-------------------------------------------------------------------------- Debian Security Advisory DSA 371-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman August 11th, 2003 http://www.debian.org/security/faq -------------------------------------------------------------------------- Package : perl Vulnerability : cross-site scripting Problem-Type : remote Debian-specific: no CVE Ids : CAN-2003-0615 A cross-site scripting vulnerability exists in the start_form() function in CGI.pm. This function outputs user-controlled data into the action attribute of a form element without sanitizing it, allowing a remote user to execute arbitrary web script within the context of the generated page. Any program which uses this function in the CGI.pm module may be affected.
rac already posted a "pre-GLSA" here after I found this isse on Debian's security site. Emerging the latest CGI.pm ebuild will fix it, versus having everyone recompile the clunker of a package perl can be. http://forums.gentoo.org/viewtopic.php?t=74904
Please note: This is an additional bug, not covered until CGI-3.0 hit portage a few minutes ago. See bug 26785 for more.
Rac - this is *another* cross-site scripting fix. I've posted CGI-3.0 which covers it. See http://search.cpan.org/src/LDS/CGI.pm-3.00/cgi_docs.html for version summary.
How should this be handled? I remember we had a similar issue with Safe a while ago. Best would be a new revision of perl that pulls the updated cgi.pm the same way as it's done with safe.
Re: comment #2 changing resolution to FIXED