Bug 658970 - perl-CGI-Simple: CRLF injection vulnerability via a crafted URL
Summary: perl-CGI-Simple: CRLF injection vulnerability via a crafted URL
Keywords:
Status: CLOSED DUPLICATE of bug 658976
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-01 18:00 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:41 UTC (History)
3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-04 11:16:00 UTC
Embargoed:


Description Jan Lieskovsky 2010-12-01 18:00:27 UTC
Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI-Simple
module, allowing remote attackers to inject arbitrary HTTP headers and 
content, and conduct HTTP response splitting attacks, via a crafted URL.  

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
[4] https://github.com/digg/stream/issues#issue/1
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[6] https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note: A new CVE identifier (separate from [5]) has been requested for the occurrence
      of this issue in the perl-CGI-Simple module, since it is a different codebase.
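As an added example, not code from CGI::Simple, CGI.pm or the referenced patches, the following Perl routine illustrates the mitigation the upstream changelog quoted below describes: header emission throws an exception when a value contains a carriage return or line feed, so a value taken from a crafted URL cannot terminate the current header and start another one. The function names and the sample values are constructed for this illustration; the strict choice to reject all CR/LF (including folded continuation lines) is this example's own design decision, not necessarily the project's.

```perl
#!/usr/bin/perl
# Added example (not CGI::Simple's or CGI.pm's own code): a header-value
# validator in the spirit of the fix described in this bug. Function names
# and sample inputs below are constructed for illustration.
use strict;
use warnings;

# Reject any header value carrying a carriage return or line feed.
# A CR or LF inside a value ends the header line early, letting the
# remainder be parsed as a new header or as the start of the body.
# That is the condition behind HTTP response splitting.
sub validate_header_value {
    my ($name, $value) = @_;
    die "Invalid header value for '$name': embedded newline\n"
        if defined $value && $value =~ /[\r\n]/;
    return $value;
}

# Build a minimal header block, validating every name and value before
# joining them with CRLF. Names are restricted to token characters so a
# caller cannot smuggle a separator through the name either.
sub build_header_block {
    my (%headers) = @_;
    my @lines;
    for my $name (sort keys %headers) {
        die "Invalid header name '$name'\n"
            unless $name =~ /\A[A-Za-z0-9-]+\z/;
        my $value = validate_header_value($name, $headers{$name});
        push @lines, "$name: $value";
    }
    return join("\r\n", @lines) . "\r\n\r\n";
}

# Constructed inputs: a benign redirect target, and a value of the shape a
# decoded crafted URL parameter would have, carrying CRLF followed by text
# that would otherwise be emitted as a second header.
my %good = ('Location' => 'http://example.invalid/page?id=42');
my %bad  = ('Location' => "http://example.invalid/page\r\nX-Injected: 1");

print build_header_block(%good);

# The crafted value must never reach the client; it raises instead.
my $ok = eval { build_header_block(%bad); 1 };
print "rejected: $@" unless $ok;
```

Run with `perl` and no arguments: the first call prints a single well-formed `Location` header, the second is rejected with the "embedded newline" message. A library-level fix would place the same check on every path that emits a header (redirects, cookies, custom headers), which is why a partial patch, as discussed in the comments below, still leaves exposure.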

Comment 1 Jan Lieskovsky 2010-12-01 18:04:05 UTC
This issue affects the version of the perl-CGI-Simple package, as shipped
with Fedora releases 13 and 14.

This issue affects the version of the perl-CGI-Simple package, as present
with EPEL-4, EPEL-5 and EPEL-6 repositories.

Please fix.

Comment 2 Jan Lieskovsky 2010-12-01 18:05:20 UTC
Created perl-CGI-Simple tracking bugs for this issue

Affects: fedora-all [bug 658973]

Comment 3 Jan Lieskovsky 2010-12-01 19:20:45 UTC
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================

>   Since perl-CGi is different code base than Bugzilla, we suspect a
> > new CVE id is required
> >     for this issue? Steve, could you please allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm depending on they use it.

> >     2. Further improvements to handling of newlines embedded in header
> > values.
> >        An exception is thrown if header values contain invalid newlines.
> >        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> >        Lincoln Stein, Frederic Buclin and Mark Stosberg
> > 
> >        Chris, Mark, could you please provide more details about the
> > issue? Is it
> >        related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).

> >        Steve, could you please allocate CVE id for this? (id #2)
> > 
> >   Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> > perl-CGI-Simple is prone
> >   to same deficiency, as CVE-2010-3172 in Bugzilla was:
> >   [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> > 
> >   Looks, like it was already fixed in perl-CGI-Simple too:
> >   [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> > 
> >   Relevant perl-CGi-Simple patch:
> >   [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:

https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.

    Mark

===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2

============================================================

Tom, regarding the already scheduled Fedora updates -- not
sure how to proceed now regarding the incomplete patch / change
mentioned above? Would we rather wait a bit and fix the issue
completely later, or fix it 'two times'?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Note: The facts above arose only very recently.

Comment 4 Tom "spot" Callaway 2010-12-01 19:25:47 UTC
Jan, seems to make sense to wait. I'll leave that update in testing and obsolete it with the next update. When the final patches are ready, can you post them here?

Comment 5 Jan Lieskovsky 2010-12-01 19:34:48 UTC
Sure, will keep an eye on the issue and post the final patch here once known.

Comment 6 Kurt Seifried 2010-12-09 00:59:29 UTC
Is this CVE-2010-4410?

Comment 7 Tom "spot" Callaway 2011-01-03 15:42:15 UTC
Jan, is there a proper set of patches yet?

Comment 8 Jan Lieskovsky 2011-01-04 10:16:19 UTC
Hi Tom,

(In reply to comment #7)
> Jan, is there a proper set of patches yet?

Not sure. There was a query from Ludwig Nussel:
[1] http://www.openwall.com/lists/oss-security/2010/12/16/4

regarding status of perl-CGI without reply. 

I can see the updated v1.113 perl-CGI-Simple / CPAN's CGI-Simple module
version (released on 2010-12-27):
[2] http://search.cpan.org/dist/CGI-Simple/

but not sure if this is the definitive one addressing both CVE issues.

Asked Mark Stosberg and Andy Armstrong:
[3] http://www.openwall.com/lists/oss-security/2011/01/04/5

for further background details / patches clarification (you were Cc-ed).

HTH, Jan.

Comment 9 Jan Lieskovsky 2011-01-04 11:16:00 UTC
(In reply to comment #6)
> Is this CVE-2010-4410?

Yes, this bug was originally intended to be placeholder for both
issues in perl-CGI-Simple component. The particular bugs (#658976
and #658970) were filed sooner than CVE identifiers were assigned.

Unfortunately, both components (perl-CGI and perl-CGI-Simple) were
merged in the description for both of the issues.

So needed to merge #658970 and #658976 into one. Please take #658976
as the master security bug for both issues and both components,
and #658973 as the perl-CGI-Simple tracker for Fedora from now.

This one will be closed as duplicate of #658976.

Apologies for the turmoil, Jan.

*** This bug has been marked as a duplicate of bug 658976 ***