r67372 - in /branches/lenny/libcgi-pm-perl/debian: changelog patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch patches/series
gregoa at users.alioth.debian.org
gregoa at users.alioth.debian.org
Thu Jan 13 21:49:21 UTC 2011
Author: gregoa
Date: Thu Jan 13 21:49:14 2011
New Revision: 67372
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67372
Log:
[SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
patch (closes: #606370).
Added:
branches/lenny/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
Modified:
branches/lenny/libcgi-pm-perl/debian/changelog
branches/lenny/libcgi-pm-perl/debian/patches/series
Modified: branches/lenny/libcgi-pm-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-pm-perl/debian/changelog?rev=67372&op=diff
==============================================================================
--- branches/lenny/libcgi-pm-perl/debian/changelog (original)
+++ branches/lenny/libcgi-pm-perl/debian/changelog Thu Jan 13 21:49:14 2011
@@ -1,3 +1,11 @@
+libcgi-pm-perl (3.38-2lenny2) UNRELEASED; urgency=low
+
+ * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
+ CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the
+ patch (closes: #606370).
+
+ -- gregor herrmann <gregoa at debian.org> Thu, 13 Jan 2011 22:47:47 +0100
+
libcgi-pm-perl (3.38-2lenny1) stable; urgency=low
* Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape().
Added: branches/lenny/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch?rev=67372&op=file
==============================================================================
--- branches/lenny/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch (added)
+++ branches/lenny/libcgi-pm-perl/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch Thu Jan 13 21:49:14 2011
@@ -1,0 +1,149 @@
+Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 from 3.50 and 3.51
+Bug: http://bugs.debian.org/606370
+Author: Niko Tyni <ntyni at debian.org>
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2011-01-13
+
+--- a/CGI.pm
++++ b/CGI.pm
+@@ -1382,7 +1382,14 @@
+ sub multipart_init {
+ my($self, at p) = self_or_default(@_);
+ my($boundary, at other) = rearrange([BOUNDARY], at p);
+- $boundary = $boundary || '------- =_aaaaaaaaaa0';
++ if (!$boundary) {
++ $boundary = '------- =_';
++ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
++ for (1..17) {
++ $boundary .= $chrs[rand(scalar @chrs)];
++ }
++ }
++
+ $self->{'separator'} = "$CRLF--$boundary$CRLF";
+ $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
+ $type = SERVER_PUSH($boundary);
+@@ -1467,6 +1474,23 @@
+ 'EXPIRES','NPH','CHARSET',
+ 'ATTACHMENT','P3P'], at p);
+
++ # CR escaping for values, per RFC 822
++ for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
++ if (defined $header) {
++ # From RFC 822:
++ # Unfolding is accomplished by regarding CRLF immediately
++ # followed by a LWSP-char as equivalent to the LWSP-char.
++ $header =~ s/$CRLF(\s)/$1/g;
++
++ # All other uses of newlines are invalid input.
++ if ($header =~ m/$CRLF|\015|\012/) {
++ # shorten very long values in the diagnostic
++ $header = substr($header,0,72).'...' if (length $header > 72);
++ die "Invalid header value contains a newline not followed by whitespace: $header";
++ }
++ }
++ }
++
+ $nph ||= $NPH;
+
+ $type ||= 'text/html' unless defined($type);
+@@ -1482,7 +1506,7 @@
+ # need to fix it up a little.
+ foreach (@other) {
+ # Don't use \s because of perl bug 21951
+- next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
++ next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
+ ($_ = $header) =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
+ }
+
+@@ -5101,6 +5125,18 @@
+
+ P3P: policyref="/w3c/p3p.xml" cp="CAO DSP LAW CURa"
+
++Note that if a header value contains a carriage return, a leading space will be
++added to each new line that doesn't already have one as specified by RFC2616
++section 4.2. For example:
++
++ print header( -ingredients => "ham\neggs\nbacon" );
++
++will generate
++
++ Ingredients: ham
++ eggs
++ bacon
++
+ =head2 GENERATING A REDIRECTION HEADER
+
+ print redirect('http://somewhere.else/in/movie/land');
+--- /dev/null
++++ b/t/headers.t
+@@ -0,0 +1,47 @@
++
++# Test that header generation is spec compliant.
++# References:
++# http://www.w3.org/Protocols/rfc2616/rfc2616.html
++# http://www.w3.org/Protocols/rfc822/3_Lexical.html
++
++use strict;
++use warnings;
++
++use Test::More 'no_plan';
++
++use CGI;
++
++my $cgi = CGI->new;
++
++like $cgi->header( -type => "text/html" ),
++ qr#Type: text/html#, 'known header, basic case: type => "text/html"';
++
++eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'invalid header blows up');
++
++like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
++ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
++
++eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
++
++eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
++like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
++
++eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
++
++eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
++
++eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
++like($@,qr/contains a newline/,'redirect with leading newlines blows up');
++
++{
++ my $cgi = CGI->new('t=bogus%0A%0A<html>');
++ my $out;
++ eval { $out = $cgi->redirect( $cgi->param('t') ) };
++ like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
++}
++
++
+--- /dev/null
++++ b/t/multipart_init.t
+@@ -0,0 +1,20 @@
++use Test::More 'no_plan';
++
++use CGI;
++
++my $q = CGI->new;
++
++my $sv = $q->multipart_init;
++like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
++
++like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
++
++$sv = $q->multipart_init( 'this_is_the_boundary' );
++like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
++$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
++like($sv,
++ qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
++
++$sv = $q->multipart_init;
++my $sv2 = $q->multipart_init;
++isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
Modified: branches/lenny/libcgi-pm-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-pm-perl/debian/patches/series?rev=67372&op=diff
==============================================================================
--- branches/lenny/libcgi-pm-perl/debian/patches/series (original)
+++ branches/lenny/libcgi-pm-perl/debian/patches/series Thu Jan 13 21:49:14 2011
@@ -1,2 +1,3 @@
man-cgi-fast.patch
cgi-util-escape.patch
+CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
More information about the Pkg-perl-cvs-commits
mailing list