Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ken...@xdump.org
Please unblock package collectd

[ Reason ]
Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294

If collection3 is set up (not enabled by default), the following error is sent to the logs repeatedly:

FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412"

This has not actually been assigned a CVE, but it is an unexpected situation.

[ Impact ]
It doesn't break collectd behavior at all. It only fixes the generation of tons of warning messages about inappropriate usage of param() via the bundled web interface utility (collection3).

[ Tests ]
Not ready for an automated test because it needs to run collection3 as a CGI. So I manually tested the attached patch.

[ Risks ]
Low, because there are very few reverse dependencies and it is only affected when the web interface is enabled.

% LANG=C apt rdepends collectd
collectd
Reverse Depends:
  Replaces: collectd-utils (<< 4.6.1-1~)
  Recommends: kcollectd
  Suggests: drraw
  Suggests: libcollectdclient1
  Replaces: collectd-core (<< 4.8.2-1~)
  Recommends: collectd-utils

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
I've prepared a debdiff patch.

unblock collectd/5.12.0-7
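An added illustration of the list-context problem the CGI.pm warning refers to, next to the two replacements the debdiff uses (forcing scalar context, and calling multi_param() where a list is really wanted). This is example code written for this page, not code from collectd or collection3; the request string, the hash layout and the function names are constructed.

```perl
#!/usr/bin/perl
# Example (not part of the collectd package): why CGI::param in list
# context is a problem, and the two forms the collection3 patch uses instead.
use strict;
use warnings;
use CGI;

# Constructed request: the client repeats the "name" parameter three times.
my $q = CGI->new('name=alice&name=role&name=admin');

# Vulnerable shape: param() in list context expands to ALL submitted values,
# so the extra values become additional key/value pairs of the hash.
# This call is what triggers the "CGI::param called in list context" warning.
sub build_user_unsafe {
    my ($cgi) = @_;
    my %user = (role => 'guest', name => $cgi->param('name'));
    # list seen by the hash assignment:
    #   (role => 'guest', name => 'alice', role => 'admin')
    # the later 'role' key wins, so $user{role} is now 'admin'
    return \%user;
}

# Fix A (as in get_timespan_selection): force scalar context, which yields
# only the first value, whatever the client repeated.
sub build_user_safe {
    my ($cgi) = @_;
    my %user = (role => 'guest', name => scalar $cgi->param('name'));
    return \%user;
}

# Fix B (as for hostname/plugin selections): when a list of values really is
# wanted, ask for it explicitly with multi_param(), which never warns.
sub selected_values {
    my ($cgi, $key) = @_;
    return $cgi->multi_param($key);
}

my $unsafe = build_user_unsafe($q);
my $safe   = build_user_safe($q);
printf "unsafe: name=%s role=%s\n", $unsafe->{name}, $unsafe->{role};
printf "safe:   name=%s role=%s\n", $safe->{name},   $safe->{role};
printf "multi_param: %s\n", join(',', selected_values($q, 'name'));
```

Running it prints role=admin for the unsafe hash and role=guest for the safe one, and the first call also emits the same list-context warning on stderr that the bug report quotes.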
diff -Nru collectd-5.12.0/debian/changelog collectd-5.12.0/debian/changelog --- collectd-5.12.0/debian/changelog 2021-06-02 00:56:33.000000000 +0900 +++ collectd-5.12.0/debian/changelog 2021-07-14 21:46:02.000000000 +0900 @@ -1,3 +1,10 @@ +collectd (5.12.0-7) unstable; urgency=medium + + * Team upload. + * Fix CGI::param error in collection3 (Closes: 982294) + + -- Kentaro Hayashi <ken...@xdump.org> Wed, 14 Jul 2021 21:46:02 +0900 + collectd (5.12.0-6) unstable; urgency=medium * [b4e7861] collectd-dev: Add missing header files again. diff -Nru collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch --- collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 1970-01-01 09:00:00.000000000 +0900 +++ collectd-5.12.0/debian/patches/cgi-param-in-list-context.patch 2021-07-14 21:46:02.000000000 +0900 
@@ -0,0 +1,58 @@ +From: Kentaro Hayashi <ken...@xdump.org> +Subject: Fix CGI::param error in collection3 +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 +Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6 + +When using collection3 as a CGI, the following error is sent to logs repeatedly. +This MR fixes it: + + FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412" + +This is caused by inappropriate usage of param(), +it should be handled as a scalar or should be treated by multi_param() explicitly. + +Closes: #982294 + +ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 + +--- a/contrib/collection3/lib/Collectd/Graph/Common.pm ++++ b/contrib/collection3/lib/Collectd/Graph/Common.pm +@@ -526,7 +526,7 @@ + for (qw(hostname plugin plugin_instance type type_instance)) + { + my $part = $_; +- my @temp = param ($part); ++ my @temp = multi_param ($part); + if (!@temp) + { + next; +@@ -547,9 +547,9 @@ + sub get_timespan_selection + { + my $ret = 86400; +- if (param ('timespan')) ++ if (scalar param ('timespan')) + { +- my $temp = int (param ('timespan')); ++ my $temp = int (scalar param ('timespan')); + if ($temp && ($temp > 0)) + { + $ret = $temp; +@@ -568,7 +568,7 @@ + $ret{$_} = 0; + } + +- for (param ('hostname')) ++ for (multi_param ('hostname')) + { + my $host = _sanitize_generic_allow_minus ($_); + if (defined ($ret{$host})) +@@ -597,7 +597,7 @@ + $ret{$_} = 0; + } + +- for (param ('plugin')) ++ for (multi_param ('plugin')) + { + if (defined ($ret{$_})) + { diff -Nru collectd-5.12.0/debian/patches/series collectd-5.12.0/debian/patches/series --- collectd-5.12.0/debian/patches/series 2021-06-02 00:56:33.000000000 +0900 +++ collectd-5.12.0/debian/patches/series 2021-07-14 
21:46:02.000000000 +0900 @@ -3,3 +3,4 @@ myplugin_includes.patch nagios-debian-paths.patch fix-smart-test +cgi-param-in-list-context.patch
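Review bot: in the `get_timespan_selection` hunk of Common.pm the added `scalar` is redundant rather than a fix: both `if (param ('timespan'))` and `int (param ('timespan'))` already evaluate `param` in scalar context, so neither original line can raise the list-context warning (the report points at line 529, the `my @temp = param ($part);` assignment, and the `for (param (...))` loops are the other genuine list-context calls). Keeping `scalar` is harmless and makes the intent explicit, so this is a style point only; the patch description could note that these two lines are defensive.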
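Review bot: the changelog entry `* Fix CGI::param error in collection3 (Closes: 982294)` omits the `#` from the bug number; the usual Debian changelog form is `Closes: #982294`, which would also match the `Closes: #982294` line in the patch header.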