r67369 - in /branches/squeeze/libcgi-pm-perl/debian: changelog patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch patches/series

gregoa at users.alioth.debian.org gregoa at users.alioth.debian.org
Thu Jan 13 21:35:17 UTC 2011 

Author: gregoa
Date: Thu Jan 13 21:34:45 2011
New Revision: 67369

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67369
Log:
[SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
patch (closes: #606370).

Added:
    branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
Modified:
    branches/squeeze/libcgi-pm-perl/debian/changelog
    branches/squeeze/libcgi-pm-perl/debian/patches/series

Modified: branches/squeeze/libcgi-pm-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/changelog?rev=67369&op=diff
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/changelog (original)
+++ branches/squeeze/libcgi-pm-perl/debian/changelog Thu Jan 13 21:34:45 2011
@@ -1,3 +1,11 @@
+libcgi-pm-perl (3.49-1squeeze1) UNRELEASED; urgency=high
+
+  * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
+    CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
+    patch (closes: #606370).
+
+ -- gregor herrmann <gregoa at debian.org>  Thu, 13 Jan 2011 22:25:30 +0100
+
 libcgi-pm-perl (3.49-1) unstable; urgency=low
 
   [ Jonathan Yu ]

Added: branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch?rev=67369&op=file
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch (added)
+++ branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch Thu Jan 13 21:34:45 2011
@@ -1,0 +1,123 @@
+Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 from 3.50 and 3.51
+Bug-Debian: http://bugs.debian.org/606370
+Author: Niko Tyni <ntyni at debian.org>
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2011-01-13
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1457,7 +1457,14 @@
+ sub multipart_init {
+     my($self, at p) = self_or_default(@_);
+     my($boundary, at other) = rearrange_header([BOUNDARY], at p);
+-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
++    if (!$boundary) {
++        $boundary = '------- =_';
++        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
++        for (1..17) {
++            $boundary .= $chrs[rand(scalar @chrs)];
++        }
++    }
++
+     $self->{'separator'} = "$CRLF--$boundary$CRLF";
+     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
+     $type = SERVER_PUSH($boundary);
+@@ -1545,12 +1552,19 @@
+     # CR escaping for values, per RFC 822
+     for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
+         if (defined $header) {
+-            $header =~ s/
+-                (?<=\n)    # For any character proceeded by a newline
+-                (?=\S)     # ... that is not whitespace
+-            / /xg;         # ... inject a leading space in the new line
+-        }
+-    }
++            # From RFC 822:
++            # Unfolding  is  accomplished  by regarding   CRLF   immediately
++            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
++            $header =~ s/$CRLF(\s)/$1/g;
++
++            # All other uses of newlines are invalid input.
++            if ($header =~ m/$CRLF|\015|\012/) {
++                # shorten very long values in the diagnostic
++                $header = substr($header,0,72).'...' if (length $header > 72);
++                die "Invalid header value contains a newline not followed by whitespace: $header";
++            }
++        }
++   }
+ 
+     $nph     ||= $NPH;
+ 
+--- /dev/null
++++ b/t/headers.t
+@@ -0,0 +1,47 @@
++
++# Test that header generation is spec compliant.
++# References:
++#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
++#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
++
++use strict;
++use warnings;
++
++use Test::More 'no_plan';
++
++use CGI;
++
++my $cgi = CGI->new;
++
++like $cgi->header( -type => "text/html" ),
++    qr#Type: text/html#, 'known header, basic case: type => "text/html"';
++
++eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'invalid header blows up');
++
++like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
++    qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
++
++eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
++
++eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
++like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
++
++eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
++
++eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
++
++eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
++like($@,qr/contains a newline/,'redirect with leading newlines blows up');
++
++{
++    my $cgi = CGI->new('t=bogus%0A%0A<html>');
++    my $out;
++    eval { $out = $cgi->redirect( $cgi->param('t') ) };
++    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
++}
++
++
+--- /dev/null
++++ b/t/multipart_init.t
+@@ -0,0 +1,20 @@
++use Test::More 'no_plan';
++
++use CGI;
++
++my $q = CGI->new;
++
++my $sv = $q->multipart_init;
++like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
++
++like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
++
++$sv = $q->multipart_init( 'this_is_the_boundary' );
++like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
++$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
++like($sv,
++     qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
++
++$sv = $q->multipart_init;
++my $sv2 = $q->multipart_init;
++isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");

Modified: branches/squeeze/libcgi-pm-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/patches/series?rev=67369&op=diff
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/patches/series (original)
+++ branches/squeeze/libcgi-pm-perl/debian/patches/series Thu Jan 13 21:34:45 2011
@@ -1,2 +1,3 @@
 man-cgi-fast.patch
 fix-pod-spelling.patch
+CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch

More information about the Pkg-perl-cvs-commits mailing list