Date: Wed, 01 Dec 2010 13:39:14 -0500 From: Mark Stosberg <mark@...mersault.com> To: oss-security <oss-security@...ts.openwall.com> CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Marcela Maslanova <mmaslano@...hat.com>, Petr Pisar <ppisar@...hat.com>, Chris 'BinGOs' Williams <chris@...gosnet.co.uk>, Reed Loden <reed@...dloden.com>, Masahiro Yamada <masa141421356@...il.com>, Byron Jones <glob@...b.com.au>, Lincoln Stein <lincoln.stein@...il.com> Subject: Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part) > > Since perl-CGi is different code base than Bugzilla, we suspect a > new CVE id is required > for this issue? Steve, could you please allocate one? (id #1) CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on they use it. > 2. Further improvements to handling of newlines embedded in header > values. > An exception is thrown if header values contain invalid newlines. > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux > Lincoln Stein, Frederic Buclin and Mark Stosberg > > Chris, Mark, could you please provide more details about the > issue? Is it > related to CVE-2010-3172? Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed). > Steve, could you please allocate CVE id for this? (id #2) > > Yet, back to CVE-2010-3172, Masahiro mentions in , that > perl-CGI-Simple is prone > to same deficiency, as CVE-2010-3172 in Bugzilla was: >  https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13 > > Looks, like it was already fixed in perl-CGI-Simple too: >  https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31 > > Relevant perl-CGi-Simple patch: >  > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380 Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched. I submitted a patch, but it has not been applied, as seen in the Network view: https://github.com/markstos/CGI--Simple/network However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple. Mark
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ