Bug 658976 - (CVE-2010-2761, CVE-2010-4410) perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting
perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20101110,repor...
: Security
: 658970 (view as bug list)
Depends On: 657950 658973 671352 702389 743626 743627 743629 743630
Blocks: 735402
  Show dependency treegraph
 
Reported: 2010-12-01 13:13 EST by Jan Lieskovsky
Modified: 2013-05-08 13:57 EDT (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-08 13:57:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-12-01 13:13:11 EST
1, perl-CGI package issues description:
======================================

Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI
module, allowing remote attackers to inject arbitrary HTTP headers and 
content, and conduct HTTP response splitting attacks, via a crafted URL.  

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c29
[3] https://github.com/digg/stream/issues#issue/1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[5] http://www2.rbfh.de/cgi/cgit.cgi/perl5.git/commit/?id=84601d63a7e34958da47dad1e61e27cb3bd467d1

Note: New CVE identifier (against [5]) has been requested for the occurrence 
      of this issue in perl-CGI-Simple module, since it is different codebase.

2, perl-CGI-Simple package issues description:
==============================================

Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI-Simple
module, allowing remote attackers to inject arbitrary HTTP headers and 
content, and conduct HTTP response splitting attacks, via a crafted URL.  

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
[4] https://github.com/digg/stream/issues#issue/1
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[6]
https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note: New CVE identifier (against [5]) has been requested for the occurrence 
      of this issue in perl-CGI-Simple module, since it is different codebase.
Comment 1 Jan Lieskovsky 2010-12-01 14:09:45 EST
1, perl-CGI package affected versions:
======================================

This issue affects the versions of the perl package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

The perl-CGI packages, present in Fedora release of 13 and 14
has been already scheduled for update (though they may be present
in the -testing repository yet).

2, perl-CGI-Simple package affected versions:
=============================================

This issue affects the version of the perl-CGI-Simple package, as shipped
with Fedora release of 13 and 14.

This issue affects the version of the perl-CGI-Simple package, as present
with EPEL-4, EPEL-5 and EPEL-6 repositories.

Please fix.
Comment 2 Jan Lieskovsky 2010-12-01 14:16:58 EST
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================

>   Since perl-CGi is different code base than Bugzilla, we suspect a
> > new CVE id is required
> >     for this issue? Steve, could you please allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm depending on they use it.

> >     2. Further improvements to handling of newlines embedded in header
> > values.
> >        An exception is thrown if header values contain invalid newlines.
> >        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> >        Lincoln Stein, Frederic Buclin and Mark Stosberg
> > 
> >        Chris, Mark, could you please provide more details about the
> > issue? Is it
> >        related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).

> >        Steve, could you please allocate CVE id for this? (id #2)
> > 
> >   Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> > perl-CGI-Simple is prone
> >   to same deficiency, as CVE-2010-3172 in Bugzilla was:
> >   [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> > 
> >   Looks, like it was already fixed in perl-CGI-Simple too:
> >   [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> > 
> >   Relevant perl-CGi-Simple patch:
> >   [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:

https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.

    Mark

===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2
Comment 3 Vincent Danen 2010-12-07 17:17:01 EST
This looks to have been assigned CVE-2010-2761:

Name: CVE-2010-2761
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
Assigned: 20100714
Reference: MLIST:[oss-security] 20101201 CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/1
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/3
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/2
Reference: MISC: https://bugzilla.mozilla.org/show_bug.cgi?id=600464
Reference: CONFIRM: http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
Reference: CONFIRM: http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
Reference: CONFIRM: https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

The multipart_init function in (1) CGI.pm before 3.50 and (2)
Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of
the MIME boundary string in multipart/x-mixed-replace content, which
allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via crafted input that contains this
value, a different vulnerability than CVE-2010-3172.
Comment 4 Vincent Danen 2010-12-07 17:26:40 EST
Ahhh... MITRE has this broken down as two issues, the second of which is here:

Name: CVE-2010-4410
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
Assigned: 20101206
Reference: MLIST:[oss-security] 20101201 CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/1
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/3
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/2
Reference: CONFIRM: http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
Reference: CONFIRM: http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
Reference: BID:45145
Reference: URL: http://www.securityfocus.com/bid/45145

CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via vectors related to non-whitespace
characters preceded by newline characters, a different vulnerability
than CVE-2010-2761 and CVE-2010-3172.


I'm noting both together as I believe they should have equal affects across affected products (i.e. one won't affect in a place where another doesn't).  If that is incorrect, we may need to split this bug into two.
Comment 7 Jan Lieskovsky 2011-01-04 06:08:54 EST
Tom, Kurt,

  since the CVEs description from c#3 and c#4 can't be split based
on package, please take this bug as a master security bug also
for perl-CGI-Simple component for now (the bugs were filed sooner
than CVEs were assigned [each being for both components :(]).

Created perl-CGI-Simple tracking bugs for this issue

Affects: fedora-all [bug 658973]
Comment 8 Jan Lieskovsky 2011-01-04 06:16:00 EST
*** Bug 658970 has been marked as a duplicate of this bug. ***
Comment 14 errata-xmlrpc 2011-05-19 07:37:30 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0558 https://rhn.redhat.com/errata/RHSA-2011-0558.html
Comment 17 Ramon de C Valle 2011-10-05 10:55:30 EDT
Created perl tracking bugs for this issue

Affects: fedora-all [bug 743630]
Comment 18 Ramon de C Valle 2011-10-05 10:55:37 EDT
Created perl-CGI tracking bugs for this issue

Affects: fedora-all [bug 743629]
Comment 24 errata-xmlrpc 2011-12-08 14:06:17 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1797 https://rhn.redhat.com/errata/RHSA-2011-1797.html

Note You need to log in before you can comment on or make changes to this bug.