[Bug 658970] perl-CGI-Simple: CRLF injection vulnerability via a crafted URL

bugzilla at redhat.com bugzilla at redhat.com
Wed Dec 1 19:20:48 UTC 2010




https://bugzilla.redhat.com/show_bug.cgi?id=658970

--- Comment #3 from Jan Lieskovsky <jlieskov at redhat.com> 2010-12-01 14:20:45 EST ---
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================

> >   Since perl-CGI is a different code base than Bugzilla, we suspect a
> >   new CVE id is required for this issue? Steve, could you please
> >   allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm, depending on how they use it.

> >     2. Further improvements to handling of newlines embedded in header
> > values.
> >        An exception is thrown if header values contain invalid newlines.
> >        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> >        Lincoln Stein, Frederic Buclin and Mark Stosberg
> > 
> >        Chris, Mark, could you please provide more details about the
> >        issue? Is it related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).

> >        Steve, could you please allocate CVE id for this? (id #2)
> > 
> >   Yet, back to CVE-2010-3172: Masahiro mentions in [2] that
> >   perl-CGI-Simple is prone to the same deficiency as CVE-2010-3172
> >   in Bugzilla was:
> >   [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> > 
> >   Looks like it was already fixed in perl-CGI-Simple too:
> >   [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> > 
> >   Relevant perl-CGI-Simple patch:
> >   [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:

https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.

    Mark

===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2

============================================================

Tom, regarding the already scheduled Fedora updates -- not
sure how to proceed now regarding the incomplete patch / change
mentioned above? Would we rather wait a bit and fix the issue
completely later, or fix it 'two times'?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Note: The facts above arose only very recently.
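An added illustration of the kind of strict check the 3.50 changelog entry quoted above describes (an exception thrown when a header value contains a newline), written for this page and not taken from CGI.pm or CGI::Simple; the header names and the crafted values fed to it are constructed, and it deliberately also rejects the obsolete "newline followed by whitespace" folding form rather than trying to tell legitimate folding from injection:

```perl
#!/usr/bin/perl
# Added example (not CGI.pm or CGI::Simple code): strict CR/LF rejection
# for HTTP header names and values, applied while assembling a response
# header block. Any CR or LF at all throws, so a crafted value cannot end
# the header it belongs to and start another one.
use strict;
use warnings;

# Throw unless the value is a single header line with no CR/LF anywhere.
sub assert_header_safe {
    my ($what, $value) = @_;
    die "Invalid $what: embedded newline or carriage return\n"
        if $value =~ /[\r\n]/;
    return $value;
}

# Build the header block from a flat list of name/value pairs.
# Every name and value passes through assert_header_safe first.
sub build_header_block {
    my @pairs = @_;
    my $out = '';
    while (my ($name, $value) = splice @pairs, 0, 2) {
        assert_header_safe('header name',  $name);
        assert_header_safe('header value', $value);
        $out .= "$name: $value\r\n";
    }
    return $out . "\r\n";    # blank line terminates the header block
}

# Constructed inputs: a benign redirect target, a value carrying CRLF,
# and a value using the folded form (LF followed by a space).
my @cases = (
    ['Location', 'http://example.com/ok'],
    ['Location', "http://example.com/\r\nX-Injected: 1"],
    ['Location', "http://example.com/\n X-Folded: 1"],
);
for my $case (@cases) {
    my ($name, $value) = @$case;
    my $block = eval {
        build_header_block('Content-Type', 'text/html', $name, $value)
    };
    if (defined $block) { print "accepted:\n$block" }
    else                { print "rejected: $@" }
}
```

Only the first case is accepted; the other two die inside assert_header_safe before any header text is emitted.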
