[SCM] Debian packaging of libcgi-pm-perl branch, master, updated. debian/3.61-1-2-g2a17950
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 24 07:04:41 UTC 2012
The following commit has been merged in the master branch:
commit a707e6ff01953484c08917749d796b6bc3568939
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Nov 24 07:35:57 2012 +0100
Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
[SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
escaping in Set-Cookie and P3P headers.
Thanks: Niko Tyni <ntyni at debian.org>
Closes: #693421
diff --git a/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch b/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
new file mode 100644
index 0000000..6d398ec
--- /dev/null
+++ b/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
@@ -0,0 +1,67 @@
+From d5f9eaeea977edd24b3e6fdec7871ab254733ba4 Mon Sep 17 00:00:00 2001
+From: Ryo Anazawa <anazawa at cpan.org>
+Date: Wed, 14 Nov 2012 09:47:32 +0900
+Subject: [PATCH] CR escaping for P3P and Set-Cookie headers
+
+---
+ lib/CGI.pm | 24 ++++++++++++------------
+ t/headers.t | 6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1501,8 +1501,17 @@
+ 'EXPIRES','NPH','CHARSET',
+ 'ATTACHMENT','P3P'], at p);
+
++ # Since $cookie and $p3p may be array references,
++ # we must stringify them before CR escaping is done.
++ my @cookie;
++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++ push(@cookie,$cs) if defined $cs and $cs ne '';
++ }
++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+ # CR escaping for values, per RFC 822
+- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
++ for my $header ($type,$status, at cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
+ if (defined $header) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+@@ -1546,18 +1555,9 @@
+
+ push(@header,"Status: $status") if $status;
+ push(@header,"Window-Target: $target") if $target;
+- if ($p3p) {
+- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+- }
++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+ # push all the cookies -- there may be several
+- if ($cookie) {
+- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+- for (@cookie) {
+- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+- push(@header,"Set-Cookie: $cs") if $cs ne '';
+- }
+- }
++ push(@header,map {"Set-Cookie: $_"} @cookie);
+ # if the user indicates an expiration time, then we need
+ # both an Expires and a Date header (so that the browser is
+ # uses OUR clock)
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
diff --git a/debian/patches/series b/debian/patches/series
index e27d884..8de85fc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
man-cgi-fast.patch
+0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
--
Debian packaging of libcgi-pm-perl
More information about the Pkg-perl-cvs-commits
mailing list