r74336 - in /branches/squeeze/libmojolicious-perl/debian: changelog patches/fix-CVE-2010-4803.patch patches/series
carnil at users.alioth.debian.org
carnil at users.alioth.debian.org
Fri May 13 18:02:00 UTC 2011
Author: carnil
Date: Fri May 13 18:01:17 2011
New Revision: 74336
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74336
Log:
[SECURITY] Add fix-CVE-2010-4803.patch. Fix improperly implemented
HMAC-MD5 checksums. Fixes CVE-2010-4803.
Added:
branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch
Modified:
branches/squeeze/libmojolicious-perl/debian/changelog
branches/squeeze/libmojolicious-perl/debian/patches/series
Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=74336&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Fri May 13 18:01:17 2011
@@ -1,9 +1,11 @@
-libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=low
+libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=high
* [SECURITY] Fix XSS vulnerability in link_to helper. Fixes
CVE-2011-1841 (Closes: #626135).
+ * [SECURITY] Add fix-CVE-2010-4803.patch. Fix not properly implemented
+ HMAC-MD5 checksums. Fixes CVE-2010-4803.
- -- Salvatore Bonaccorso <carnil at debian.org> Mon, 09 May 2011 08:13:31 +0200
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 13 May 2011 19:50:52 +0200
libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
Added: branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch?rev=74336&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch Fri May 13 18:01:17 2011
@@ -1,0 +1,306 @@
+Description: Fix not properly implemented HMAC-MD5 checksums. CVE-2010-4803.
+Origin: https://admin.fedoraproject.org/updates/perl-Mojolicious-0.999925-4.fc13
+Bug-Debian: http://bugs.debian.org/622952
+Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=701713
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-05-13
+
+--- a/lib/Mojo/ByteStream.pm
++++ b/lib/Mojo/ByteStream.pm
+@@ -24,6 +24,9 @@
+ use constant PUNYCODE_INITIAL_BIAS => 72;
+ use constant PUNYCODE_INITIAL_N => 128;
+
++# Core module since Perl 5.9.3
++use constant SHA1 => eval 'use Digest::SHA (); 1';
++
+ __PACKAGE__->attr(raw_size => 0);
+
+ # Punycode delimiter
+@@ -467,21 +470,9 @@
+ return $line;
+ }
+
+-sub hmac_md5_sum {
+- my ($self, $secret) = @_;
++sub hmac_md5_sum { shift->_hmac(\&_md5, @_) }
+
+- #Secret
+- $secret ||= 'Very unsecure!';
+- $secret = _md5_sum($secret) if length $secret > 64;
+-
+- # HMAC
+- my $ipad = $secret ^ (chr(0x36) x 64);
+- my $opad = $secret ^ (chr(0x5c) x 64);
+- $self->{bytestream} =
+- _md5_sum($opad . _md5_sum($ipad . $self->{bytestream}));
+-
+- return $self;
+-}
++sub hmac_sha1_sum { shift->_hmac(\&_sha1, @_) }
+
+ sub html_escape {
+ my $self = shift;
+@@ -521,7 +512,7 @@
+ sub md5_bytes {
+ my $self = shift;
+ utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
+- $self->{bytestream} = Digest::MD5::md5($self->{bytestream});
++ $self->{bytestream} = _md5($self->{bytestream});
+ return $self;
+ }
+
+@@ -716,6 +707,24 @@
+ return substr $self->{bytestream}, 0, $length, $chunk;
+ }
+
++sub sha1_bytes {
++ my $self = shift;
++ utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
++ $self->{bytestream} = _sha1($self->{bytestream});
++ return $self;
++}
++
++sub sha1_sum {
++ my $self = shift;
++ die <<'EOF' unless SHA1;
++Module "Digest::SHA" not present in this version of Perl.
++Please install it manually or upgrade Perl to at least version 5.10.
++EOF
++ utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
++ $self->{bytestream} = Digest::SHA::sha1_hex($self->{bytestream});
++ return $self;
++}
++
+ sub size { length shift->{bytestream} }
+
+ sub to_string { shift->{bytestream} }
+@@ -800,8 +809,24 @@
+ / ($delta + PUNYCODE_SKEW));
+ }
+
+-# Helper for hmac_md5_sum
+-sub _md5_sum { Mojo::ByteStream->new(shift)->md5_sum->to_string }
++sub _hmac {
++ my ($self, $cb, $secret) = @_;
++
++ #Secret
++ $secret ||= 'Very unsecure!';
++ $secret = $cb->($secret) if length $secret > 64;
++
++ # HMAC
++ my $ipad = $secret ^ (chr(0x36) x 64);
++ my $opad = $secret ^ (chr(0x5c) x 64);
++ $self->{bytestream} = unpack 'H*',
++ $cb->($opad . $cb->($ipad . $self->{bytestream}));
++
++ return $self;
++}
++
++# Helper for md5_bytes
++sub _md5 { Digest::MD5::md5(shift) }
+
+ # Helper for url_sanitize
+ sub _sanitize {
+@@ -813,6 +838,15 @@
+ return '%' . uc $hex;
+ }
+
++# Helper for sha1_bytes
++sub _sha1 {
++ die <<'EOF' unless SHA1;
++Module "Digest::SHA" not present in this version of Perl.
++Please install it manually or upgrade Perl to at least version 5.10.
++EOF
++ Digest::SHA::sha1(shift);
++}
++
+ # Helper for html_unescape
+ sub _unescape {
+ my ($num, $entitie, $hex) = @_;
+@@ -850,6 +884,7 @@
+ $stream->encode('UTF-8');
+ $stream->decode('UTF-8');
+ $stream->hmac_md5_sum('secret');
++ $stream->hmac_sha1_sum('secret');
+ $stream->html_escape;
+ $stream->html_unescape;
+ $stream->md5_bytes;
+@@ -857,6 +892,8 @@
+ $stream->qp_encode;
+ $stream->qp_decode;
+ $stream->quote;
++ $stream->sha1_bytes;
++ $stream->sha1_sum;
+ $stream->unquote;
+ $stream->url_escape;
+ $stream->url_sanitize;
+@@ -994,6 +1031,13 @@
+
+ Turn bytestream into HMAC-MD5 checksum of old content.
+
++=head2 C<hmac_sha1_sum>
++
++ $stream = $stream->hmac_sha1_sum($secret);
++
++Turn bytestream into HMAC-SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
+ =head2 C<html_escape>
+
+ $stream = $stream->html_escape;
+@@ -1010,7 +1054,7 @@
+
+ $stream = $stream->md5_bytes;
+
+-Turn bytestream into 16 byte MD5 checksum of old content.
++Turn bytestream into binary MD5 checksum of old content.
+
+ =head2 C<md5_sum>
+
+@@ -1055,6 +1099,20 @@
+
+ Remove a specific number of bytes from bytestream.
+
++=head2 C<sha1_bytes>
++
++ $stream = $stream->sha1_bytes;
++
++Turn bytestream into binary SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
++=head2 C<sha1_sum>
++
++ $stream = $stream->sha1_sum;
++
++Turn bytestream into SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
+ =head2 C<size>
+
+ my $size = $stream->size;
+--- a/t/mojo/bytestream.t
++++ b/t/mojo/bytestream.t
+@@ -10,7 +10,7 @@
+ # Homer, we're going to ask you a few simple yes or no questions.
+ # Do you understand?
+ # Yes. *lie dectector blows up*
+-use Test::More tests => 59;
++use Test::More tests => 72;
+
+ use_ok('Mojo::ByteStream', 'b');
+
+@@ -130,7 +130,7 @@
+ $stream = b('foo bar baz');
+ is( unpack('H*', $stream->md5_bytes),
+ "ab07acbb1e496801937adfa772424bf7",
+- 'right 16 byte md5 checksum'
++ 'right binary md5 checksum'
+ );
+
+ # md5_sum
+@@ -138,6 +138,20 @@
+ is($stream->md5_sum, 'ab07acbb1e496801937adfa772424bf7',
+ 'right md5 checksum');
+
++# sha1_bytes
++$stream = b('foo bar baz');
++is( unpack('H*', $stream->sha1_bytes),
++ "c7567e8b39e2428e38bf9c9226ac68de4c67dc39",
++ 'right binary sha1 checksum'
++);
++
++# sha1_sum
++$stream = b('foo bar baz');
++is( $stream->sha1_sum,
++ 'c7567e8b39e2428e38bf9c9226ac68de4c67dc39',
++ 'right sha1 checksum'
++);
++
+ # length
+ $stream = b('foo bar baz');
+ is($stream->size, 11, 'size is 11');
+@@ -147,20 +161,74 @@
+ is($stream->size, 1, 'size is 1');
+ is($stream->to_string, '0', 'right buffer content');
+
+-# hmac_md5_sum
+-is( b('some secret message')->hmac_md5_sum('secret'),
+- '5a7dcc4c407032ad10758abdda017f7b',
++# hmac_md5_sum (RFC2202)
++is( b("Hi There")->hmac_md5_sum(chr(0x0b) x 16),
++ '9294727a3638bb1c13f48ef8158bfc9d',
++ 'right hmac md5 checksum'
++);
++is( b("what do ya want for nothing?")->hmac_md5_sum("Jefe"),
++ '750c783e6ab0b503eaa86e310a5db738',
++ 'right hmac md5 checksum'
++);
++is( b(chr(0xdd) x 50)->hmac_md5_sum(chr(0xaa) x 16),
++ '56be34521d144c88dbb8c733f0e8b3f6',
++ 'right hmac md5 checksum'
++);
++is( b(chr(0xcd) x 50)->hmac_md5_sum(
++ pack 'H*' => '0102030405060708090a0b0c0d0e0f10111213141516171819'
++ ),
++ '697eaf0aca3a3aea3a75164746ffaa79',
++ 'right hmac md5 checksum'
++);
++is( b("Test With Truncation")->hmac_md5_sum(chr(0x0c) x 16),
++ '56461ef2342edc00f9bab995690efd4c',
+ 'right hmac md5 checksum'
+ );
+-is( b('some other message')->hmac_md5_sum('secret'),
+- '9ab78f427440259a33abb088d4400526',
++is( b("Test Using Larger Than Block-Size Key - Hash Key First")
++ ->hmac_md5_sum(chr(0xaa) x 80),
++ '6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd',
+ 'right hmac md5 checksum'
+ );
+-is( b('some secret message')->hmac_md5_sum('secret'),
+- '5a7dcc4c407032ad10758abdda017f7b',
++is( b( "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
++ )->hmac_md5_sum(chr(0xaa) x 80),
++ '6f630fad67cda0ee1fb1f562db3aa53e',
+ 'right hmac md5 checksum'
+ );
+
++# hmac_sha1_sum (RFC2202)
++is( b("Hi There")->hmac_sha1_sum(chr(0x0b) x 20),
++ 'b617318655057264e28bc0b6fb378c8ef146be00',
++ 'right hmac sha1 checksum'
++);
++is( b("what do ya want for nothing?")->hmac_sha1_sum("Jefe"),
++ 'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79',
++ 'right hmac sha1 checksum'
++);
++is( b(chr(0xdd) x 50)->hmac_sha1_sum(chr(0xaa) x 20),
++ '125d7342b9ac11cd91a39af48aa17b4f63f175d3',
++ 'right hmac sha1 checksum'
++);
++is( b(chr(0xcd) x 50)->hmac_sha1_sum(
++ pack 'H*' => '0102030405060708090a0b0c0d0e0f10111213141516171819'
++ ),
++ '4c9007f4026250c6bc8414f9bf50c86c2d7235da',
++ 'right hmac sha1 checksum'
++);
++is( b("Test With Truncation")->hmac_sha1_sum(chr(0x0c) x 20),
++ '4c1a03424b55e07fe7f27be1d58bb9324a9a5a04',
++ 'right hmac sha1 checksum'
++);
++is( b("Test Using Larger Than Block-Size Key - Hash Key First")
++ ->hmac_sha1_sum(chr(0xaa) x 80),
++ 'aa4ae5e15272d00e95705637ce8a3b55ed402112',
++ 'right hmac sha1 checksum'
++);
++is( b( "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
++ )->hmac_sha1_sum(chr(0xaa) x 80),
++ 'e8e99d0f45237d786d6bbaa7965c7808bbff1a91',
++ 'right hmac sha1 checksum'
++);
++
+ # html_escape
+ $stream = b('foobar<baz>');
+ is($stream->html_escape, 'foobar<baz>', 'right html escaped result');
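Review bot: The new `_hmac` helper in the ByteStream.pm part of the patch feeds `$self->{bytestream}` and `$secret` straight into the digest callback without the `utf8::encode ... if utf8::is_utf8 ...` step that `md5_bytes`, `sha1_bytes` and `sha1_sum` perform in the same patch, so a bytestream or secret carrying the UTF-8 flag with characters above 0xFF reaches Digest::MD5/Digest::SHA as wide characters (which Digest::MD5 rejects with a "Wide character" error), and a flagged string may otherwise hash differently from its encoded bytes. Add `utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};` and `utf8::encode $secret if defined $secret && utf8::is_utf8 $secret;` before the `#Secret` block of `_hmac`. The carried-over `$secret ||= 'Very unsecure!';` line also silently replaces an empty or `'0'` secret with a fixed default that is visible in the source, so a misconfigured caller ends up with a MAC keyed on a published value; `//=` would at least stop discarding a legitimate `'0'`, and warning or dying on an undefined secret would surface the misconfiguration. The RFC 2202 vectors added to t/mojo/bytestream.t only exercise byte strings, so neither of these cases is covered by the new tests.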
Modified: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=74336&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (original)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Fri May 13 18:01:17 2011
@@ -1,3 +1,4 @@
622952-path-traversal-vulnerability.patch
improve-RFC3986-compliance-of-Mojo-Path.patch
626135-fix-xss-issue-in-link_to-helper.patch
+fix-CVE-2010-4803.patch