Source: libhttp-daemon-perl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libhttp-daemon-perl.

CVE-2022-31081[0]:
| HTTP::Daemon is a simple http server class written in perl. Versions
| prior to 6.15 are subject to a vulnerability which could potentially
| be exploited to gain privileged access to APIs or poison intermediate
| caches. It is uncertain how large the risks are, most Perl based
| applications are served on top of Nginx or Apache, not on the
| `HTTP::Daemon`. This library is commonly used for local development
| and tests. Users are advised to update to resolve this issue. Users
| unable to upgrade may add additional request handling logic as a
| mitigation. After calling `my $rqst = $conn->get_request()` one
| could inspect the returned `HTTP::Request` object. Querying the
| 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will
| show any abnormalities that should be dealt with by a `400` response.
| Expected strings of 'Content-Length' SHOULD consist of either a single
| non-negative integer, or, a comma separated repetition of that number.
| (that is `42` or `42, 42, 42`). Anything else MUST be rejected.

https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf

Refactoring/renaming prerequisite:
https://github.com/libwww-perl/HTTP-Daemon/commit/331d5c1d1f0e48e6b57ef738c2a8509b1eb53376
Fixed by:
https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2
Fixed by:
https://github.com/libwww-perl/HTTP-Daemon/commit/8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0
Testcase:
https://github.com/libwww-perl/HTTP-Daemon/commit/faebad54455c2c2919e234202362570925fb99d1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31081
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31081

Please adjust the affected versions in the BTS as needed.
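The advisory above describes a workaround for deployments that cannot move to 6.15: after `get_request()` returns, inspect the `Content-Length` header and answer a `400` unless it is a single non-negative integer or a comma-separated repetition of the same number. The following is an added example of that check wired into a minimal HTTP::Daemon loop; it is not code from the bug report or from the HTTP-Daemon project. The function name `canonical_content_length`, the listening address and port, and the `--self-test` switch are assumptions made here; `HTTP::Daemon->new`, `accept`, `get_request`, `send_error`, `send_response` and `HTTP::Request::header` are the real module API.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Response;
use HTTP::Status qw(HTTP_OK HTTP_BAD_REQUEST);

# Validate a Content-Length header value as the advisory requires.
# Accepts "42" or "42, 42, 42" (the form HTTP::Headers produces when the
# same header line was sent more than once) and returns the single
# canonical length. Returns undef for anything else: empty value,
# negative or non-numeric parts, differing numbers ("42, 43"), stray
# separators ("42,"), or an absent header. Values are compared as
# strings, so "42, 042" is treated as abnormal rather than normalised.
sub canonical_content_length {
    my ($header) = @_;
    return undef unless defined $header;
    $header =~ s/^\s+|\s+$//g;                      # trim surrounding whitespace
    my @parts = split /\s*,\s*/, $header, -1;       # -1 keeps empty trailing fields
    my %seen;
    for my $part (@parts) {
        return undef unless $part =~ /\A[0-9]+\z/;  # digits only, no sign, no spaces
        $seen{$part} = 1;
    }
    return undef unless keys %seen == 1;            # every repetition must agree
    return (keys %seen)[0];
}

# Optional offline check of the validator (constructed inputs, no network).
if (@ARGV && $ARGV[0] eq '--self-test') {
    my @cases = (
        ['42',          '42'],
        ['42, 42, 42',  '42'],
        ['0',           '0'],
        ['42, 43',      undef],
        ['42,',         undef],
        ['',            undef],
        ['-1',          undef],
        ['4 2',         undef],
        ['abc',         undef],
    );
    for my $c (@cases) {
        my ($in, $want) = @$c;
        my $got = canonical_content_length($in);
        my $ok = (defined $got && defined $want && $got eq $want)
              || (!defined $got && !defined $want);
        printf "%-4s %-12s => %s\n", ($ok ? 'ok' : 'FAIL'), "'$in'",
            defined $got ? $got : 'reject';
    }
    exit 0;
}

# Minimal server loop applying the mitigation to every request.
# Address and port are assumptions for this example.
my $d = HTTP::Daemon->new(LocalAddr => '127.0.0.1', LocalPort => 8080, ReuseAddr => 1)
    or die "cannot listen: $!";
print "Listening at ", $d->url, "\n";

while (my $conn = $d->accept) {
    while (my $rqst = $conn->get_request) {
        # In scalar context header() joins repeated lines with ", ",
        # which is exactly the repetition case the advisory allows.
        my $raw = $rqst->header('Content-Length');
        if (defined $raw && !defined canonical_content_length($raw)) {
            $conn->send_error(HTTP_BAD_REQUEST, "Malformed Content-Length");
            last;   # framing of the stream is now ambiguous; stop reading it
        }
        $conn->send_response(HTTP::Response->new(
            HTTP_OK, 'OK', ['Content-Type' => 'text/plain'], "ok\n"));
    }
    $conn->close;
    undef $conn;
}
```

Run with `--self-test` to exercise the validator without opening a socket; without arguments it serves on the assumed address. The `last` after the `400` matters: once a request's length cannot be trusted, the remaining bytes on that connection cannot be delimited reliably, so the loop stops reading rather than treating them as a new request.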