Date: Wed, 01 Dec 2010 13:39:14 -0500
From: Mark Stosberg <mark@...mersault.com>
To: oss-security <oss-security@...ts.openwall.com>
CC: Jan Lieskovsky <jlieskov@...hat.com>,
"Steven M. Christey" <coley@...us.mitre.org>,
Marcela Maslanova <mmaslano@...hat.com>, Petr Pisar <ppisar@...hat.com>,
Chris 'BinGOs' Williams <chris@...gosnet.co.uk>,
Reed Loden <reed@...dloden.com>,
Masahiro Yamada <masa141421356@...il.com>,
Byron Jones <glob@...b.com.au>, Lincoln Stein <lincoln.stein@...il.com>
Subject: Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172
already assigned for Bugzilla part)
>
> Since perl-CGI is a different code base than Bugzilla, we suspect a
> new CVE id is required
> for this issue? Steve, could you please allocate one? (id #1)
CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm, depending on how they use it.
> 2. Further improvements to handling of newlines embedded in header
> values.
> An exception is thrown if header values contain invalid newlines.
> Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> Lincoln Stein, Frederic Buclin and Mark Stosberg
>
> Chris, Mark, could you please provide more details about the
> issue? Is it
> related to CVE-2010-3172?
Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).
> Steve, could you please allocate CVE id for this? (id #2)
>
> Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> perl-CGI-Simple is prone
> to same deficiency, as CVE-2010-3172 in Bugzilla was:
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
>
> Looks, like it was already fixed in perl-CGI-Simple too:
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
>
> Relevant perl-CGI-Simple patch:
> [6]
> https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:
https://github.com/markstos/CGI--Simple/network
However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.
Mark
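
The check quoted above from the changelog (an exception when a header value contains an invalid newline), as an added example that is not code from CGI.pm, CGI::Simple or this thread. It assumes the only valid newline in a value is an RFC 822 folded continuation (CRLF followed by a space or tab); `checked_header_value` and the sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $CRLF = "\015\012";

# Hypothetical helper (not CGI.pm's API): return the unfolded value,
# or die if a CR or LF remains that could start a new header line.
sub checked_header_value {
    my ($name, $value) = @_;
    return $value unless defined $value;

    # Assumption: CRLF followed by a space or tab is an RFC 822 folded
    # continuation line; unfold it by dropping the CRLF.
    (my $unfolded = $value) =~ s/$CRLF([ \t])/$1/g;

    # Any CR or LF still present would end the header early.
    if ($unfolded =~ /[\015\012]/) {
        my $shown = length($unfolded) > 40
            ? substr($unfolded, 0, 40) . '...'
            : $unfolded;
        # Make the control characters visible in the diagnostic.
        $shown =~ s/([\015\012])/sprintf('\\x%02X', ord $1)/ge;
        die "invalid newline in $name header value: $shown\n";
    }
    return $unfolded;
}

# Constructed sample values, as if built from request parameters.
my @samples = (
    [ 'Content-Disposition', 'attachment; filename="report.txt"' ],
    [ 'X-Note',   "first part$CRLF second part" ],              # folded: accepted
    [ 'Location', "/next${CRLF}Set-Cookie: sid=constructed" ],  # rejected
    [ 'X-Note',   "bare\012linefeed" ],                         # rejected
);

for my $s (@samples) {
    my ($name, $value) = @$s;
    my $clean = eval { checked_header_value($name, $value) };
    if (defined $clean) {
        print "OK      $name: $clean\n";
    } else {
        print "REJECT  $@";
    }
}
```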