcollectd
>   Suggests: drraw
>   Suggests: libcollectdclient1
>   Replaces: collectd-core (<< 4.8.2-1~)
>   Recommends: collectd-utils
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> I've prepared a debdiff patch.
>
> unblock collectd/5.12.0-7

ACK, please go ahead and remove the moreinfo tag once the new version is
available in unstable.
Cheers > diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog > --- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.000000000 +0900 > +++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.000000000 +0900 > @@ -1,3 +1,10 @@ > +collectd (5.12.0-7) unstable; urgency=medium > + > + * Team upload. > + * Fix CGI::param error in collection3 (Closes: 982294) > + > + -- Kentaro Hayashi <kenhys@xdump.org> Wed, 14 Jul 2021 21:46:02 +0900 > + > collectd (5.12.0-6) unstable; urgency=medium > > * [b4e7861] collectd-dev: Add missing header files again. > diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch > --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 1970-01-01 09:00:00.000000000 +0900 > +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 2021-07-14 21:46:02.000000000 +0900 
> @@ -0,0 +1,58 @@ > +From: Kentaro Hayashi <kenhys@xdump.org> > +Subject: Fix CGI::param error in collection3 > +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 > +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6 > + > +When using collection3 as a CGI, the following error is sent to logs repeatedly. > +This MR fixes it: > + > + FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412" > + > +This is caused by inappropriate usage of param(), > +it should be handled as a scalar or should be treated by multi_param() explicitly. > + > +Closes: #982294 > + > +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 > + > +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm > ++++ b/contrib/collection3/lib/Collectd/Graph/Common.pm > +@@ -526,7 +526,7 @@ > + for (qw(hostname plugin plugin_instance type type_instance)) > + { > + my $part = $_; > +- my @temp = param ($part); > ++ my @temp = multi_param ($part); > + if (!@temp) > + { > + next; > +@@ -547,9 +547,9 @@ > + sub get_timespan_selection > + { > + my $ret = 86400; > +- if (param ('timespan')) > ++ if (scalar param ('timespan')) > + { > +- my $temp = int (param ('timespan')); > ++ my $temp = int (scalar param ('timespan')); > + if ($temp && ($temp > 0)) > + { > + $ret = $temp; > +@@ -568,7 +568,7 @@ > + $ret{$_} = 0; > + } > + > +- for (param ('hostname')) > ++ for (multi_param ('hostname')) > + { > + my $host = _sanitize_generic_allow_minus ($_); > + if (defined ($ret{$host})) > +@@ -597,7 +597,7 @@ > + $ret{$_} = 0; > + } > + > +- for (param ('plugin')) > ++ for (multi_param ('plugin')) > + { > + if (defined ($ret{$_})) > + { > diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series > --- 
collectd-5.12.0/debian/patches/series 2021-06-02 00:56:33.000000000 +0900 > +++ collectd-5.12.0/debian/patches/series 2021-07-14 21:46:02.000000000 +0900 > @@ -3,3 +3,4 @@ > myplugin_includes.patch > nagios-debian-paths.patch > fix-smart-test > +cgi-param-in-list-context.patch -- Sebastian Ramacher
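Review bot: the `my @temp = multi_param ($part);` change in the first Common.pm hunk (@@ -526,7) is the right call for a value that is deliberately consumed as a list, but multi_param() only exists in CGI.pm 4.08 and later, and this file ships as an example under /usr/share/doc/collectd-core/examples/collection3 with no declared dependency on the CGI module; stating the minimum CGI.pm version in the patch header (or a comment at the top of Common.pm) would save the next person who copies the example onto an older Perl from a runtime "Undefined subroutine" error. The logged warning names line 529 only, so a grep of the rest of contrib/collection3 for other list-context param() calls before closing #982294 would confirm nothing else still fires.

Review bot: in the get_timespan_selection hunk (@@ -547,9) `scalar param ('timespan')` is evaluated twice; fetching it once into a lexical, e.g. `my $ts = scalar param ('timespan');`, and testing/int()-ing that makes the single-value intent obvious and avoids the repeated lookup. Separately, `int (scalar param ('timespan'))` on non-numeric input such as timespan=abc emits an "isn't numeric" warning if the module runs under `use warnings`, so a `/^\d+$/` check before int() would keep the log as quiet for garbage input as this patch makes it for the list-context warning.

Review bot: the hostname loop hunk (@@ -568,7) is the one place where the list-context change touches security-relevant handling: every value from `multi_param ('hostname')` still goes through `_sanitize_generic_allow_minus` and is only accepted when `defined ($ret{$host})`, so a client can only select hosts that were already enumerated. Worth saying in the patch header that the change preserves that allow-list behaviour rather than only silencing the warning, since "this can lead to vulnerabilities" in the bug title will otherwise read as if something exploitable was fixed.

Review bot: unlike the hostname loop, the plugin loop hunk (@@ -597,7) uses `$_` from `multi_param ('plugin')` without any sanitizing before `defined ($ret{$_})`; this is safe only because the value is used purely as a lookup key against a pre-populated hash, so a one-line comment to that effect would stop a future change from reusing `$_` in a path or RRD filename.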
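The bug report and patch header say only that param() "should be handled as a scalar or should be treated by multi_param() explicitly". The script below is an added example, not code from collectd, collection3 or the Debian patch, showing what the CGI.pm warning is actually protecting against (extra repeated parameters landing as key/value pairs in a hash built in list context) and how the two forms used in the patch close it. It assumes CGI.pm 4.08 or later is installed (libcgi-pm-perl on Debian) and uses a constructed query string rather than a real request.

```perl
#!/usr/bin/perl
# Added example (not from collectd/collection3 or the Debian patch).
# Demonstrates the parameter-injection risk behind the
# "CGI::param called in list context" warning and the two fixes the
# patch applies: scalar context for single values, multi_param() for
# values that are intentionally a list.
use strict;
use warnings;
use CGI;

# Constructed request (not from the bug report): the client repeats
# "hostname" so the extra values line up as a key/value pair in a hash,
# and sends two "timespan" values.
my $q = CGI->new(
    'hostname=web01&hostname=is_admin&hostname=1&timespan=3600&timespan=7200'
);

# VULNERABLE: param() in list context returns every value, so the list
# assigned to %unsafe is
#   ('hostname', 'web01', 'is_admin', '1', 'role', 'viewer')
# and the client has planted is_admin => 1. CGI.pm 4.08+ prints the same
# warning seen in #982294 for this call site
# (set $CGI::LIST_CONTEXT_WARN = 0 to silence it).
my %unsafe = (
    hostname => $q->param('hostname'),
    role     => 'viewer',
);

# FIXED (single value): scalar context yields only the first value.
my %safe = (
    hostname => scalar $q->param('hostname'),
    role     => 'viewer',
);

# FIXED (intentional list): multi_param() states that all values are
# wanted; this is what the patch does for the hostname/plugin loops.
my @hosts = $q->multi_param('hostname');

# Same shape as the patched get_timespan_selection(): first value only,
# validated before use so garbage input cannot warn from int().
my $timespan = 86400;
my $ts = scalar $q->param('timespan');
if ( defined $ts && $ts =~ /^\d+$/ && int($ts) > 0 ) {
    $timespan = int($ts);
}

printf "unsafe: is_admin=%s role=%s\n",
    $unsafe{is_admin} // 'undef', $unsafe{role};
printf "safe:   is_admin=%s role=%s hostname=%s\n",
    $safe{is_admin} // 'undef', $safe{role}, $safe{hostname};
printf "multi_param hostname: %s\n", join( ',', @hosts );
printf "timespan: %d\n", $timespan;
```

Run it as `perl cgi_param_context.pl`: the first printf shows `is_admin=1` for the list-context hash, the second shows `is_admin=undef` and `hostname=web01` once scalar context is forced, the multi_param line lists all three submitted hostname values, and the timespan comes out as 3600 (the first value) rather than 7200.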