r74336 - in /branches/squeeze/libmojolicious-perl/debian: changelog patches/fix-CVE-2010-4803.patch patches/series

carnil at users.alioth.debian.org carnil at users.alioth.debian.org
Fri May 13 18:02:00 UTC 2011


Author: carnil
Date: Fri May 13 18:01:17 2011
New Revision: 74336

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74336
Log:
[SECURITY] Add fix-CVE-2010-4803.patch. Fix improperly implemented
HMAC-MD5 checksums. Fixes CVE-2010-4803.

Added:
    branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch
Modified:
    branches/squeeze/libmojolicious-perl/debian/changelog
    branches/squeeze/libmojolicious-perl/debian/patches/series

Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=74336&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Fri May 13 18:01:17 2011
@@ -1,9 +1,11 @@
-libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=low
+libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=high
 
   * [SECURITY] Fix XSS vulnerability in link_to helper. Fixes
     CVE-2011-1841 (Closes: #626135).
+  * [SECURITY] Add fix-CVE-2010-4803.patch. Fix not properly implemented
+    HMAC-MD5 checksums. Fixes CVE-2010-4803.
 
- -- Salvatore Bonaccorso <carnil at debian.org>  Mon, 09 May 2011 08:13:31 +0200
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 13 May 2011 19:50:52 +0200
 
 libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
 

Added: branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch?rev=74336&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/fix-CVE-2010-4803.patch Fri May 13 18:01:17 2011
@@ -1,0 +1,306 @@
+Description: Fix not properly implemented HMAC-MD5 checksums. CVE-2010-4803.
+Origin: https://admin.fedoraproject.org/updates/perl-Mojolicious-0.999925-4.fc13
+Bug-Debian: http://bugs.debian.org/622952
+Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=701713
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-05-13
+
+--- a/lib/Mojo/ByteStream.pm
++++ b/lib/Mojo/ByteStream.pm
+@@ -24,6 +24,9 @@
+ use constant PUNYCODE_INITIAL_BIAS => 72;
+ use constant PUNYCODE_INITIAL_N    => 128;
+ 
++# Core module since Perl 5.9.3
++use constant SHA1 => eval 'use Digest::SHA (); 1';
++
+ __PACKAGE__->attr(raw_size => 0);
+ 
+ # Punycode delimiter
+@@ -467,21 +470,9 @@
+     return $line;
+ }
+ 
+-sub hmac_md5_sum {
+-    my ($self, $secret) = @_;
++sub hmac_md5_sum { shift->_hmac(\&_md5, @_) }
+ 
+-    #Secret
+-    $secret ||= 'Very unsecure!';
+-    $secret = _md5_sum($secret) if length $secret > 64;
+-
+-    # HMAC
+-    my $ipad = $secret ^ (chr(0x36) x 64);
+-    my $opad = $secret ^ (chr(0x5c) x 64);
+-    $self->{bytestream} =
+-      _md5_sum($opad . _md5_sum($ipad . $self->{bytestream}));
+-
+-    return $self;
+-}
++sub hmac_sha1_sum { shift->_hmac(\&_sha1, @_) }
+ 
+ sub html_escape {
+     my $self = shift;
+@@ -521,7 +512,7 @@
+ sub md5_bytes {
+     my $self = shift;
+     utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
+-    $self->{bytestream} = Digest::MD5::md5($self->{bytestream});
++    $self->{bytestream} = _md5($self->{bytestream});
+     return $self;
+ }
+ 
+@@ -716,6 +707,24 @@
+     return substr $self->{bytestream}, 0, $length, $chunk;
+ }
+ 
++sub sha1_bytes {
++    my $self = shift;
++    utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
++    $self->{bytestream} = _sha1($self->{bytestream});
++    return $self;
++}
++
++sub sha1_sum {
++    my $self = shift;
++    die <<'EOF' unless SHA1;
++Module "Digest::SHA" not present in this version of Perl.
++Please install it manually or upgrade Perl to at least version 5.10.
++EOF
++    utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};
++    $self->{bytestream} = Digest::SHA::sha1_hex($self->{bytestream});
++    return $self;
++}
++
+ sub size { length shift->{bytestream} }
+ 
+ sub to_string { shift->{bytestream} }
+@@ -800,8 +809,24 @@
+         / ($delta + PUNYCODE_SKEW));
+ }
+ 
+-# Helper for hmac_md5_sum
+-sub _md5_sum { Mojo::ByteStream->new(shift)->md5_sum->to_string }
++sub _hmac {
++    my ($self, $cb, $secret) = @_;
++
++    #Secret
++    $secret ||= 'Very unsecure!';
++    $secret = $cb->($secret) if length $secret > 64;
++
++    # HMAC
++    my $ipad = $secret ^ (chr(0x36) x 64);
++    my $opad = $secret ^ (chr(0x5c) x 64);
++    $self->{bytestream} = unpack 'H*',
++      $cb->($opad . $cb->($ipad . $self->{bytestream}));
++
++    return $self;
++}
++
++# Helper for md5_bytes
++sub _md5 { Digest::MD5::md5(shift) }
+ 
+ # Helper for url_sanitize
+ sub _sanitize {
+@@ -813,6 +838,15 @@
+     return '%' . uc $hex;
+ }
+ 
++# Helper for sha1_bytes
++sub _sha1 {
++    die <<'EOF' unless SHA1;
++Module "Digest::SHA" not present in this version of Perl.
++Please install it manually or upgrade Perl to at least version 5.10.
++EOF
++    Digest::SHA::sha1(shift);
++}
++
+ # Helper for html_unescape
+ sub _unescape {
+     my ($num, $entitie, $hex) = @_;
+@@ -850,6 +884,7 @@
+     $stream->encode('UTF-8');
+     $stream->decode('UTF-8');
+     $stream->hmac_md5_sum('secret');
++    $stream->hmac_sha1_sum('secret');
+     $stream->html_escape;
+     $stream->html_unescape;
+     $stream->md5_bytes;
+@@ -857,6 +892,8 @@
+     $stream->qp_encode;
+     $stream->qp_decode;
+     $stream->quote;
++    $stream->sha1_bytes;
++    $stream->sha1_sum;
+     $stream->unquote;
+     $stream->url_escape;
+     $stream->url_sanitize;
+@@ -994,6 +1031,13 @@
+ 
+ Turn bytestream into HMAC-MD5 checksum of old content.
+ 
++=head2 C<hmac_sha1_sum>
++
++    $stream = $stream->hmac_sha1_sum($secret);
++
++Turn bytestream into HMAC-SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
+ =head2 C<html_escape>
+ 
+     $stream = $stream->html_escape;
+@@ -1010,7 +1054,7 @@
+ 
+     $stream = $stream->md5_bytes;
+ 
+-Turn bytestream into 16 byte MD5 checksum of old content.
++Turn bytestream into binary MD5 checksum of old content.
+ 
+ =head2 C<md5_sum>
+ 
+@@ -1055,6 +1099,20 @@
+ 
+ Remove a specific number of bytes from bytestream.
+ 
++=head2 C<sha1_bytes>
++
++    $stream = $stream->sha1_bytes;
++
++Turn bytestream into binary SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
++=head2 C<sha1_sum>
++
++    $stream = $stream->sha1_sum;
++
++Turn bytestream into SHA1 checksum of old content.
++Note that Perl 5.10 or L<Digest::SHA> are required for C<SHA1> support.
++
+ =head2 C<size>
+ 
+     my $size = $stream->size;
+--- a/t/mojo/bytestream.t
++++ b/t/mojo/bytestream.t
+@@ -10,7 +10,7 @@
+ # Homer, we're going to ask you a few simple yes or no questions.
+ # Do you understand?
+ # Yes. *lie dectector blows up*
+-use Test::More tests => 59;
++use Test::More tests => 72;
+ 
+ use_ok('Mojo::ByteStream', 'b');
+ 
+@@ -130,7 +130,7 @@
+ $stream = b('foo bar baz');
+ is( unpack('H*', $stream->md5_bytes),
+     "ab07acbb1e496801937adfa772424bf7",
+-    'right 16 byte md5 checksum'
++    'right binary md5 checksum'
+ );
+ 
+ # md5_sum
+@@ -138,6 +138,20 @@
+ is($stream->md5_sum, 'ab07acbb1e496801937adfa772424bf7',
+     'right md5 checksum');
+ 
++# sha1_bytes
++$stream = b('foo bar baz');
++is( unpack('H*', $stream->sha1_bytes),
++    "c7567e8b39e2428e38bf9c9226ac68de4c67dc39",
++    'right binary sha1 checksum'
++);
++
++# sha1_sum
++$stream = b('foo bar baz');
++is( $stream->sha1_sum,
++    'c7567e8b39e2428e38bf9c9226ac68de4c67dc39',
++    'right sha1 checksum'
++);
++
+ # length
+ $stream = b('foo bar baz');
+ is($stream->size, 11, 'size is 11');
+@@ -147,20 +161,74 @@
+ is($stream->size,      1,   'size is 1');
+ is($stream->to_string, '0', 'right buffer content');
+ 
+-# hmac_md5_sum
+-is( b('some secret message')->hmac_md5_sum('secret'),
+-    '5a7dcc4c407032ad10758abdda017f7b',
++# hmac_md5_sum (RFC2202)
++is( b("Hi There")->hmac_md5_sum(chr(0x0b) x 16),
++    '9294727a3638bb1c13f48ef8158bfc9d',
++    'right hmac md5 checksum'
++);
++is( b("what do ya want for nothing?")->hmac_md5_sum("Jefe"),
++    '750c783e6ab0b503eaa86e310a5db738',
++    'right hmac md5 checksum'
++);
++is( b(chr(0xdd) x 50)->hmac_md5_sum(chr(0xaa) x 16),
++    '56be34521d144c88dbb8c733f0e8b3f6',
++    'right hmac md5 checksum'
++);
++is( b(chr(0xcd) x 50)->hmac_md5_sum(
++        pack 'H*' => '0102030405060708090a0b0c0d0e0f10111213141516171819'
++    ),
++    '697eaf0aca3a3aea3a75164746ffaa79',
++    'right hmac md5 checksum'
++);
++is( b("Test With Truncation")->hmac_md5_sum(chr(0x0c) x 16),
++    '56461ef2342edc00f9bab995690efd4c',
+     'right hmac md5 checksum'
+ );
+-is( b('some other message')->hmac_md5_sum('secret'),
+-    '9ab78f427440259a33abb088d4400526',
++is( b("Test Using Larger Than Block-Size Key - Hash Key First")
++      ->hmac_md5_sum(chr(0xaa) x 80),
++    '6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd',
+     'right hmac md5 checksum'
+ );
+-is( b('some secret message')->hmac_md5_sum('secret'),
+-    '5a7dcc4c407032ad10758abdda017f7b',
++is( b(  "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
++      )->hmac_md5_sum(chr(0xaa) x 80),
++    '6f630fad67cda0ee1fb1f562db3aa53e',
+     'right hmac md5 checksum'
+ );
+ 
++# hmac_sha1_sum (RFC2202)
++is( b("Hi There")->hmac_sha1_sum(chr(0x0b) x 20),
++    'b617318655057264e28bc0b6fb378c8ef146be00',
++    'right hmac sha1 checksum'
++);
++is( b("what do ya want for nothing?")->hmac_sha1_sum("Jefe"),
++    'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79',
++    'right hmac sha1 checksum'
++);
++is( b(chr(0xdd) x 50)->hmac_sha1_sum(chr(0xaa) x 20),
++    '125d7342b9ac11cd91a39af48aa17b4f63f175d3',
++    'right hmac sha1 checksum'
++);
++is( b(chr(0xcd) x 50)->hmac_sha1_sum(
++        pack 'H*' => '0102030405060708090a0b0c0d0e0f10111213141516171819'
++    ),
++    '4c9007f4026250c6bc8414f9bf50c86c2d7235da',
++    'right hmac sha1 checksum'
++);
++is( b("Test With Truncation")->hmac_sha1_sum(chr(0x0c) x 20),
++    '4c1a03424b55e07fe7f27be1d58bb9324a9a5a04',
++    'right hmac sha1 checksum'
++);
++is( b("Test Using Larger Than Block-Size Key - Hash Key First")
++      ->hmac_sha1_sum(chr(0xaa) x 80),
++    'aa4ae5e15272d00e95705637ce8a3b55ed402112',
++    'right hmac sha1 checksum'
++);
++is( b(  "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
++      )->hmac_sha1_sum(chr(0xaa) x 80),
++    'e8e99d0f45237d786d6bbaa7965c7808bbff1a91',
++    'right hmac sha1 checksum'
++);
++
+ # html_escape
+ $stream = b('foobar<baz>');
+ is($stream->html_escape, 'foobar&lt;baz&gt;', 'right html escaped result');
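Review bot: `_hmac` hashes `$self->{bytestream}` and `$secret` without the `utf8::encode ... if utf8::is_utf8 ...` step that `md5_bytes`, `sha1_bytes` and `sha1_sum` in the same patch perform, so a bytestream or secret carrying wide characters reaches `Digest::MD5::md5`/`Digest::SHA::sha1` (and the string XOR against the 64-byte pads) as a character string rather than as bytes. Adding `utf8::encode $self->{bytestream} if utf8::is_utf8 $self->{bytestream};` and `utf8::encode $secret if utf8::is_utf8 $secret;` ahead of the key-length check would keep the HMAC helper consistent with the digest methods. Note also that `$secret ||= 'Very unsecure!'` treats an empty or `'0'` secret as absent and silently signs with a fixed, publicly known key; that fallback is carried over unchanged from the old `hmac_md5_sum`, so whether it should survive is a question for the maintainers rather than a regression of this patch. The RFC 2202 vectors added to bytestream.t exercise byte-string inputs only, so neither point is covered by the new tests.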

Modified: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=74336&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (original)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Fri May 13 18:01:17 2011
@@ -1,3 +1,4 @@
 622952-path-traversal-vulnerability.patch
 improve-RFC3986-compliance-of-Mojo-Path.patch
 626135-fix-xss-issue-in-link_to-helper.patch
+fix-CVE-2010-4803.patch



