Bug 214784 (CVE-2008-1532)

Summary: dev-perl/Perlbal <1.70 crash on zero byte chunked upload when buffered uploads are enabled (CVE-2008-{1532,1652})
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: trivial
Reporter: Stefan Behte (RETIRED) <craig>
Assignee: Gentoo Security <security>
CC: perl, rainhead, robbat2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://search.cpan.org/src/BRADFITZ/Perlbal-1.70/CHANGES
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-03-25 20:17:57 UTC
http://search.cpan.org/dist/Perlbal/

1.70: 2008-03-08

    -- SECURITY: patch from Jeremy James <jbj@forbidden.co.uk> to not crash
       on zero byte chunked upload when buffered uploads are enabled.

    -- on successful write, update Perlbal::Socket's alive_time, so slowly
       reproxied writes don't timeout the connection and kill it.  Patch
       from Jonty <jonty@last.fm>.  r765

    -- Perl 5.10 support.  Patch from Andy Armstrong <andy@hexten.net>.
       Disclaimer: at least the tests all pass now, but no real-world use yet.
       Should be fine, though.  Please report your success to the mailing list
       and/or brad@danga.com.

    -- Add Include plugin by Eamon Daly <edaly@nextwavemedia.com>; plugin
       allows you to use "INCLUDE = /etc/conf.d/*" or "INCLUDE = /foo.conf"
       to bring in more config; can be nested.

    -- SECURITY: Previously a single upward directory traversal was possible
       when concat get was enabled. This behavior has been fixed in code to
       match with standard file serving.

    -- Fix 'No such pseudo-hash field "high_priority"' issue in Stats plugin
       (Eamon Daly and Jonty Wareing)

    -- Support for "anonymous services", for API callers that really don't
       care what their service is called but just want to get hold of a
       Service object. These aren't really anonymous, but they have suitably
       ugly names that no sane human should ever conflict with them.

    -- add some new methods that make it a little nicer to embed Perlbal
       in another application that uses Danga::Socket. Some refactoring
       was done to avoid duplicate code between the "end-user" way and the
       API way.

    -- Chained selectors.  from Jeremy James <jbj@forbidden.co.uk>.

    -- add "cgilike" plugin which offers a simple API very loosely based on
       mod_perl for handling responses

    -- add HTTPHeaders method set_request_uri so plugins can modify the uri
       being requested

    -- access control test

    -- add option to AccessControl plugin to use observed_ip_string instead

    -- add observed_ip_string method to perlbal sockets, allowing http
       connections to set an observed ip string when an upstream proxy is
       trusted.

    -- add blind_proxy option, which disables appending to the end of the
       X-Forwarded-For header when connections arrive from a trusted proxy.

    -- make socket closing more verbose when Perlbal::DEBUG is set

    -- verify_backend_path configuration option

    -- don't overwrite $^P, allows use of perl debugger on perlbal.


Although the security impact of the two bugs is only "middle", I guess we should update it soon.
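The two SECURITY entries in the quoted CHANGES (the zero-byte chunked upload crash, and the single upward directory traversal when concat get is enabled) are both generic input-handling edge cases. The block below is an added illustration of those two checks; it is written in Python rather than Perl and is not code from Perlbal, from the patches named above, or from this bug. It shows a chunked-body decoder that treats a zero-size chunk as the body terminator even when it is the very first chunk, and a docroot-containment check that lexically normalises the requested path and rejects anything that climbs above the document root. The function names, the docroot "/var/www", the sample bodies and paths, and the assumed request shape for the concat case (a directory plus a comma-separated list of file names) are all constructed for this example.

```python
import posixpath


class ChunkedError(ValueError):
    """Raised for truncated or malformed chunked transfer-coding input."""


def decode_chunked(body):
    """Decode an HTTP/1.1 chunked body from bytes.

    Returns (payload, remaining) where `remaining` is whatever follows the
    terminating zero-size chunk and its trailer.  A body consisting only of
    the zero chunk ("0\r\n\r\n", i.e. a zero-byte upload) is valid and must
    decode to b"" instead of being treated as an error or indexing into an
    empty buffer.  Raises ChunkedError on incomplete or malformed input.
    """
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl == -1:
            raise ChunkedError("incomplete chunk-size line")
        # Chunk extensions (";name=value") are allowed after the size; drop them.
        size_field = body[pos:nl].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError("bad chunk size %r" % size_field)
        if size < 0:
            raise ChunkedError("negative chunk size")
        pos = nl + 2
        if size == 0:
            # last-chunk: zero or more trailer lines, then an empty line.
            while True:
                nl = body.find(b"\r\n", pos)
                if nl == -1:
                    raise ChunkedError("incomplete trailer")
                line = body[pos:nl]
                pos = nl + 2
                if line == b"":
                    return bytes(out), body[pos:]
        end = pos + size
        # Need the chunk data plus the CRLF that terminates it.
        if len(body) < end + 2:
            raise ChunkedError("incomplete chunk data")
        if body[end:end + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk data")
        out += body[pos:end]
        pos = end + 2


def decode_or_none(body):
    """Convenience wrapper: decoded payload, or None if the body is malformed."""
    try:
        return decode_chunked(body)[0]
    except ChunkedError:
        return None


def safe_join(docroot, relpath):
    """Join a request-relative path onto docroot, or return None if it escapes.

    posixpath.normpath collapses '.', '..' and duplicate slashes lexically and
    keeps any leading '..' that could not be resolved, so a single '..' (or
    any number of them) that would climb above docroot is detected here rather
    than handed to the filesystem.  '..' that stays inside docroot is fine,
    matching ordinary static file serving.
    """
    norm = posixpath.normpath(relpath)
    if norm.startswith("/") or norm == "." or norm == ".." or norm.startswith("../"):
        return None
    return posixpath.join(docroot, norm)


def resolve_concat(docroot, directory, filelist):
    """Resolve a concat-style request (assumed shape: one directory plus a
    comma-separated list of file names) to docroot paths.

    Every member is checked independently; if any one escapes docroot the whole
    request is rejected, so an attacker cannot hide one bad member among good ones.
    """
    resolved = []
    for name in filelist.split(","):
        path = safe_join(docroot, posixpath.join(directory.lstrip("/"), name))
        if path is None:
            return None
        resolved.append(path)
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs.
    print(decode_chunked(b"0\r\n\r\n"))                                   # zero-byte upload
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))        # two chunks
    print(resolve_concat("/var/www", "/css", "a.css,b.css"))
    print(resolve_concat("/var/www", "/css", "a.css,../../etc/passwd"))  # None
```

The decoder returns the unconsumed tail so a caller buffering uploads can see whether a pipelined request follows the terminator; the path check is purely lexical and should still be followed by an open() that fails closed on symlinks or unexpected file types, which is outside the scope of this example.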
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:56:57 UTC
Maintainers, please bump as needed. (and fixing whiteboard since it's ~arch only)
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 19:07:53 UTC
(In reply to comment #1)
> Maintainers, please bump as needed. (and fixing whiteboard since it's ~arch
> only)
> 

*ping*
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-07-06 19:17:14 UTC
incvs
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 19:59:26 UTC
thanks, closing.