r67369 - in /branches/squeeze/libcgi-pm-perl/debian: changelog patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch patches/series
gregoa at users.alioth.debian.org
gregoa at users.alioth.debian.org
Thu Jan 13 21:35:17 UTC 2011
Author: gregoa
Date: Thu Jan 13 21:34:45 2011
New Revision: 67369
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67369
Log:
[SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
patch (closes: #606370).
Added:
branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
Modified:
branches/squeeze/libcgi-pm-perl/debian/changelog
branches/squeeze/libcgi-pm-perl/debian/patches/series
Modified: branches/squeeze/libcgi-pm-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/changelog?rev=67369&op=diff
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/changelog (original)
+++ branches/squeeze/libcgi-pm-perl/debian/changelog Thu Jan 13 21:34:45 2011
@@ -1,3 +1,11 @@
+libcgi-pm-perl (3.49-1squeeze1) UNRELEASED; urgency=high
+
+ * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
+ CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
+ patch (closes: #606370).
+
+ -- gregor herrmann <gregoa at debian.org> Thu, 13 Jan 2011 22:25:30 +0100
+
libcgi-pm-perl (3.49-1) unstable; urgency=low
[ Jonathan Yu ]
Added: branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch?rev=67369&op=file
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch (added)
+++ branches/squeeze/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch Thu Jan 13 21:34:45 2011
@@ -1,0 +1,123 @@
+Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 from 3.50 and 3.51
+Bug-Debian: http://bugs.debian.org/606370
+Author: Niko Tyni <ntyni at debian.org>
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2011-01-13
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1457,7 +1457,14 @@
+ sub multipart_init {
+ my($self, at p) = self_or_default(@_);
+ my($boundary, at other) = rearrange_header([BOUNDARY], at p);
+- $boundary = $boundary || '------- =_aaaaaaaaaa0';
++ if (!$boundary) {
++ $boundary = '------- =_';
++ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
++ for (1..17) {
++ $boundary .= $chrs[rand(scalar @chrs)];
++ }
++ }
++
+ $self->{'separator'} = "$CRLF--$boundary$CRLF";
+ $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
+ $type = SERVER_PUSH($boundary);
+@@ -1545,12 +1552,19 @@
+ # CR escaping for values, per RFC 822
+ for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
+ if (defined $header) {
+- $header =~ s/
+- (?<=\n) # For any character proceeded by a newline
+- (?=\S) # ... that is not whitespace
+- / /xg; # ... inject a leading space in the new line
+- }
+- }
++ # From RFC 822:
++ # Unfolding is accomplished by regarding CRLF immediately
++ # followed by a LWSP-char as equivalent to the LWSP-char.
++ $header =~ s/$CRLF(\s)/$1/g;
++
++ # All other uses of newlines are invalid input.
++ if ($header =~ m/$CRLF|\015|\012/) {
++ # shorten very long values in the diagnostic
++ $header = substr($header,0,72).'...' if (length $header > 72);
++ die "Invalid header value contains a newline not followed by whitespace: $header";
++ }
++ }
++ }
+
+ $nph ||= $NPH;
+
+--- /dev/null
++++ b/t/headers.t
+@@ -0,0 +1,47 @@
++
++# Test that header generation is spec compliant.
++# References:
++# http://www.w3.org/Protocols/rfc2616/rfc2616.html
++# http://www.w3.org/Protocols/rfc822/3_Lexical.html
++
++use strict;
++use warnings;
++
++use Test::More 'no_plan';
++
++use CGI;
++
++my $cgi = CGI->new;
++
++like $cgi->header( -type => "text/html" ),
++ qr#Type: text/html#, 'known header, basic case: type => "text/html"';
++
++eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'invalid header blows up');
++
++like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
++ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
++
++eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
++
++eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
++like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
++
++eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
++
++eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
++
++eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
++like($@,qr/contains a newline/,'redirect with leading newlines blows up');
++
++{
++ my $cgi = CGI->new('t=bogus%0A%0A<html>');
++ my $out;
++ eval { $out = $cgi->redirect( $cgi->param('t') ) };
++ like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
++}
++
++
+--- /dev/null
++++ b/t/multipart_init.t
+@@ -0,0 +1,20 @@
++use Test::More 'no_plan';
++
++use CGI;
++
++my $q = CGI->new;
++
++my $sv = $q->multipart_init;
++like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
++
++like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
++
++$sv = $q->multipart_init( 'this_is_the_boundary' );
++like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
++$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
++like($sv,
++ qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
++
++$sv = $q->multipart_init;
++my $sv2 = $q->multipart_init;
++isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
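Review bot: The unfolding line `$header =~ s/$CRLF(\s)/$1/g;` in the second CGI.pm hunk is broader than the RFC 822 rule the comment above it cites: LWSP-char is only SPACE and HTAB, whereas `\s` also matches form feed and vertical tab, so a CRLF followed by one of those is silently unfolded and accepted instead of being rejected by the check that follows (a CRLF followed by a bare CR or LF is still caught, because the stray character survives to the `m/$CRLF|\015|\012/` test). Restricting it to `$header =~ s/$CRLF([ \t])/$1/g;` makes the code match the quoted rule. The `die` after the 72-character truncation embeds the raw value, newline included, in the diagnostic, so the rejected input reaches the server error log unescaped and splits the log line; escaping non-printables first, e.g. `$header =~ s/([^[:print:]])/sprintf('\\x%02X', ord $1)/ge;`, keeps the diagnostic on one line and still shows what was rejected. In the first hunk the generated boundary is drawn from `rand`, which is adequate for uniqueness (as t/multipart_init.t checks) but is not a cryptographic source, and a short comment stating that the boundary is meant only to be non-predictable across calls would document the intent. Both `multipart_init` and `header()` continue outside their hunks, so how `@other` entries are normalised after this loop cannot be confirmed from the patch alone.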
Modified: branches/squeeze/libcgi-pm-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-pm-perl/debian/patches/series?rev=67369&op=diff
==============================================================================
--- branches/squeeze/libcgi-pm-perl/debian/patches/series (original)
+++ branches/squeeze/libcgi-pm-perl/debian/patches/series Thu Jan 13 21:34:45 2011
@@ -1,2 +1,3 @@
man-cgi-fast.patch
fix-pod-spelling.patch
+CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch