Bug 351699 (CVE-2010-4411) - <perl-core/CGI-3.510: HTTP header injection and response splitting (CVE-2010-4411)
Status: RESOLVED FIXED
Alias: CVE-2010-4411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-14 21:19 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-10-08 22:47 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (perl-5.12.2-r6:20110115-142144.log,788.47 KB, text/plain)
2011-01-15 14:42 UTC, Agostino Sarubbo

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-14 21:19:39 UTC
Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761.
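The description names the vulnerability class but, as the NVD text says, not the vector. The following is an added illustration of the class itself, not code from the bug, from CGI.pm or from the CVE-2010-2761 fix: a header builder that emits values unchecked lets a CR LF inside one value start a new header line or end the header block, while a builder that validates values before joining them refuses such input. All function names and the sample tainted value are constructed for this example.

```python
"""Added example (not from the bug report or from CGI.pm): how a CR/LF in an
HTTP header value splits a response, and a builder that refuses such values.
Every name here is constructed for illustration."""
import re

# Constructed sample: a redirect target that came from user input. The CR LF
# pairs terminate a header line in HTTP/1.1, so a naive builder turns the one
# Location header into a second header plus an attacker-chosen body.
TAINTED_LOCATION = (
    "http://example.invalid/home"
    "\r\nX-Injected: 1"
    "\r\n\r\n<html>spoofed page</html>"
)


class HeaderInjectionError(ValueError):
    """Raised when a header name or value contains a line-control character."""


def build_response_naive(status, headers):
    """Joins name/value pairs without validation. This is the failure mode:
    a CR LF inside a value becomes a new header line or ends the header block
    early, which is what "HTTP response splitting" means."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


# CR, LF and NUL must never appear inside a header name or value.
_CTL = re.compile(r"[\r\n\x00]")


def build_response_safe(status, headers):
    """Same shape as the naive builder, but every name and value is checked
    first; anything containing CR, LF or NUL is rejected rather than emitted.
    Rejecting is preferable to silently stripping, which hides the attempt."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        if _CTL.search(name) or _CTL.search(value):
            raise HeaderInjectionError(f"control character in header {name!r}")
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def count_header_lines(raw):
    """Number of lines a client would parse as the header block: everything
    before the first blank line, split on CR LF (status line included)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n"))


def demo():
    """Returns (header lines the naive builder emitted, whether the safe
    builder rejected the same input). With the tainted value the naive
    builder sends 3 header lines instead of 2."""
    naive = build_response_naive("302 Found", [("Location", TAINTED_LOCATION)])
    try:
        build_response_safe("302 Found", [("Location", TAINTED_LOCATION)])
        rejected = False
    except HeaderInjectionError:
        rejected = True
    return count_header_lines(naive), rejected


if __name__ == "__main__":
    print(demo())  # (3, True)
```

The check lives in the builder rather than at each call site: an incomplete fix, as this bug's note about CVE-2010-2761 illustrates, is typically one that validates some paths to the header writer but not all of them.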
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-14 21:21:50 UTC
Note: I'm not sure about the Gentoo package name, it might be dev-perl/Cgi-Simple :-/
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2011-01-15 09:54:16 UTC
Fixed in

=dev-lang/perl-5.12.2-r6
=virtual/perl-CGI-3.510
=perl-core/CGI-3.510
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-15 10:07:24 UTC
(In reply to comment #2)
> =dev-lang/perl-5.12.2-r6
> =virtual/perl-CGI-3.510
> =perl-core/CGI-3.510

Arches, please test and stabilize the above.
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-15 14:29:30 UTC
ppc/ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2011-01-15 14:42:38 UTC
Created attachment 259925 [details]
Build log

On amd64 it is OK, but I see:

/usr/share/man/man1/pl2pm.1
  /usr/share/man/man1/prove.1
  /usr/share/man/man1/ptar.1
  /usr/share/man/man1/ptardiff.1

no documentation in utils/cpanp-run-perl

  /usr/share/man/man1/cpanp.1
  /usr/share/man/man1/cpan2dist.1

and

installhtml: ./pod/perlhack.pod: cannot resolve L<writemain> in paragraph 125.
installhtml: ./pod/perlhack.pod: cannot resolve L<Test Anything Protocol|TAP> in paragraph 455.

/usr/share/man/man1/cpanp-run-perl.1 does not exist!

>>> Completed installing perl-5.12.2-r6 into /tmp/portage/dev-lang/perl-5.12.2-r6/image/


What about this?
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-01-15 17:55:08 UTC
amd64 done

I couldn't reproduce the warnings but they don't seem serious anyway
Comment 7 David Abbott (RETIRED) gentoo-dev 2011-01-16 02:03:11 UTC
Tested on x86, all good here.
Comment 8 Agostino Sarubbo gentoo-dev 2011-01-16 13:08:37 UTC
(In reply to comment #7)
> Tested on x86, all good here.
> 

+1
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-18 10:01:03 UTC
stable x86, thanks David and Agostino
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-18 17:45:33 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-01-22 11:18:54 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-22 21:33:19 UTC
Thanks, everyone.

GLSA Vote: yes.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:41:58 UTC
Thanks tove!

GLSA vote: NO.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:47:45 UTC
GLSA vote: NO, closing [noglsa].