https://bugzilla.redhat.com/show_bug.cgi?id=658970

--- Comment #3 from Jan Lieskovsky <jlieskov@xxxxxxxxxx> 2010-12-01 14:20:45 EST ---

CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1

And reply from Mark Stosberg regarding patch completion:
=========================================================

> Since perl-CGI is different code base than Bugzilla, we suspect a
> > new CVE id is required
> > for this issue? Steve, could you please allocate one? (id #1)

CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on how they use it.

> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the
> > issue? Is it
> > related to CVE-2010-3172?

Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed).

> > Steve, could you please allocate CVE id for this? (id #2)
> >
> > Yet, back to CVE-2010-3172, Masahiro mentions in [2], that
> > perl-CGI-Simple is prone
> > to same deficiency, as CVE-2010-3172 in Bugzilla was:
> > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> >
> > Looks, like it was already fixed in perl-CGI-Simple too:
> > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> >
> > Relevant perl-CGI-Simple patch:
> > [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched. I submitted a patch, but it has not been applied, as seen in the Network view:

https://github.com/markstos/CGI--Simple/network

However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple.

Mark

===========================================================

Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2

============================================================

Tom, regarding the already scheduled Fedora updates -- not sure, how to proceed now regarding the incomplete patch / change mentioned above? Would we rather wait a bit and fix the issue completely later or fix it 'two times'?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Note: The facts above arose only very recently.