Date: Wed, 01 Dec 2010 13:39:14 -0500
From: Mark Stosberg <>
To: oss-security <>
CC: Jan Lieskovsky <>, 
 "Steven M. Christey" <>,
 Marcela Maslanova <>, Petr Pisar <>, 
 Chris 'BinGOs' Williams <>,
 Reed Loden <>, 
 Masahiro Yamada <>,
 Byron Jones <>, Lincoln Stein <>
Subject: Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172
 already assigned for Bugzilla part)

>     Since perl-CGI is different code base than Bugzilla, we suspect a
> new CVE id is required
>     for this issue? Steve, could you please allocate one? (id #1)

is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in depending on they use it.

>     2. Further improvements to handling of newlines embedded in header
> values.
>        An exception is thrown if header values contain invalid newlines.
>        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
>        Lincoln Stein, Frederic Buclin and Mark Stosberg
>        Chris, Mark, could you please provide more details about the
> issue? Is it
>        related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary author,
Lincoln Stein. (Now CC'ed).

>        Steve, could you please allocate CVE id for this? (id #2)
>   Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> perl-CGI-Simple is prone
>   to same deficiency, as CVE-2010-3172 in Bugzilla was:
>   [4]
>   Looks like it was already fixed in perl-CGI-Simple too:
>   [5]
>   Relevant perl-CGI-Simple patch:
>   [6]

Note that CGI::Simple also shares the header newline injection issue
with, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:

However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of, and thus also needs further work. Once
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.
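
The check discussed in this thread (an exception when a header value contains an invalid newline), sketched as an added Perl example. It is not the CGI.pm or CGI::Simple patch; `safe_header_value` and the sample values are constructed for illustration, and the example goes slightly beyond the thread by treating bare CR and bare LF the same way as CRLF.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not CGI.pm or CGI::Simple code): validate one header
# value before it is written into an HTTP response.
sub safe_header_value {
    my ($name, $value) = @_;
    die "Invalid header name: $name\n" unless $name =~ /\A[A-Za-z0-9-]+\z/;

    # Unfold legitimate continuation lines: a line break followed by a
    # space or tab continues the same header field.
    (my $unfolded = $value) =~ s/\r?\n([ \t])/$1/g;

    # Any CR or LF that is left would end this header and let the rest of
    # the value be read as a new header or as the response body.
    if ($unfolded =~ /[\r\n]/) {
        my $shown = substr($unfolded, 0, 60);
        $shown =~ s/([\r\n])/sprintf '\\x%02x', ord $1/ge;
        die "Refusing header $name: value contains a newline: $shown\n";
    }
    return $unfolded;
}

# Constructed sample values, as they might arrive from a request parameter.
my @samples = (
    [ 'Content-Disposition', 'attachment; filename="report.csv"' ],
    [ 'X-Note',              "first line\r\n second line (folded)" ],
    [ 'Location',            "/next\r\nSet-Cookie: session=constructed" ],
    [ 'Location',            "/next\nX-Injected: bare LF" ],
    [ 'Location',            "/next\rX-Injected: bare CR" ],
);

for my $s (@samples) {
    my ($name, $value) = @$s;
    my $clean = eval { safe_header_value($name, $value) };
    if (defined $clean) {
        print "ok       $name: $clean\n";
    } else {
        print "rejected $@";
    }
}
```

The first two samples pass (the second is unfolded onto one line); the last three are rejected with the offending byte shown in escaped form.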