Masahiro Yamada reported a CRLF injection vulnerability in the perl-CGI-Simple module, allowing remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
[4] https://github.com/digg/stream/issues#issue/1
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[6] https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note: A new CVE identifier (against [5]) has been requested for the occurrence of this issue in the perl-CGI-Simple module, since it is a different codebase.
This issue affects the version of the perl-CGI-Simple package as shipped with Fedora releases 13 and 14. This issue affects the version of the perl-CGI-Simple package as present in the EPEL-4, EPEL-5 and EPEL-6 repositories. Please fix.
Created perl-CGI-Simple tracking bugs for this issue.
Affects: fedora-all [bug 658973]
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================
> Since perl-CGI is a different code base than Bugzilla, we suspect a
> new CVE id is required for this issue? Steve, could you please allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on how they use it.

> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
>
> Chris, Mark, could you please provide more details about the
> issue? Is it related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed).

> Steve, could you please allocate CVE id for this? (id #2)
>
> Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> perl-CGI-Simple is prone to the same deficiency as CVE-2010-3172 in Bugzilla was:
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
>
> Looks like it was already fixed in perl-CGI-Simple too:
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
>
> Relevant perl-CGI-Simple patch:
> [6] https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched.

I submitted a patch, but it has not been applied, as seen in the Network view:
https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple.

Mark
===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2
============================================================

Tom, regarding the already scheduled Fedora updates -- not sure how to proceed now regarding the incomplete patch / change mentioned above? Would we rather wait a bit and fix the issue completely later, or fix it 'two times'?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Note: The facts above arose only very recently.
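The description above and the CGI.pm 3.50 changelog quoted in this comment ("An exception is thrown if header values contain invalid newlines") describe the same defensive check. The script below is an added illustration, not code from CGI.pm, CGI::Simple or this bug's patches: it percent-decodes a parameter the way a CGI library would, then refuses to build a header line from any value containing CR or LF, so an encoded `%0d%0a` can no longer terminate the header and start a new one. Rejecting every CR/LF (rather than permitting obsolete RFC 2616 line folding) is this example's own choice, and the `url_decode`, `safe_header_line` and `build_headers` names and the sample inputs are constructed for it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-decoding as a CGI library performs it before a value reaches
# header(). "%0d%0a" in a query string becomes a literal CR LF here, which
# is why the newline check must run on the decoded value, not the raw URL.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Emit one "Name: value" line, dying if the value could end the line early.
# Rejecting every CR and LF is stricter than obsolete header folding (CRLF
# followed by SP/HT) would require; that is an assumption of this example,
# not a description of what CGI.pm or CGI::Simple do.
sub safe_header_line {
    my ($name, $value) = @_;
    die "invalid header name '$name'\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9-]+\z/;
    die "invalid newline in value of '$name'\n"
        if !defined $value || $value =~ /[\r\n]/;
    return "$name: $value\r\n";
}

# Build a complete header block (terminated by a blank line), or die.
sub build_headers {
    my (%h) = @_;
    my $out = '';
    for my $k (sort keys %h) {
        $out .= safe_header_line($k, $h{$k});
    }
    return $out . "\r\n";
}

# Constructed sample inputs, as they might arrive in a redirect parameter.
my $benign  = 'http%3A%2F%2Fexample.com%2Fhome';
my $crafted = 'http%3A%2F%2Fexample.com%2F%0d%0aX-Injected%3A%201';

# The benign value yields a normal two-header block.
print build_headers(
    'Content-Type' => 'text/html',
    'Location'     => url_decode($benign),
);

# The decoded crafted value contains CR LF, so the builder dies instead of
# emitting a second, attacker-chosen header line.
my $block = eval { build_headers('Location' => url_decode($crafted)) };
if (!defined $block) {
    print "rejected: $@";
}
```

Running the script prints the benign header block followed by a `rejected: invalid newline in value of 'Location'` line. The useful property for a reviewer is that the check sits at the point where the header line is assembled, so it holds regardless of which parameter the value came from or how it was encoded on the wire.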
Jan, seems to make sense to wait. I'll leave that update in testing and obsolete it with the next update. When the final patches are ready, can you post them here?
Sure, will keep an eye on the issue and post the final patch here once known.
Is this CVE-2010-4410?
Jan, is there a proper set of patches yet?
Hi Tom,

(In reply to comment #7)
> Jan, is there a proper set of patches yet?

Not sure. There was a query from Ludwig Nussel:
[1] http://www.openwall.com/lists/oss-security/2010/12/16/4
regarding the status of perl-CGI, without reply.

I can see the updated v1.113 perl-CGI-Simple / CPAN's CGI-Simple module version (released on 2010-12-27):
[2] http://search.cpan.org/dist/CGI-Simple/
but am not sure if this is the definitive one addressing both CVE issues.

Asked Mark Stosberg and Andy Armstrong:
[3] http://www.openwall.com/lists/oss-security/2011/01/04/5
for further background details / patches clarification (you were Cc-ed).

HTH, Jan.
(In reply to comment #6)
> Is this CVE-2010-4410?

Yes, this bug was originally intended to be a placeholder for both issues in the perl-CGI-Simple component. The particular bugs (#658976 and #658970) were filed sooner than CVE identifiers were assigned. Unfortunately, both components (perl-CGI and perl-CGI-Simple) were merged in the description for both of the issues. So we needed to merge #658970 and #658976 into one. Please take #658976 as the master security bug for both issues and both components, and #658973 as the perl-CGI-Simple tracker for Fedora from now on. This one will be closed as a duplicate of #658976.

Apologies for the turmoil, Jan.

*** This bug has been marked as a duplicate of bug 658976 ***