Red Hat Bugzilla – Bug 658970
perl-CGI-Simple: CRLF injection vulnerability via a crafted URL
Last modified: 2011-01-04 06:16:00 EST
Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI-Simple
module, allowing remote attackers to inject arbitrary HTTP headers and
content, and conduct HTTP response splitting attacks, via a crafted URL.
Note: A new CVE identifier (against ) has been requested for the occurrence
of this issue in the perl-CGI-Simple module, since it is a different codebase.
This issue affects the version of the perl-CGI-Simple package, as shipped
with Fedora releases 13 and 14.
This issue affects the version of the perl-CGI-Simple package, as present
in the EPEL-4, EPEL-5 and EPEL-6 repositories.
Created perl-CGI-Simple tracking bugs for this issue
Affects: fedora-all [bug 658973]
And reply from Mark Stosberg regarding patch completion:
> > Since perl-CGI is a different code base than Bugzilla, we suspect a
> > new CVE id is required
> > for this issue? Steve, could you please allocate one? (id #1)
CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm, depending on how they use it.
> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> > Chris, Mark, could you please provide more details about the
> > issue? Is it
> > related to CVE-2010-3172?
Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).
> > Steve, could you please allocate CVE id for this? (id #2)
> > Yet, back to CVE-2010-3172, Masahiro mentions in , that
> > perl-CGI-Simple is prone
> > to same deficiency, as CVE-2010-3172 in Bugzilla was:
> >  https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> > Looks, like it was already fixed in perl-CGI-Simple too:
> >  https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> > Relevant perl-CGI-Simple patch:
> > 
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:
However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.
Yet, reply from Reed Loden of Mozilla Security Group:
Tom, regarding the already scheduled Fedora updates -- not
sure how to proceed now regarding the incomplete patch / change
mentioned above? Would we rather wait a bit and fix the issue
completely later, or fix it 'two times'?
Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
Note: The facts above arose only very recently.
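As an added illustration (not CGI::Simple's or CGI.pm's own code) of the header newline injection the thread discusses: a URL parameter carrying %0d%0a becomes extra header lines when a script copies the decoded value into a header unchecked, and a check that throws on any embedded newline refuses it. The parameter value, header names and the rejection rule are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample input: a query-string value as it would arrive in a
# crafted URL. %0d%0a decodes to CR LF; a script that copies the decoded
# value into a Location header without checking it exhibits the bug above.
CRAFTED_PARAM = "http://example.invalid/%0d%0aSet-Cookie:%20injected=1%0d%0a%0d%0ainjected%20body"

def build_response_unchecked(status, headers, body):
    """Header emission with no newline check (the pre-fix behaviour the
    report describes): each value is written into the response verbatim."""
    lines = [f"Status: {status}"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def build_response_checked(status, headers, body):
    """Hardened emission: refuse any CR or LF in a header name or value,
    whatever follows it, so folded continuation lines are refused as well.
    (A design choice of this example, not a description of the CGI::Simple
    patch.)"""
    for name, value in headers:
        if re.search(r"[\r\n]", name + value):
            raise ValueError(f"invalid newline in header {name!r}")
    return build_response_unchecked(status, headers, body)

def parse_headers(raw):
    """What a client sees: the header block before the first blank line,
    split into (name, value) pairs. Used here to show the injected header."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [tuple(line.split(": ", 1)) for line in head.split("\r\n")]

def demo():
    location = unquote(CRAFTED_PARAM)
    raw = build_response_unchecked(302, [("Location", location)], "real body")
    injected = parse_headers(raw)  # Set-Cookie now appears as its own header
    try:
        build_response_checked(302, [("Location", location)], "real body")
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected

if __name__ == "__main__":
    hdrs, rejected = demo()
    print(hdrs, rejected)
```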
Jan, seems to make sense to wait. I'll leave that update in testing and obsolete it with the next update. When the final patches are ready, can you post them here?
Sure, will keep an eye on the issue and post the final patch here once known.
Is this CVE-2010-4410?
Jan, is there a proper set of patches yet?
(In reply to comment #7)
> Jan, is there a proper set of patches yet?
Not sure. There was a query from Ludwig Nussel:
regarding the status of perl-CGI, without reply.
I can see the updated v1.113 perl-CGI-Simple / CPAN's CGI-Simple module
version (released on 2010-12-27):
but not sure if this is the definitive one addressing both CVE issues.
Asked Mark Stosberg and Andy Armstrong:
for further background details / patches clarification (you were Cc-ed).
(In reply to comment #6)
> Is this CVE-2010-4410?
Yes, this bug was originally intended to be a placeholder for both
issues in the perl-CGI-Simple component. The particular bugs (#658976
and #658970) were filed before CVE identifiers were assigned.
Unfortunately, both components (perl-CGI and perl-CGI-Simple) were
merged in the description for both of the issues.
So I needed to merge #658970 and #658976 into one. Please take #658976
as the master security bug for both issues and both components,
and #658973 as the perl-CGI-Simple tracker for Fedora from now.
This one will be closed as duplicate of #658976.
Apologies for the turmoil, Jan.
*** This bug has been marked as a duplicate of bug 658976 ***