Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: kenhys@xdump.org
Please unblock package collectd
[ Reason ]
Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
If collection3 is set up (not enabled by default), the following error is sent
to the logs repeatedly.
FastCGI sent in stderr: "CGI::param called in list context from
/usr/share/doc/collectd-core/examples/collection3/lib/
Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the
warning in "Fetching the value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 412"
This has not actually been assigned a CVE, but it is an unexpected situation.
[ Impact ]
It doesn't break collectd behavior at all.
It only fixes the issue of tons of warning messages being generated
about inappropriate usage of param() via the bundled web interface utility
(collection3).
[ Tests ]
Not ready for an automated test because it needs to run collection3 as a CGI.
So, I manually tested the attached patch.
[ Risks ]
Low, because there are very limited reverse dependencies and it is only affected
when the web interface is enabled.
% LANG=C apt rdepends collectd
collectd
Reverse Depends:
Replaces: collectd-utils (<< 4.6.1-1~)
Recommends: kcollectd
Suggests: drraw
Suggests: libcollectdclient1
Replaces: collectd-core (<< 4.8.2-1~)
Recommends: collectd-utils
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
I've prepared a debdiff patch.
unblock collectd/5.12.0-7
diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog
--- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.000000000 +0900
+++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.000000000 +0900
@@ -1,3 +1,10 @@
+collectd (5.12.0-7) unstable; urgency=medium
+
+ * Team upload.
+ * Fix CGI::param error in collection3 (Closes: 982294)
+
+ -- Kentaro Hayashi <kenhys@xdump.org> Wed, 14 Jul 2021 21:46:02 +0900
+
collectd (5.12.0-6) unstable; urgency=medium
* [b4e7861] collectd-dev: Add missing header files again.
diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch
--- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 1970-01-01 09:00:00.000000000 +0900
+++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 2021-07-14 21:46:02.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kentaro Hayashi <kenhys@xdump.org>
+Subject: Fix CGI::param error in collection3
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6
+
+When using collection3 as a CGI, the following error is sent to logs repeatedly.
+This MR fixes it:
+
+ FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"
+
+This is caused by inappropriate usage of param(),
+it should be handled as a scalar or should be treated by multi_param() explicitly.
+
+Closes: #982294
+
+ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294
+
+--- a/contrib/collection3/lib/Collectd/Graph/Common.pm
++++ b/contrib/collection3/lib/Collectd/Graph/Common.pm
+@@ -526,7 +526,7 @@
+ for (qw(hostname plugin plugin_instance type type_instance))
+ {
+ my $part = $_;
+- my @temp = param ($part);
++ my @temp = multi_param ($part);
+ if (!@temp)
+ {
+ next;
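Review bot: `multi_param` only exists in CGI.pm 4.08 and later, and this hunk also relies on it being imported into `Collectd::Graph::Common`, whose `use CGI` line is outside the diff; confirm the import list covers it (it should be available through the `:cgi` and `:standard` tags in those versions), otherwise this line fails with an undefined-subroutine error at request time instead of the warning it replaces. Stating the minimum CGI.pm version in the patch header would help the release team check that the version in testing is new enough.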
+@@ -547,9 +547,9 @@
+ sub get_timespan_selection
+ {
+ my $ret = 86400;
+- if (param ('timespan'))
++ if (scalar param ('timespan'))
+ {
+- my $temp = int (param ('timespan'));
++ my $temp = int (scalar param ('timespan'));
+ if ($temp && ($temp > 0))
+ {
+ $ret = $temp;
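Review bot: both `scalar` prefixes in this hunk are semantic no-ops: the condition of `if (...)` and the operand of the named unary operator `int` already evaluate `param` in scalar context, so CGI.pm's `wantarray` check would not have warned on either line (the logged warning names line 529, which is the `@temp` assignment in the previous hunk). Keeping them is harmless and documents intent; if the unblock is meant to be the minimal change for the freeze, this hunk could be dropped without affecting the fix.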
+@@ -568,7 +568,7 @@
+ $ret{$_} = 0;
+ }
+
+- for (param ('hostname'))
++ for (multi_param ('hostname'))
+ {
+ my $host = _sanitize_generic_allow_minus ($_);
+ if (defined ($ret{$host}))
+@@ -597,7 +597,7 @@
+ $ret{$_} = 0;
+ }
+
+- for (param ('plugin'))
++ for (multi_param ('plugin'))
+ {
+ if (defined ($ret{$_}))
+ {
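Review bot: unlike the `hostname` loop, the `plugin` values returned by `multi_param` here are used as-is in `defined ($ret{$_})` without going through a sanitizer; that is safe only because `%ret` is pre-populated in the loop above and unknown values are simply skipped, so a one-line comment saying so would stop a later edit from using `$_` for anything beyond the lookup.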
diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series
--- collectd-5.12.0/debian/patches/series 2021-06-02 00:56:33.000000000 +0900
+++ collectd-5.12.0/debian/patches/series 2021-07-14 21:46:02.000000000 +0900
@@ -3,3 +3,4 @@
myplugin_includes.patch
nagios-debian-paths.patch
fix-smart-test
+cgi-param-in-list-context.patch
--- End Message ---
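The hazard the patch header describes, as an added example in Perl that is not collection3's or the package's code: it builds a CGI object from a constructed query string and contrasts list-context param() with the two forms the patch switches to. The query values, `$q`, and the hash names are assumptions; it needs CGI.pm 4.08 or newer for multi_param().

```perl
#!/usr/bin/perl
# Added example (not collection3 code): why CGI.pm warns about param() in
# list context, and what the two fixes in the patch do instead.
use strict;
use warnings;
use CGI;    # multi_param() needs CGI.pm 4.08 or newer

# Constructed query string standing in for the request collection3 would see:
# 'hostname' is sent three times, the last two chosen so that they look like
# a "key => value" pair once flattened into a list. With a single value the
# unsafe pattern below behaves normally, which is why it goes unnoticed.
my $q = CGI->new('hostname=web01&hostname=admin&hostname=1&timespan=3600');

# 1. The pattern the warning is about: param() in list context inside a hash
#    constructor. Every value is spliced into the list, so the extra pair
#    "admin", "1" lands after the admin => 0 default and replaces it.
#    CGI.pm emits the "called in list context" warning for this line.
my %unsafe = (admin => 0, hostname => $q->param('hostname'));

# 2. Fix used for 'timespan' in the patch: force scalar context, which takes
#    the first value only, so the list can never grow into extra hash keys.
my %safe = (admin => 0, hostname => scalar $q->param('hostname'));

# 3. Fix used for 'hostname' and 'plugin' in the patch: when every value is
#    wanted (the for loops over the parameter), say so with multi_param(),
#    which returns the whole list without the warning. Each value must still
#    be validated before use, as _sanitize_generic_allow_minus does there.
my @all_hosts = $q->multi_param('hostname');

printf "unsafe: admin=%s hostname=%s\n", $unsafe{admin}, $unsafe{hostname};
printf "safe:   admin=%s hostname=%s\n", $safe{admin},   $safe{hostname};
printf "multi_param: %s\n", join(',', @all_hosts);
```

Run it with the CGI.pm warning enabled (the default) to see the same "CGI::param called in list context" message on stderr for the unsafe line only.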