Package: release.debian.org
Control: affects -1 + src:awstats
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Severity: normal
[ Reason ]
This fixes CVE-2025-63261: AWStats 8.0 is vulnerable to Command
Injection via the open function.
[ Impact ]
In some situations, mostly concerning web hosting panels, a malicious
user with write privileges to the local filesystem may run arbitrary
commands, possibly as a different awstats system user.
[ Tests ]
I reproduced the issue and ensured it didn't happen with the fix.
I deployed the (very small) fix on 3 web servers that I administrate,
and that run awstats hourly, to ensure no regression occurred.
The same fix was published to bullseye-lts and buster-elts last month;
no issues were reported.
I ran common Debian tests through debusine:
https://debusine.debian.net/debian/developers/work-request/555861/
[ Risks ]
The fix is trivial: the bug is a textbook example of the insecure old-style
two-argument Perl open, which cannot distinguish a filename with a trailing
'|' from a request to pipe input from an arbitrary command:
https://perldoc.perl.org/functions/open#Specifying-mode-and-filename-as-a-single-argument
https://perldoc.perl.org/functions/open#Whitespace-and-special-characters-in-the-filename-argument
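As an added illustration (not part of this bug report or of the awstats package), a heuristic Python scanner that lists two-argument open() calls in Perl source, run over constructed sample lines that include the vulnerable and the fixed line from the patch; it only recognises parenthesised calls, so it is an aid for auditing a file for further instances, not a Perl parser.

```python
import re

# Constructed sample input: the two awstats.pl lines quoted in the patch plus
# a few invented variants of the same pattern (not real awstats source).
SAMPLE = """\
open( DNSFILE, "$filetoload" )
open( DNSFILE, "<", $filetoload )
open(my $fh, $logfile) or die "no: $!";
open(LOG, ">>$logfile");
open(CONF, "<", "/etc/awstats/awstats.conf") or die;
"""

def split_args(s):
    """Split the text inside open(...) on top-level commas, honouring quotes
    and nested parentheses; stops at the parenthesis that closes the call."""
    args, depth, quote, cur, i = [], 0, None, "", 0
    while i < len(s):
        c = s[i]
        if quote:
            cur += c
            if c == "\\" and i + 1 < len(s):   # keep escaped char inside a string
                cur += s[i + 1]
                i += 1
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            cur += c
        elif c == "(":
            depth += 1
            cur += c
        elif c == ")":
            if depth == 0:
                break                           # end of the open(...) call
            depth -= 1
            cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args

OPEN_RE = re.compile(r"\bopen\s*\(")

def find_two_arg_opens(source):
    """Return (line_number, filename_argument) for every open() called with
    exactly two arguments: the form whose mode is inferred from the name."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in OPEN_RE.finditer(line):
            args = split_args(line[m.end():])
            if len(args) == 2:
                hits.append((n, args[1]))
    return hits
```

Lines flagged by the scanner are the ones to convert to the three-argument form with an explicit mode, as the patch does for Read_DNS_Cache.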
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add CVE-2025-63261.patch with a one-liner fix.
[ Other info ]
Binary debdiff shows that NEWS.Debian.gz is dropped, due to NEWS pruning
in slightly newer debhelper (#1021607 - last entry was from 2006).
diff -Nru awstats-7.9/debian/changelog awstats-7.9/debian/changelog
--- awstats-7.9/debian/changelog 2023-08-28 09:03:39.000000000 +0200
+++ awstats-7.9/debian/changelog 2026-04-04 16:48:04.000000000 +0200
@@ -1,3 +1,11 @@
+awstats (7.9-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2025-63261: Fix a command injection vulnerability caused by using
+ Perl's 2-argument open() function. (Closes: #1131878)
+
+ -- Sylvain Beucler <[email protected]> Sat, 04 Apr 2026 16:48:04 +0200
+
awstats (7.9-1) unstable; urgency=medium
* New maintainer (Closes: #755797)
diff -Nru awstats-7.9/debian/patches/CVE-2025-63261.patch awstats-7.9/debian/patches/CVE-2025-63261.patch
--- awstats-7.9/debian/patches/CVE-2025-63261.patch 1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.9/debian/patches/CVE-2025-63261.patch 2026-04-04 11:06:15.000000000 +0200
@@ -0,0 +1,21 @@
+From: Chris Lamb <[email protected]>
+Date: Wed, 25 Mar 2026 11:43:54 -0700
+Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function.
+
+---
+ wwwroot/cgi-bin/awstats.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: awstats-7.9/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.9.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-7.9/wwwroot/cgi-bin/awstats.pl
+@@ -7683,7 +7683,7 @@ sub Read_DNS_Cache {
+ LoadCache_hashfiles( $filetoload, $hashtoload );
+ }
+ if ( !scalar keys %$hashtoload ) {
+- open( DNSFILE, "$filetoload" )
++ open( DNSFILE, "<", $filetoload )
+ or error("Couldn't open DNS Cache file \"$filetoload\": $!");
+
+ #binmode DNSFILE; # If we set binmode here, it seems that the load is broken on ActiveState 5.8
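Review bot: the patch header carries From/Date/Subject but no DEP-3 Origin: or Bug-Debian: field; add `Bug-Debian: https://bugs.debian.org/1131878` (and an Origin: line for the upstream commit, if one exists) so the provenance of debian/patches/CVE-2025-63261.patch is recorded. The substantive change is right: with `open( DNSFILE, "<", $filetoload )` the name is taken literally, so a DNS cache path ending in '|' (or padded with whitespace) can no longer be read as a request to pipe from a command; while here, it is worth confirming that no other two-argument open() in awstats.pl takes a path derived from the data or configuration directories, since the same class of bug would apply to it.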
diff -Nru awstats-7.9/debian/patches/series awstats-7.9/debian/patches/series
--- awstats-7.9/debian/patches/series 2023-08-28 08:40:12.000000000 +0200
+++ awstats-7.9/debian/patches/series 2026-04-04 11:05:33.000000000 +0200
@@ -10,3 +10,4 @@
2007_googleplus.patch
2008_twitter.patch
2009_googlesearch.patch
+CVE-2025-63261.patch