Bug 348342 - <dev-perl/Cgi-Simple-1.113: HTTP Response Splitting Vulnerability (CVE-2010-2761)
Summary: <dev-perl/Cgi-Simple-1.113: HTTP Response Splitting Vulnerability (CVE-2010-2...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://github.com/AndyA/CGI--Simple/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-10 07:01 UTC by Tim Sammut (RETIRED)
Modified: 2011-01-10 19:35 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2010-12-10 07:01:02 UTC
From http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761: 

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. 

Upstream commit appears to be at $URL.
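The issue the CVE text describes is easy to model: with a constant boundary, untrusted content that contains that exact delimiter line is read by the client as the start of a new part with its own headers; an unguessable per-response boundary and a check that the body never contains the delimiter both close the gap. The following is an added illustration in Python, not code from CGI::Simple or the upstream fix; the boundary constant and the stream parser are constructed stand-ins.

```python
"""Model of the multipart/x-mixed-replace boundary issue (constructed example)."""
import secrets

CRLF = "\r\n"
# Placeholder standing in for a hardcoded boundary; not the library's real value.
FIXED_BOUNDARY = "------=_FIXED_BOUNDARY_PLACEHOLDER"


def random_boundary() -> str:
    """Hardened approach: a fresh, unguessable boundary for every response."""
    return "------=_" + secrets.token_hex(16)


def render_part(boundary, body, content_type="text/html", reject_boundary=True):
    """Emit one part of a multipart/x-mixed-replace stream.

    With reject_boundary=True the part is refused if the body contains the
    delimiter, so the client can never be handed a second, injected part."""
    if reject_boundary and boundary in body:
        raise ValueError("part body contains the MIME boundary")
    return f"--{boundary}{CRLF}Content-Type: {content_type}{CRLF}{CRLF}{body}{CRLF}"


def parse_parts(stream, boundary):
    """Split a stream the way a receiving client does: every '--boundary' line
    opens a new part whose header block ends at the first empty line."""
    parts = []
    for chunk in stream.split(f"--{boundary}{CRLF}")[1:]:
        head, _, body = chunk.partition(CRLF + CRLF)
        headers = dict(line.split(": ", 1) for line in head.split(CRLF) if ": " in line)
        parts.append((headers, body.rstrip(CRLF)))
    return parts


def parts_seen_by_client(boundary, body, reject_boundary=True):
    """Render one part holding `body` and count the parts a client would see.
    1 means the stream stayed intact; more means the body split it."""
    stream = render_part(boundary, body, reject_boundary=reject_boundary)
    return len(parse_parts(stream, boundary))


def demo():
    # Constructed untrusted content that happens to contain the fixed delimiter
    # line followed by its own header block, as the CVE description puts it.
    tainted = ("hello" + CRLF + "--" + FIXED_BOUNDARY + CRLF
               + "Content-Type: text/plain" + CRLF + CRLF + "second part")
    results = {
        "fixed_unchecked": parts_seen_by_client(FIXED_BOUNDARY, tainted, False),
        "random_unchecked": parts_seen_by_client(random_boundary(), tainted, False),
    }
    try:
        parts_seen_by_client(FIXED_BOUNDARY, tainted)
        results["fixed_checked"] = "accepted"
    except ValueError:
        results["fixed_checked"] = "rejected"
    return results
```

Running `demo()` yields two parts for the fixed, unchecked boundary, one part once the boundary is random, and a rejected part when the delimiter check is on.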
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2010-12-27 18:07:02 UTC
Fixed in =dev-perl/Cgi-Simple-1.113
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-27 18:30:10 UTC
(In reply to comment #1)
> Fixed in =dev-perl/Cgi-Simple-1.113
> 

Thank you.

Arches, please test and mark stable:
=dev-perl/Cgi-Simple-1.113
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2010-12-28 08:42:16 UTC
Stable on x86 and amd64
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2011-01-01 15:38:02 UTC
alpha/ia64/sparc stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-01-09 14:08:51 UTC
ppc done
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-10 10:50:05 UTC
ppc64 stable.

@security: last arch done, into your hands
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:11:35 UTC
Vote: No.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 19:35:57 UTC
No too, closing noglsa. Thanks, folks.