
Bug#1112367: trixie-pu: package libcgi-simple-perl/1.282-1~deb13u1



Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libcgi-simple-perl@packages.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>, gregor herrmann <gregoa@debian.org>, Ansgar Burchardt <ansgar@debian.org>, Niko Tyni <ntyni@debian.org>, Dominic Hargreaves <dom@earth.li>, carnil@debian.org
Control: affects -1 + src:libcgi-simple-perl
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, a HTTP response
flaw.

https://lists.security.metacpan.org/cve-announce/msg/32357435/

It is somehow related to CVE-2010-4410, CVE-2010-4411 and covers more
completely the cases, so the CVE-2010-4411 patch is now superseded
by the new upstream change.

[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.

[ Tests ]
The new upstream version contains an updated test to cover the
additional cases which fail before, and pass afterwards.
(What automated or manual tests cover the affected code?)

[ Risks ]
Targeted fix with test suite coverage (additional tests).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for
  CVE-2010-4411.

[ Other info ]
I decided to make the upload for trixie a rebuild of the unstable one,
so did not do any additional packaging changes in unstable. The new
upstream version contains only the fix for CVE-2025-40927 on top.

Regards,
Salvatore
diff -Nru libcgi-simple-perl-1.281/Changes libcgi-simple-perl-1.282/Changes
--- libcgi-simple-perl-1.281/Changes	2024-01-31 15:16:26.000000000 +0100
+++ libcgi-simple-perl-1.282/Changes	2025-08-28 21:10:33.000000000 +0200
@@ -1,5 +1,11 @@
 Revision history for Perl extension CGI::Simple.
 
+1.282 2025-08-28 MANWAR
+      - Sanitize all user-supplied values before inserting into HTTP headers.
+        Thanks Maxim Kosenko for raising the issue with recommended solution.
+        Thanks breno for the patch.
+        Thanks Stig Palmquist for assiginig it CVE-2025-40927.
+
 1.281 2024-01-31 MANWAR
       - RT-151161 Add CGI::Cookie partitioned support, PR #14, thanks @ldevantier-doseme.
 
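Review bot: typo in the new Changes entry, `Thanks Stig Palmquist for assiginig it CVE-2025-40927.` should read "assigning". This is the upstream file, so it is only worth forwarding upstream rather than patching in Debian.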
diff -Nru libcgi-simple-perl-1.281/MANIFEST libcgi-simple-perl-1.282/MANIFEST
--- libcgi-simple-perl-1.281/MANIFEST	2024-01-31 15:17:15.000000000 +0100
+++ libcgi-simple-perl-1.282/MANIFEST	2025-08-28 21:11:51.000000000 +0200
@@ -5,7 +5,7 @@
 lib/CGI/Simple/Standard.pm
 lib/CGI/Simple/Util.pm
 Makefile.PL
-MANIFEST    		This list of files
+MANIFEST			This list of files
 README
 t/000.load.t
 t/020.cookie.t
diff -Nru libcgi-simple-perl-1.281/META.json libcgi-simple-perl-1.282/META.json
--- libcgi-simple-perl-1.281/META.json	2024-01-31 15:17:15.000000000 +0100
+++ libcgi-simple-perl-1.282/META.json	2025-08-28 21:11:51.000000000 +0200
@@ -4,7 +4,7 @@
       "Andy Armstrong <andy@hexten.net>"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
+   "generated_by" : "ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010",
    "license" : [
       "perl_5"
    ],
@@ -48,6 +48,6 @@
          "x_license" : "http://dev.perl.org/licenses/";
       }
    },
-   "version" : "1.281",
-   "x_serialization_backend" : "JSON::PP version 4.02"
+   "version" : "1.282",
+   "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff -Nru libcgi-simple-perl-1.281/META.yml libcgi-simple-perl-1.282/META.yml
--- libcgi-simple-perl-1.281/META.yml	2024-01-31 15:17:13.000000000 +0100
+++ libcgi-simple-perl-1.282/META.yml	2025-08-28 21:11:51.000000000 +0200
@@ -11,7 +11,7 @@
 configure_requires:
   ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.70, CPAN::Meta::Converter version 2.150010'
 license: perl
 meta-spec:
   url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -23,5 +23,5 @@
     - inc
 resources:
   repository: http://github.com/manwar/CGI--Simple.git
-version: '1.281'
+version: '1.282'
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -Nru libcgi-simple-perl-1.281/debian/changelog libcgi-simple-perl-1.282/debian/changelog
--- libcgi-simple-perl-1.281/debian/changelog	2024-02-04 03:13:47.000000000 +0100
+++ libcgi-simple-perl-1.282/debian/changelog	2025-08-29 05:42:29.000000000 +0200
@@ -1,3 +1,19 @@
+libcgi-simple-perl (1.282-1~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 29 Aug 2025 05:42:29 +0200
+
+libcgi-simple-perl (1.282-1) unstable; urgency=medium
+
+  * Team upload.
+  * Import upstream version 1.282.
+    - Sanitize all user-supplied values before inserting into HTTP headers
+      (CVE-2025-40927)
+  * Drop "Port latest header-injection refinement from CGI.pm"
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 29 Aug 2025 05:26:27 +0200
+
 libcgi-simple-perl (1.281-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru libcgi-simple-perl-1.281/debian/patches/cve-2010-4411.patch libcgi-simple-perl-1.282/debian/patches/cve-2010-4411.patch
--- libcgi-simple-perl-1.281/debian/patches/cve-2010-4411.patch	2024-02-04 03:13:47.000000000 +0100
+++ libcgi-simple-perl-1.282/debian/patches/cve-2010-4411.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-Author: Mark Stosberg <mark@stosberg.com>
-Origin: http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
-Origin: http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
-Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
-
-See also http://www.openwall.com/lists/oss-security/2011/01/04/9
-
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -1011,7 +1011,7 @@
-       $header =~ s/$CRLF(\s)/$1/g;
- 
-       # All other uses of newlines are invalid input.
--      if ( $header =~ m/$CRLF/ ) {
-+      if ($header =~ m/$CRLF|\015|\012/) {
-         # shorten very long values in the diagnostic
-         $header = substr( $header, 0, 72 ) . '...'
-          if ( length $header > 72 );
---- a/t/headers.t
-+++ b/t/headers.t
-@@ -76,3 +76,9 @@
-   'redirect with leading newlines blows up'
- );
- 
-+{
-+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
-+    my $out;
-+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
-+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
-+}
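Review bot: dropping this patch also drops its t/headers.t case, which exercised `$cgi->redirect( $cgi->param('t') )` with a `t=bogus%0A%0A<html>` query and expected the `contains a newline` error; the new upstream test in t/120.header-crlf.t only calls `header()`. Worth confirming that `redirect()` still goes through the same sanitised header path so that case remains covered, or carrying the redirect test forward in a small Debian-local test patch.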
diff -Nru libcgi-simple-perl-1.281/debian/patches/series libcgi-simple-perl-1.282/debian/patches/series
--- libcgi-simple-perl-1.281/debian/patches/series	2024-02-04 03:13:47.000000000 +0100
+++ libcgi-simple-perl-1.282/debian/patches/series	2025-08-29 05:42:29.000000000 +0200
@@ -1,2 +1 @@
-cve-2010-4411.patch
 no-shellwords-pl.patch
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Cookie.pm libcgi-simple-perl-1.282/lib/CGI/Simple/Cookie.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Cookie.pm	2024-01-31 15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Cookie.pm	2025-08-28 21:03:30.000000000 +0200
@@ -13,7 +13,7 @@
 use strict;
 use warnings;
 use vars '$VERSION';
-$VERSION = '1.281';
+$VERSION = '1.282';
 use CGI::Simple::Util qw(rearrange unescape escape);
 use overload '""' => \&as_string, 'cmp' => \&compare, 'fallback' => 1;
 
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Standard.pm libcgi-simple-perl-1.282/lib/CGI/Simple/Standard.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Standard.pm	2024-01-31 15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Standard.pm	2025-08-28 21:03:30.000000000 +0200
@@ -8,7 +8,7 @@
  $NO_UNDEF_PARAMS $USE_PARAM_SEMICOLONS $HEADERS_ONCE
  $NPH $DEBUG $NO_NULL $FATAL *in %EXPORT_TAGS $AUTOLOAD );
 
-$VERSION = "1.281";
+$VERSION = "1.282";
 
 %EXPORT_TAGS = (
   ':html'     => [qw(:misc)],
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple/Util.pm libcgi-simple-perl-1.282/lib/CGI/Simple/Util.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple/Util.pm	2024-01-31 15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple/Util.pm	2025-08-28 21:03:30.000000000 +0200
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 use vars qw( $VERSION @EXPORT_OK @ISA $UTIL );
-$VERSION = '1.281';
+$VERSION = '1.282';
 require Exporter;
 @ISA       = qw( Exporter );
 @EXPORT_OK = qw(
diff -Nru libcgi-simple-perl-1.281/lib/CGI/Simple.pm libcgi-simple-perl-1.282/lib/CGI/Simple.pm
--- libcgi-simple-perl-1.281/lib/CGI/Simple.pm	2024-01-31 15:12:53.000000000 +0100
+++ libcgi-simple-perl-1.282/lib/CGI/Simple.pm	2025-08-28 21:03:30.000000000 +0200
@@ -13,7 +13,7 @@
      $NO_UNDEF_PARAMS, $USE_PARAM_SEMICOLONS, $PARAM_UTF8, $HEADERS_ONCE,
      $NPH, $DEBUG, $NO_NULL, $FATAL);
 
-$VERSION = "1.281";
+$VERSION = "1.282";
 
 # you can hard code the global variable settings here if you want.
 # warning - do not delete the unless defined $VAR part unless you
@@ -998,6 +998,7 @@
    );
 
   my $CRLF = $self->crlf;
+  my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;
 
   # CR escaping for values, per RFC 822
   for my $header (
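Review bot: `$ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/` does not match a lone CR, whereas the dropped cve-2010-4411.patch matched `$CRLF|\015|\012`, i.e. any bare CR or LF, so a value containing a bare "\r" that was rejected in 1.281-1 passes the check below in 1.282. Also, `\015\012` is the same byte sequence as `\r\n` on ASCII platforms, so the third alternative adds nothing. Suggest confirming with upstream whether the narrower match is intended and, if not, adding `\r` as an alternative (e.g. `qr/(?:\r\n|\r|\n)/`) before the rebuild for trixie.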
@@ -1007,11 +1008,12 @@
     if ( defined $header ) {
       # From RFC 822:
       # Unfolding  is  accomplished  by regarding   CRLF   immediately
-      # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
-      $header =~ s/$CRLF(\s)/$1/g;
+      # followed  by  a  LWSP-char  as equivalent to the LWSP-char
+      # (defined in the RFC as a space or a horizontal tab).
+      $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;
 
       # All other uses of newlines are invalid input.
-      if ( $header =~ m/$CRLF/ ) {
+      if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) {
         # shorten very long values in the diagnostic
         $header = substr( $header, 0, 72 ) . '...'
          if ( length $header > 72 );
@@ -1491,7 +1493,7 @@
 
 =head1 VERSION
 
-This document describes CGI::Simple version 1.281.
+This document describes CGI::Simple version 1.282.
 
 =head1 SYNOPSIS
 
diff -Nru libcgi-simple-perl-1.281/t/120.header-crlf.t libcgi-simple-perl-1.282/t/120.header-crlf.t
--- libcgi-simple-perl-1.281/t/120.header-crlf.t	2022-01-02 18:51:35.000000000 +0100
+++ libcgi-simple-perl-1.282/t/120.header-crlf.t	2025-08-28 21:02:40.000000000 +0200
@@ -1,5 +1,5 @@
 use strict;
-use Test::More tests => 2;
+use Test::More tests => 9;
 use Test::Exception;
 use CGI::Simple;
 
@@ -7,14 +7,26 @@
 
 my $CRLF = $cgi->crlf;
 
-is( $cgi->header( '-Test' => "test$CRLF part" ),
-    "Test: test part"
+my %possible_crlf = (
+    '\n'       => "\n",
+    '\r\n'     => "\r\n",
+    '\015\012' => "\015\012",
+);
+for my $k (sort keys %possible_crlf) {
+    is(
+        $cgi->header( '-Test' => "test$possible_crlf{$k} part" ),
+        "Test: test part"
         . $CRLF
         . 'Content-Type: text/html; charset=ISO-8859-1'
         . $CRLF
-        . $CRLF
-);
+        . $CRLF,
+        "header value with $k + space drops the $k and is valid"
+    );
 
-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
-qr/Invalid header value contains a newline not followed by whitespace: test="test/,
-    'invalid CRLF caught';
+    throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}$possible_crlf{$k} part" ) }
+    qr/Invalid header value contains a newline not followed by whitespace: test="test/,
+        'invalid CRLF caught for double ' . $k;
+        throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }
+        qr/Invalid header value contains a newline not followed by whitespace: test="test/,
+        "invalid $k caught not followed by whitespace";
+}
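Review bot: the last `throws_ok` inside the loop (the `"test$possible_crlf{$k}part"` case) is indented one level deeper than the two calls above it; align it with them. Also `'\015\012' => "\015\012"` is the same byte string as `'\r\n' => "\r\n"` on ASCII platforms, so those two keys run identical inputs, and no key exercises a bare "\r"; a `'\r' => "\r"` entry would cover that gap (with `tests => 9` becoming 12).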