Package: release.debian.org
Control: affects -1 + src:awstats
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Severity: normal
[ Reason ]
This fixes CVE-2025-63261: AWStats 8.0 is vulnerable to Command Injection via the open function.

[ Impact ]
In some situations, mostly concerning web hosting panels, a malicious user with write privileges to the local filesystem may run arbitrary commands, possibly as a different awstats system user.

[ Tests ]
I manually installed awstats on bookworm and ensured stats were still correctly generated.
I installed and tested the same fix for trixie: https://bugs.debian.org/1132727
The same fix was published to bullseye-lts and buster-elts last month, no issues reported (DLA-4509-1, ELA-1662-1).
I ran common Debian tests through debusine: https://debusine.debian.net/debian/developers/work-request/555885/

[ Risks ]
The fix is trivial and is a textbook example of insecure old-style Perl open, causing confusion between a filename with a trailing '|' and a request to pipe input from arbitrary commands:
https://perldoc.perl.org/functions/open#Specifying-mode-and-filename-as-a-single-argument
https://perldoc.perl.org/functions/open#Whitespace-and-special-characters-in-the-filename-argument

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Added CVE-2025-63261.patch with a one-liner fix.
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog --- awstats-7.8/debian/changelog 2023-10-10 02:04:39.000000000 +0200 +++ awstats-7.8/debian/changelog 2026-04-04 19:47:59.000000000 +0200 @@ -1,3 +1,11 @@ +awstats (7.8-3+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * CVE-2025-63261: Fix a command injection vulnerability caused by using + Perl's 2-argument open() function. (Closes: #1131878) + + -- Sylvain Beucler <[email protected]> Sat, 04 Apr 2026 19:47:59 +0200 + awstats (7.8-3+deb12u1) bookworm; urgency=medium * Non-maintainer upload. diff -Nru awstats-7.8/debian/patches/CVE-2025-63261.patch awstats-7.8/debian/patches/CVE-2025-63261.patch --- awstats-7.8/debian/patches/CVE-2025-63261.patch 1970-01-01 01:00:00.000000000 +0100 +++ awstats-7.8/debian/patches/CVE-2025-63261.patch 2026-04-04 11:25:04.000000000 +0200 @@ -0,0 +1,21 @@ +From: Chris Lamb <[email protected]> +Date: Wed, 25 Mar 2026 11:43:54 -0700 +Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function. + +--- + wwwroot/cgi-bin/awstats.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: awstats-7.8/wwwroot/cgi-bin/awstats.pl +=================================================================== +--- awstats-7.8.orig/wwwroot/cgi-bin/awstats.pl ++++ awstats-7.8/wwwroot/cgi-bin/awstats.pl +@@ -7572,7 +7572,7 @@ sub Read_DNS_Cache { + LoadCache_hashfiles( $filetoload, $hashtoload ); + } + if ( !scalar keys %$hashtoload ) { +- open( DNSFILE, "$filetoload" ) ++ open( DNSFILE, "<", $filetoload ) + or error("Couldn't open DNS Cache file \"$filetoload\": $!"); + + #binmode DNSFILE; # If we set binmode here, it seems that the load is broken on ActiveState 5.8 diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series --- awstats-7.8/debian/patches/series 2023-07-08 02:47:02.000000000 +0200 +++ awstats-7.8/debian/patches/series 2026-04-04 11:24:43.000000000 +0200 
@@ -12,3 +12,4 @@ 2009_googlesearch.patch 0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch fix-cross-site-scripting.patch +CVE-2025-63261.patch
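Review bot: the awstats.pl hunk changes exactly one open() call, in Read_DNS_Cache (1 insertion, 1 deletion), while the patch Subject and the changelog entry describe the bug generically as "using Perl's 2-argument open() function"; please state in the DEP-3 header whether any other 2-argument open() calls in awstats.pl were audited and found to take fixed or non-attacker-controlled filenames, so the release team can see the scope of the fix. The header also carries From:, Date: and Subject: but no Bug-Debian: or Origin: field; adding `Bug-Debian: https://bugs.debian.org/1131878` and the origin of the change (the Subject names Chris Lamb as author) would make the patch self-describing.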
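Added example in Perl, not code from the awstats package or from this report: it applies the hardened 3-argument open() from the patch to a constructed cache file, shows that a constructed filename ending in '|' is then merely a missing file rather than a command, and includes a small audit helper that flags remaining 2-argument open() calls whose filename is interpolated or a bare variable. The helper names `read_cache_file` and `find_two_arg_opens` and the sample inputs are assumptions for illustration.

```perl
# Added example, not code from the awstats package or the bug report above.
# With 2-argument open(), a "filename" ending in '|' is parsed as a request to
# pipe input from a command; with an explicit "<" mode it is only a filename.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Read a simple "key value" cache file with the 3-argument open(), as the
# CVE-2025-63261 patch does for the DNS cache (helper name is an assumption).
sub read_cache_file {
    my ($path) = @_;
    open( my $fh, "<", $path ) or die "Couldn't open cache file \"$path\": $!";
    my %cache;
    while ( my $line = <$fh> ) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        my ( $key, $val ) = split ' ', $line;
        $cache{$key} = $val if defined $val;
    }
    close $fh;
    return \%cache;
}

# Audit helper (assumed name): line numbers of 2-argument open() calls whose
# filename is an interpolated string or a bare variable, the pattern removed by the patch.
sub find_two_arg_opens {
    my ($perl_source) = @_;
    my ( @hits, $n );
    for my $line ( split /\n/, $perl_source ) {
        $n++;
        push @hits, $n
          if $line =~ /\bopen\s*\(\s*[\w:\$]+\s*,\s*(?:"[^"]*\$[^"]*"|\$\w+)\s*\)/;
    }
    return @hits;
}

my $dir  = tempdir( CLEANUP => 1 );
my $good = File::Spec->catfile( $dir, "dnscache.txt" );    # constructed input
open( my $out, ">", $good ) or die $!;
print $out "# constructed DNS cache\n192.0.2.1 host.example\n";
close $out;
print "entries read: ", scalar( keys %{ read_cache_file($good) } ), "\n";

# A constructed, hostile-looking name: with 3-argument open() it is simply a
# file that does not exist, so open() fails instead of running a command.
my $weird = File::Spec->catfile( $dir, "uptime |" );
eval { read_cache_file($weird) };
print "3-arg open refused it: $@" if $@;

my $before  = 'open( DNSFILE, "$filetoload" )';      # pre-patch form
my $after   = 'open( DNSFILE, "<", $filetoload )';   # patched form
my @flagged = find_two_arg_opens( join "\n", $before, $after );
print "flagged lines: @flagged\n";    # only line 1, the pre-patch form
```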

