Bug 864895 (CVE-2013-7329) - VUL-0: CVE-2013-7329: perl-CGI-Application: information disclosure flaw
Summary: VUL-0: CVE-2013-7329: perl-CGI-Application: information disclosure flaw
Status: RESOLVED FIXED
Alias: CVE-2013-7329
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Deadline: 2014-03-06
Assignee: Christopher Hofmann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96439/
Whiteboard: maint:running:56349:moderate CVSSv2:R...
Keywords:
Depends on:
Blocks:

Reported: 2014-02-20 15:07 UTC by Victor Pereira
Modified: 2016-09-08 20:22 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-20 15:07:03 UTC
CVE-2013-7329

It was reported [1],[2] that the CGI::Application Perl module suffered from a flaw where, in certain cases, it would unexpectedly dump a complete set of web query data and server environment information as an error page. This could allow unintended disclosure of sensitive information.

A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19.


[1] https://rt.cpan.org/Public/Bug/Display.html?id=84403
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
[3] https://github.com/markstos/CGI--Application/pull/15
[4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe


References:
http://comments.gmane.org/gmane.comp.security.oss.general/12180
https://bugzilla.redhat.com/show_bug.cgi?id=1067180
https://github.com/markstos/CGI--Application/commit/61d327646f01fe
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
Comment 1 Swamp Workflow Management 2014-02-20 15:09:13 UTC
The SWAMPID for this issue is 56349.
This issue was rated as moderate.
Please submit fixed packages by 2014-03-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 SMASH SMASH 2014-02-20 15:10:12 UTC
Affected packages:

SLE-11-SP3: perl-CGI-Application
SLE-11-SP2: perl-CGI-Application
SLE-10-SP3-TERADATA: perl-CGI-Application
Comment 3 Swamp Workflow Management 2014-02-20 23:02:11 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2014-02-27 16:38:11 UTC
perl-CGI-Application is 4.20 in SLE11, and already includes the fix.

It's only shipped on SLE11 SP3 SDK, no other products.

Fixed upstream since August 2008, so openSUSE is likely also fixed.

-> done