Date: Wed, 01 Dec 2010 18:28:55 +0100
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC: oss-security <>,
        Marcela Maslanova <>,
        Petr Pisar <>,
        "Chris 'BinGOs' Williams" <>,
        Reed Loden <>,
        Masahiro Yamada <>,
        Byron Jones <>, Mark Stosberg <>
Subject: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172
 already assigned for Bugzilla part)

Hi Steve, vendors,

    Masahiro Yamada reported:

    the following deficiency (from [2]):
    Search result of b.m.o. does not escape "--------- =_aaaaaaaaaa0": it is used
    as boundary of multipart/x-mixed-replace.

    Attackers can inject boundary of multipart/x-mixed-replace.
    It may be able to be used for HTTP Header injection.

    It has been fixed in new perl-CGI v3.50 upstream version via the following commit:

    The Changelog from [3] mentions:
     1. The MIME boundary in multipart_init is now random
        Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg

     Since perl-CGI is a different code base than Bugzilla, we suspect a new CVE id is required
     for this issue? Steve, could you please allocate one? (id #1)

     2. Further improvements to handling of newlines embedded in header values.
        An exception is thrown if header values contain invalid newlines.
        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
        Lincoln Stein, Frederic Buclin and Mark Stosberg

        Chris, Mark, could you please provide more details about the issue? Is it
        related to CVE-2010-3172?

        Steve, could you please allocate a CVE id for this? (id #2)

   Yet, back to CVE-2010-3172, Masahiro mentions in [2] that perl-CGI-Simple is prone
   to the same deficiency as CVE-2010-3172 in Bugzilla was:

   Looks like it was already fixed in perl-CGI-Simple too:

   Relevant perl-CGI-Simple patch:

   Steve, could you allocate new CVE id for this issue? (id #3)

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
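
The two changelog items quoted in the message above (a random MIME boundary, and an exception on invalid newlines in header values), sketched as an added example; this is not code from the original message, from CGI.pm or from CGI::Simple. The function names, the boundary format, the folding rule and the sample input are assumptions made for illustration.

```python
import re
import secrets

# Assumption: a line break in a header value is valid only as folding,
# i.e. CRLF followed by a space or tab; everything else is rejected.
_FOLD = re.compile(r"\r\n[ \t]")

def check_header_value(value):
    """Return value unchanged, or raise ValueError on an invalid newline."""
    unfolded = _FOLD.sub("", value)
    if "\r" in unfolded or "\n" in unfolded:
        raise ValueError("invalid newline in header value")
    return value

def new_boundary():
    """Unpredictable per-response boundary (hypothetical format)."""
    return "part_" + secrets.token_hex(16)

def multipart_response(parts, boundary=None):
    """Build a multipart/x-mixed-replace response from (type, body) pairs."""
    boundary = boundary or new_boundary()
    delim = "--" + boundary
    out = ["Content-Type: multipart/x-mixed-replace;boundary=" + boundary, ""]
    for ctype, body in parts:
        # A body that carries the delimiter would start a part of its own.
        if delim in body:
            raise ValueError("part body contains the boundary delimiter")
        out += [delim, "Content-Type: " + check_header_value(ctype), "", body]
    out.append(delim + "--")
    return "\r\n".join(out) + "\r\n"

# Constructed sample input: a search result that embeds a fixed boundary.
FIXED_BOUNDARY = "fixed_boundary_0"
SAMPLE_BODY = ("result\r\n--" + FIXED_BOUNDARY +
               "\r\nContent-Type: text/html\r\n\r\nextra part")

if __name__ == "__main__":
    try:
        multipart_response([("text/plain", SAMPLE_BODY)], FIXED_BOUNDARY)
    except ValueError as err:
        print("fixed boundary:", err)
    print(multipart_response([("text/plain", SAMPLE_BODY)]))
```

With the fixed boundary the sample body is rejected because it carries the delimiter; with a fresh random boundary the same body stays inside a single part.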
