
Bug#1112368: bookworm-pu: package libcgi-simple-perl/1.280-2+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libcgi-simple-perl@packages.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>, gregor herrmann <gregoa@debian.org>, Ansgar Burchardt <ansgar@debian.org>, Niko Tyni <ntyni@debian.org>, Dominic Hargreaves <dom@earth.li>, carnil@debian.org
Control: affects -1 + src:libcgi-simple-perl
User: release.debian.org@packages.debian.org
Usertags: pu


Hi Stable release managers,

[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, an HTTP response
flaw.

https://lists.security.metacpan.org/cve-announce/msg/32357435/

It is somehow related to CVE-2010-4410, CVE-2010-4411 and covers more
completely the cases, so the CVE-2010-4411 patch is now superseded
by the new upstream change.

[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.

[ Tests ]
The new upstream version contains an updated test to cover the
additional cases which fail before, and pass afterwards. The
additional tests are included as well along with the cherry-picked fix.

[ Risks ]
Targeted fix with test suite coverage (additional tests).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for
  CVE-2010-4411.

Regards,
Salvatore
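To make the class of input concrete, here is an added Python re-implementation of the header-value check that the debdiff below changes in lib/CGI/Simple.pm, in its "before" and "after" forms; it is not CGI::Simple code and assumes the configured CRLF is "\r\n".

```python
import re
from typing import Optional, Tuple

# Added example, not CGI::Simple code. Each rule set is
# (line-break pattern, pattern for the whitespace that may follow a line
# break when unfolding an RFC 822 continuation line).
# Assumption: $self->crlf is "\r\n".
OLD_RULES = (r"\r\n", r"\s")            # only the configured CRLF counts
NEW_RULES = (r"(?:\r\n|\n)", r"[ \t]")  # the patch's $ALL_POSSIBLE_CRLF; its
                                        # third branch \015\012 is \r\n in octal


def check_header_value(value: str, rules: Tuple[str, str]) -> str:
    """Unfold 'line break + LWSP' to the LWSP char, then reject any line
    break that is left over, mirroring header() in CGI::Simple."""
    newline, lwsp = rules
    unfolded = re.sub(f"{newline}({lwsp})", r"\1", value)
    if re.search(newline, unfolded):
        # shorten very long values in the diagnostic, as the module does
        shown = unfolded[:72] + "..." if len(unfolded) > 72 else unfolded
        raise ValueError(
            "Invalid header value contains a newline not followed by "
            f"whitespace: {shown!r}"
        )
    return unfolded


def classify(value: str, rules: Tuple[str, str]) -> Tuple[str, Optional[str]]:
    """Return ("ok", sanitized value) or ("rejected", None)."""
    try:
        return ("ok", check_header_value(value, rules))
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    # Constructed inputs: a folded value both versions accept, the bare-LF
    # values the upstream test adds, and a double line break both reject.
    for value in ("test\r\n part", "test\n part", "test\npart", "test\r\n\r\n part"):
        print(repr(value), "old:", classify(value, OLD_RULES),
              "new:", classify(value, NEW_RULES))
```

The old rules pass a bare "\n" through untouched, which is the gap the new alternation closes.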
diff -Nru libcgi-simple-perl-1.280/debian/changelog libcgi-simple-perl-1.280/debian/changelog
--- libcgi-simple-perl-1.280/debian/changelog	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/changelog	2025-08-29 05:59:56.000000000 +0200
@@ -1,3 +1,12 @@
+libcgi-simple-perl (1.280-2+deb12u1) bookworm; urgency=medium
+
+  * Drop "Port latest header-injection refinement from CGI.pm" patch.
+    (superseeded by the patch for CVE-2025-40927)
+  * Sanitize all user-supplied values before inserting into HTTP headers
+    (CVE-2025-40927)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 29 Aug 2025 05:59:56 +0200
+
 libcgi-simple-perl (1.280-2) unstable; urgency=medium
 
   [ Debian Janitor ]
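Review bot: the changelog line `(superseeded by the patch for CVE-2025-40927)` misspells "superseded"; worth fixing before upload since the changelog entry is user-visible.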
diff -Nru libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
--- libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch	2025-08-29 05:59:56.000000000 +0200
@@ -0,0 +1,95 @@
+From: Mohammad Sajid Anwar <mohammad.anwar@yahoo.com>
+Date: Thu, 28 Aug 2025 20:12:23 +0100
+Subject: - Sanitize all user-supplied values before inserting into HTTP
+ headers.   Thanks Maxim Kosenko for raising the issue with recommended
+ solution.   Thanks breno for the patch.   Thanks Stig Palmquist for assiginig
+ it CVE-2025-40927.
+Origin: https://github.com/manwar/CGI--Simple/commit/0c1a2e0b8f24804d33daac686666ac944363a630
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40927
+
+---
+ Changes                    |  6 ++++++
+ lib/CGI/Simple.pm          | 12 +++++++-----
+ lib/CGI/Simple/Cookie.pm   |  2 +-
+ lib/CGI/Simple/Standard.pm |  2 +-
+ lib/CGI/Simple/Util.pm     |  2 +-
+ t/120.header-crlf.t        | 28 ++++++++++++++++++++--------
+ 6 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/lib/CGI/Simple.pm b/lib/CGI/Simple.pm
+index ebf13706f987..5125533dfdb1 100644
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -998,6 +998,7 @@ sub header {
+    );
+ 
+   my $CRLF = $self->crlf;
++  my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;
+ 
+   # CR escaping for values, per RFC 822
+   for my $header (
+@@ -1007,11 +1008,12 @@ sub header {
+     if ( defined $header ) {
+       # From RFC 822:
+       # Unfolding  is  accomplished  by regarding   CRLF   immediately
+-      # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+-      $header =~ s/$CRLF(\s)/$1/g;
++      # followed  by  a  LWSP-char  as equivalent to the LWSP-char
++      # (defined in the RFC as a space or a horizontal tab).
++      $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;
+ 
+       # All other uses of newlines are invalid input.
+-      if ( $header =~ m/$CRLF/ ) {
++      if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) {
+         # shorten very long values in the diagnostic
+         $header = substr( $header, 0, 72 ) . '...'
+          if ( length $header > 72 );
+
+diff --git a/t/120.header-crlf.t b/t/120.header-crlf.t
+index d6a4dca78c41..7834b77e8022 100644
+--- a/t/120.header-crlf.t
++++ b/t/120.header-crlf.t
+@@ -1,5 +1,5 @@
+ use strict;
+-use Test::More tests => 2;
++use Test::More tests => 9;
+ use Test::Exception;
+ use CGI::Simple;
+ 
+@@ -7,14 +7,26 @@ my $cgi = CGI::Simple->new;
+ 
+ my $CRLF = $cgi->crlf;
+ 
+-is( $cgi->header( '-Test' => "test$CRLF part" ),
+-    "Test: test part"
++my %possible_crlf = (
++    '\n'       => "\n",
++    '\r\n'     => "\r\n",
++    '\015\012' => "\015\012",
++);
++for my $k (sort keys %possible_crlf) {
++    is(
++        $cgi->header( '-Test' => "test$possible_crlf{$k} part" ),
++        "Test: test part"
+         . $CRLF
+         . 'Content-Type: text/html; charset=ISO-8859-1'
+         . $CRLF
+-        . $CRLF
+-);
++        . $CRLF,
++        "header value with $k + space drops the $k and is valid"
++    );
+ 
+-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
+-qr/Invalid header value contains a newline not followed by whitespace: test="test/,
+-    'invalid CRLF caught';
++    throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}$possible_crlf{$k} part" ) }
++    qr/Invalid header value contains a newline not followed by whitespace: test="test/,
++        'invalid CRLF caught for double ' . $k;
++        throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }
++        qr/Invalid header value contains a newline not followed by whitespace: test="test/,
++        "invalid $k caught not followed by whitespace";
++}
+-- 
+2.51.0
+
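Review bot: the new alternation `my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;` has no branch for a lone CR, and its `\015\012` branch is just `\r\n` written in octal, so it duplicates the first branch; the check being dropped from cve-2010-4411.patch, `if ($header =~ m/$CRLF|\015|\012/) {`, did reject a lone `\015`. Please confirm that accepting a bare CR in a header value is intended, or add `|\r` to the alternation together with a matching case in t/120.header-crlf.t. The same duplication appears in the test's `%possible_crlf` hash, where `'\r\n'` and `'\015\012'` expand to identical strings, so the loop exercises only two distinct line breaks; and the third `throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }` block is indented one level deeper than its siblings inside the loop.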
diff -Nru libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch
--- libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-Author: Mark Stosberg <mark@stosberg.com>
-Origin: http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
-Origin: http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
-Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
-
-See also http://www.openwall.com/lists/oss-security/2011/01/04/9
-
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -1011,7 +1011,7 @@
-       $header =~ s/$CRLF(\s)/$1/g;
- 
-       # All other uses of newlines are invalid input.
--      if ( $header =~ m/$CRLF/ ) {
-+      if ($header =~ m/$CRLF|\015|\012/) {
-         # shorten very long values in the diagnostic
-         $header = substr( $header, 0, 72 ) . '...'
-          if ( length $header > 72 );
---- a/t/headers.t
-+++ b/t/headers.t
-@@ -76,3 +76,9 @@
-   'redirect with leading newlines blows up'
- );
- 
-+{
-+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
-+    my $out;
-+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
-+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
-+}
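Review bot: removing cve-2010-4411.patch also removes its t/headers.t regression test for `redirect()` with a `%0A%0A` parameter (`like($@,qr/contains a newline/, "redirect does not allow double-newline injection");`), while the replacement patch adds tests only for `header()`. If `redirect()` builds its headers through the same `header()` path, that case stays covered and the deletion is fine; otherwise consider carrying the test forward so the redirect path keeps a regression test.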
diff -Nru libcgi-simple-perl-1.280/debian/patches/series libcgi-simple-perl-1.280/debian/patches/series
--- libcgi-simple-perl-1.280/debian/patches/series	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/series	2025-08-29 05:59:56.000000000 +0200
@@ -1,2 +1,2 @@
-cve-2010-4411.patch
 no-shellwords-pl.patch
+Sanitize-all-user-supplied-values-before-inserting-i.patch
