1, perl-CGI package issues description:
======================================

Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI module, allowing remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c29
[3] https://github.com/digg/stream/issues#issue/1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[5] http://www2.rbfh.de/cgi/cgit.cgi/perl5.git/commit/?id=84601d63a7e34958da47dad1e61e27cb3bd467d1

Note: New CVE identifier (against [5]) has been requested for the occurrence of this issue in perl-CGI-Simple module, since it is different codebase.

2, perl-CGI-Simple package issues description:
==============================================

Masahiro Yamada reported a CRLF injection vulnerability in perl-CGI-Simple module, allowing remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=600464
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
[4] https://github.com/digg/stream/issues#issue/1
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3172

Upstream changeset:
[6] https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note: New CVE identifier (against [5]) has been requested for the occurrence of this issue in perl-CGI-Simple module, since it is different codebase.
1, perl-CGI package affected versions:
======================================

This issue affects the versions of the perl package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

The perl-CGI packages, present in Fedora release of 13 and 14, have already been scheduled for update (though they may be present in the -testing repository yet).

2, perl-CGI-Simple package affected versions:
=============================================

This issue affects the version of the perl-CGI-Simple package, as shipped with Fedora release of 13 and 14.

This issue affects the version of the perl-CGI-Simple package, as present with EPEL-4, EPEL-5 and EPEL-6 repositories. Please fix.
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================

> > Since perl-CGi is different code base than Bugzilla, we suspect a
> > new CVE id is required for this issue?
> > Steve, could you please allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on how they use it.

> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the
> > issue? Is it related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed).

> > Steve, could you please allocate CVE id for this? (id #2)
> >
> > Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> > perl-CGI-Simple is prone to same deficiency, as CVE-2010-3172
> > in Bugzilla was:
> > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> >
> > Looks, like it was already fixed in perl-CGI-Simple too:
> > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> >
> > Relevant perl-CGi-Simple patch:
> > [6] https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched.

I submitted a patch, but it has not been applied, as seen in the Network view:

https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple.

Mark

===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2
This looks to have been assigned CVE-2010-2761:

Name: CVE-2010-2761
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
Assigned: 20100714
Reference: MLIST:[oss-security] 20101201 CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/1
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/3
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/2
Reference: MISC: https://bugzilla.mozilla.org/show_bug.cgi?id=600464
Reference: CONFIRM: http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
Reference: CONFIRM: http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
Reference: CONFIRM: https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
Ahhh... MITRE has this broken down as two issues, the second of which is here:

Name: CVE-2010-4410
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
Assigned: 20101206
Reference: MLIST:[oss-security] 20101201 CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/1
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/3
Reference: MLIST:[oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
Reference: URL: http://openwall.com/lists/oss-security/2010/12/01/2
Reference: CONFIRM: http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
Reference: CONFIRM: http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
Reference: CONFIRM: http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
Reference: BID:45145
Reference: URL: http://www.securityfocus.com/bid/45145

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

I'm noting both together as I believe they should have equal effects across affected products (i.e. one won't affect in a place where another doesn't). If that is incorrect, we may need to split this bug into two.
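The rule quoted earlier in this thread from the CGI.pm Changes file ("An exception is thrown if header values contain invalid newlines") and the CVE-2010-4410 description above can be illustrated with a small validator. This is an added example, not code from CGI.pm, CGI::Simple or any commenter; the helper name `clean_header_value` and all sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not CGI.pm's own code): return a header value that is
# safe to emit on one header line, or die if it could start a new line.
sub clean_header_value {
    my ($value) = @_;

    # RFC 822 unfolding: CRLF immediately followed by a space or tab is a
    # legitimate continuation line, so collapse it to that whitespace char.
    $value =~ s/\015\012([ \t])/$1/g;

    # Any CR or LF still present is followed by a non-whitespace character
    # (or ends the value) and would terminate the header early.
    if ($value =~ /[\015\012]/) {
        my $shown = length($value) > 40 ? substr($value, 0, 40) . '...' : $value;
        # Escape control bytes so the diagnostic cannot itself inject lines.
        $shown =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
        die "invalid newline in header value: $shown\n";
    }
    return $value;
}

# Constructed sample inputs: [label, raw header value]
my @samples = (
    [ 'plain',    'text/html; charset=utf-8' ],
    [ 'folded',   "attachment;\015\012 filename=report.txt" ],
    [ 'injected', "en\015\012Set-Cookie: sid=constructed" ],
    [ 'bare LF',  "en\012X-Injected: 1" ],
    [ 'trailing', "en\015\012" ],
);

for my $sample (@samples) {
    my ($label, $raw) = @$sample;
    my $clean = eval { clean_header_value($raw) };
    if (defined $clean) {
        printf "%-9s accepted: %s\n", $label, $clean;
    }
    else {
        my $err = $@;
        chomp $err;
        printf "%-9s rejected: %s\n", $label, $err;
    }
}
```

Only the plain and folded values are accepted; the check runs on the value after unfolding, so a folded continuation cannot be used to hide a later bare newline.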
Tom, Kurt, since the CVEs description from c#3 and c#4 can't be split based on package, please take this bug as a master security bug also for perl-CGI-Simple component for now (the bugs were filed sooner than CVEs were assigned [each being for both components :(]).

Created perl-CGI-Simple tracking bugs for this issue

Affects: fedora-all [bug 658973]
*** Bug 658970 has been marked as a duplicate of this bug. ***
This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0558 https://rhn.redhat.com/errata/RHSA-2011-0558.html
Created perl tracking bugs for this issue

Affects: fedora-all [bug 743630]
Created perl-CGI tracking bugs for this issue

Affects: fedora-all [bug 743629]
This issue has been addressed in following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2011:1797 https://rhn.redhat.com/errata/RHSA-2011-1797.html