
Bug#1112368: marked as done (bookworm-pu: package libcgi-simple-perl/1.280-2+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112368,
regarding bookworm-pu: package libcgi-simple-perl/1.280-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112368
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libcgi-simple-perl@packages.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>, gregor herrmann <gregoa@debian.org>, Ansgar Burchardt <ansgar@debian.org>, Niko Tyni <ntyni@debian.org>, Dominic Hargreaves <dom@earth.li>, carnil@debian.org
Control: affects -1 + src:libcgi-simple-perl
User: release.debian.org@packages.debian.org
Usertags: pu


Hi Stable release managers,

[ Reason ]
libcgi-simple-perl is affected by CVE-2025-40927, an HTTP response
flaw.

https://lists.security.metacpan.org/cve-announce/msg/32357435/

It is somehow related to CVE-2010-4410, CVE-2010-4411 and covers more
completely the cases, so the CVE-2010-4411 patch is now superseded
by the new upstream change.

[ Impact ]
Users of CGI::Simple will remain vulnerable to CVE-2025-40927.

[ Tests ]
The new upstream version contains an updated test to cover the
additional cases which fail before, and pass afterwards. The
additional tests are included as well along with the cherry-picked fix.

[ Risks ]
Targeted fix with test suite coverage (additional tests).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Fix for CVE-2025-40927 and drop the superseded patch for
  CVE-2010-4411.

Regards,
Salvatore
diff -Nru libcgi-simple-perl-1.280/debian/changelog libcgi-simple-perl-1.280/debian/changelog
--- libcgi-simple-perl-1.280/debian/changelog	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/changelog	2025-08-29 05:59:56.000000000 +0200
@@ -1,3 +1,12 @@
+libcgi-simple-perl (1.280-2+deb12u1) bookworm; urgency=medium
+
+  * Drop "Port latest header-injection refinement from CGI.pm" patch.
+    (superseeded by the patch for CVE-2025-40927)
+  * Sanitize all user-supplied values before inserting into HTTP headers
+    (CVE-2025-40927)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 29 Aug 2025 05:59:56 +0200
+
 libcgi-simple-perl (1.280-2) unstable; urgency=medium
 
   [ Debian Janitor ]
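Review bot: typo in the first bullet of the new changelog entry, "superseeded" should read "superseded"; the entry is otherwise consistent with the two patch changes (one dropped, one added) carried by this debdiff.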
diff -Nru libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch
--- libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-simple-perl-1.280/debian/patches/Sanitize-all-user-supplied-values-before-inserting-i.patch	2025-08-29 05:59:56.000000000 +0200
@@ -0,0 +1,95 @@
+From: Mohammad Sajid Anwar <mohammad.anwar@yahoo.com>
+Date: Thu, 28 Aug 2025 20:12:23 +0100
+Subject: - Sanitize all user-supplied values before inserting into HTTP
+ headers.   Thanks Maxim Kosenko for raising the issue with recommended
+ solution.   Thanks breno for the patch.   Thanks Stig Palmquist for assiginig
+ it CVE-2025-40927.
+Origin: https://github.com/manwar/CGI--Simple/commit/0c1a2e0b8f24804d33daac686666ac944363a630
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40927
+
+---
+ Changes                    |  6 ++++++
+ lib/CGI/Simple.pm          | 12 +++++++-----
+ lib/CGI/Simple/Cookie.pm   |  2 +-
+ lib/CGI/Simple/Standard.pm |  2 +-
+ lib/CGI/Simple/Util.pm     |  2 +-
+ t/120.header-crlf.t        | 28 ++++++++++++++++++++--------
+ 6 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/lib/CGI/Simple.pm b/lib/CGI/Simple.pm
+index ebf13706f987..5125533dfdb1 100644
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -998,6 +998,7 @@ sub header {
+    );
+ 
+   my $CRLF = $self->crlf;
++  my $ALL_POSSIBLE_CRLF = qr/(?:\r\n|\n|\015\012)/;
+ 
+   # CR escaping for values, per RFC 822
+   for my $header (
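Review bot: the new alternation qr/(?:\r\n|\n|\015\012)/ has no branch for a bare CR, while the check this update removes (if ($header =~ m/$CRLF|\015|\012/) in cve-2010-4411.patch) also rejected a lone \015. On ASCII platforms \r\n and \015\012 are the same two bytes, so the first and third branches are redundant and a lone \r is the one terminator left unmatched; if a bare CR in a header value is still meant to be rejected, add a \r branch after \r\n (order matters in the alternation) so it is caught by the later m/$ALL_POSSIBLE_CRLF/ test, and state in the patch description if leaving it out is intentional.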
+@@ -1007,11 +1008,12 @@ sub header {
+     if ( defined $header ) {
+       # From RFC 822:
+       # Unfolding  is  accomplished  by regarding   CRLF   immediately
+-      # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+-      $header =~ s/$CRLF(\s)/$1/g;
++      # followed  by  a  LWSP-char  as equivalent to the LWSP-char
++      # (defined in the RFC as a space or a horizontal tab).
++      $header =~ s/$ALL_POSSIBLE_CRLF([ \t])/$1/g;
+ 
+       # All other uses of newlines are invalid input.
+-      if ( $header =~ m/$CRLF/ ) {
++      if ( $header =~ m/$ALL_POSSIBLE_CRLF/ ) {
+         # shorten very long values in the diagnostic
+         $header = substr( $header, 0, 72 ) . '...'
+          if ( length $header > 72 );
+
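Review bot: the narrowing of the unfolding capture from \s to [ \t] is what makes the rejection below effective and deserves a sentence in the patch description. With \s, a CRLF followed by a second line terminator was collapsed to that terminator, and because the old check only looked for $CRLF, a resulting bare LF in the value was never examined; the same was true of a bare LF present in the input from the start. The updated comment correctly cites the RFC 822 definition of LWSP-char (space or horizontal tab), and the error path that follows (truncating the value to 72 characters in the diagnostic) is unchanged.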
+diff --git a/t/120.header-crlf.t b/t/120.header-crlf.t
+index d6a4dca78c41..7834b77e8022 100644
+--- a/t/120.header-crlf.t
++++ b/t/120.header-crlf.t
+@@ -1,5 +1,5 @@
+ use strict;
+-use Test::More tests => 2;
++use Test::More tests => 9;
+ use Test::Exception;
+ use CGI::Simple;
+ 
+@@ -7,14 +7,26 @@ my $cgi = CGI::Simple->new;
+ 
+ my $CRLF = $cgi->crlf;
+ 
+-is( $cgi->header( '-Test' => "test$CRLF part" ),
+-    "Test: test part"
++my %possible_crlf = (
++    '\n'       => "\n",
++    '\r\n'     => "\r\n",
++    '\015\012' => "\015\012",
++);
++for my $k (sort keys %possible_crlf) {
++    is(
++        $cgi->header( '-Test' => "test$possible_crlf{$k} part" ),
++        "Test: test part"
+         . $CRLF
+         . 'Content-Type: text/html; charset=ISO-8859-1'
+         . $CRLF
+-        . $CRLF
+-);
++        . $CRLF,
++        "header value with $k + space drops the $k and is valid"
++    );
+ 
+-throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
+-qr/Invalid header value contains a newline not followed by whitespace: test="test/,
+-    'invalid CRLF caught';
++    throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}$possible_crlf{$k} part" ) }
++    qr/Invalid header value contains a newline not followed by whitespace: test="test/,
++        'invalid CRLF caught for double ' . $k;
++        throws_ok { $cgi->header( '-Test' => "test$possible_crlf{$k}part" ) }
++        qr/Invalid header value contains a newline not followed by whitespace: test="test/,
++        "invalid $k caught not followed by whitespace";
++}
+-- 
+2.51.0
+
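Review bot: the loop produces three assertions per key for three keys, matching the updated plan tests => 9. The second throws_ok block (the "not followed by whitespace" case) is indented one level deeper than its sibling calls and should be aligned with them. Because %possible_crlf has no bare-CR entry, nothing here checks that a lone \r in a value is rejected; add that case if the code is meant to reject it, so the test plan documents the intended behaviour either way.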
diff -Nru libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch
--- libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/cve-2010-4411.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-Author: Mark Stosberg <mark@stosberg.com>
-Origin: http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
-Origin: http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
-Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
-
-See also http://www.openwall.com/lists/oss-security/2011/01/04/9
-
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -1011,7 +1011,7 @@
-       $header =~ s/$CRLF(\s)/$1/g;
- 
-       # All other uses of newlines are invalid input.
--      if ( $header =~ m/$CRLF/ ) {
-+      if ($header =~ m/$CRLF|\015|\012/) {
-         # shorten very long values in the diagnostic
-         $header = substr( $header, 0, 72 ) . '...'
-          if ( length $header > 72 );
---- a/t/headers.t
-+++ b/t/headers.t
-@@ -76,3 +76,9 @@
-   'redirect with leading newlines blows up'
- );
- 
-+{
-+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
-+    my $out;
-+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
-+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
-+}
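Review bot: dropping this patch also drops the t/headers.t regression test that called $cgi->redirect() with a parameter containing a double %0A and expected a "contains a newline" error; the replacement test file only exercises $cgi->header(). If redirect() routes through the same sanitizing loop in header() the coverage is indirect, but carrying the redirect case over into t/120.header-crlf.t costs one test and keeps the historically vulnerable path explicitly covered.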
diff -Nru libcgi-simple-perl-1.280/debian/patches/series libcgi-simple-perl-1.280/debian/patches/series
--- libcgi-simple-perl-1.280/debian/patches/series	2022-10-13 23:56:51.000000000 +0200
+++ libcgi-simple-perl-1.280/debian/patches/series	2025-08-29 05:59:56.000000000 +0200
@@ -1,2 +1,2 @@
-cve-2010-4411.patch
 no-shellwords-pl.patch
+Sanitize-all-user-supplied-values-before-inserting-i.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
