Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Niko Tyni ntyni at debian.org
Fri Jan 14 11:40:15 UTC 2011


On Thu, Jan 13, 2011 at 10:35:00PM +0000, Adam D. Barratt wrote:
> On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> > I've now uploaded
> > 
> > - 3.38-2lenny2
> 
> I've flagged the lenny package to be accepted at the next dinstall;

While preparing the perl lenny upload I had a look at this. I see Gregor
used my proposed patch from 27 Dec [1]; however I later noticed at least
the doc addition in CGI.pm is wrong [2].

Upstream is going to change the documentation back rather than change
the behaviour [3], so I don't think we should be including this change.

While at it, I'm pretty sure the //s change in the previous hunk is a
no-op (because the earlier change makes sure there are no newlines in
@other) and I'm not including it with the perl uploads. Eyeballs welcome
of course.

So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in
the attachments - the first one is the debdiff against 3.38-2lenny2 in
proposed-updates, the second one is against 3.38-2lenny1 in stable.

Gregor, I hope you're OK with this?

I'm sorry I failed to communicate this better; the bug log is getting
rather long and I can certainly see the potential for things to get lost.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#44
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#86
[3] http://rt.cpan.org/Public/Bug/Display.html?id=64554

Cheers,
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
diff -u libcgi-pm-perl-3.38/debian/changelog libcgi-pm-perl-3.38/debian/changelog
--- libcgi-pm-perl-3.38/debian/changelog
+++ libcgi-pm-perl-3.38/debian/changelog
@@ -1,3 +1,11 @@
+libcgi-pm-perl (3.38-2lenny3) stable; urgency=low
+
+  * Slightly amend the previous patch:
+    + drop an incorrect documentation change
+    + drop an unnecessary regexp modifier change
+
+ -- Niko Tyni <ntyni at debian.org>  Fri, 14 Jan 2011 13:27:36 +0200
+
 libcgi-pm-perl (3.38-2lenny2) stable; urgency=low
 
   * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
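Review bot: the lenny3 entry says what was dropped but gives no pointer to where that was established; "drop an incorrect documentation change" should reference the bug and the upstream ticket cited in the mail (#606370, rt.cpan.org #64554) the way the lenny2 entry closes #606370, so a reader of the stable changelog can trace why the documentation hunk went away. Suggested: `+    + drop an incorrect documentation change (see #606370, upstream RT#64554)`.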
diff -u libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
--- libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
+++ libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
@@ -46,34 +46,6 @@
      $nph     ||= $NPH;
  
      $type ||= 'text/html' unless defined($type);
-@@ -1482,7 +1506,7 @@
-     # need to fix it up a little.
-     foreach (@other) {
-         # Don't use \s because of perl bug 21951
--        next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
-+        next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
-         ($_ = $header) =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
-     }
- 
-@@ -5101,6 +5125,18 @@
- 
-   P3P: policyref="/w3c/p3p.xml" cp="CAO DSP LAW CURa"
- 
-+Note that if a header value contains a carriage return, a leading space will be
-+added to each new line that doesn't already have one as specified by RFC2616
-+section 4.2.  For example:
-+
-+    print header( -ingredients => "ham\neggs\nbacon" );
-+
-+will generate
-+
-+    Ingredients: ham
-+     eggs
-+     bacon
-+
- =head2 GENERATING A REDIRECTION HEADER
- 
-    print redirect('http://somewhere.else/in/movie/land');
 --- /dev/null
 +++ b/t/headers.t
 @@ -0,0 +1,47 @@
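Review bot: dropping the `//s` change is sound on the evidence in the hunk headers: the removed loop hunk sits at `-@@ -1482,7 +1506,7 @@`, after the CRLF check hunk at `+@@ -1467,6 +1474,23 @@`, so by the time `/([^ \r\n\t=]+)=\"?(.+?)\"?$/` runs on @other every value has either been unfolded or caused a die, and `.` already matches every remaining character. The removed documentation hunk was indeed wrong: the check deletes the CRLF in front of a whitespace character rather than adding a leading space to each line. With that hunk gone, however, nothing in the patch tells users that header() now dies on embedded newlines; consider a sentence in the patch Description or in debian/NEWS.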
-------------- next part --------------
diff -u libcgi-pm-perl-3.38/debian/changelog libcgi-pm-perl-3.38/debian/changelog
--- libcgi-pm-perl-3.38/debian/changelog
+++ libcgi-pm-perl-3.38/debian/changelog
@@ -1,3 +1,19 @@
+libcgi-pm-perl (3.38-2lenny3) stable; urgency=low
+
+  * Slightly amend the previous patch:
+    + drop an incorrect documentation change
+    + drop an unnecessary regexp modifier change
+
+ -- Niko Tyni <ntyni at debian.org>  Fri, 14 Jan 2011 13:27:36 +0200
+
+libcgi-pm-perl (3.38-2lenny2) stable; urgency=low
+
+  * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
+    CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the   
+    patch (closes: #606370).
+
+ -- gregor herrmann <gregoa at debian.org>  Thu, 13 Jan 2011 22:49:36 +0100
+
 libcgi-pm-perl (3.38-2lenny1) stable; urgency=low
 
   * Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape().
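Review bot: trailing whitespace on `+    CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the   ` in the lenny2 entry; lintian warns about trailing whitespace in debian/changelog, so trim it while touching the file.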
diff -u libcgi-pm-perl-3.38/debian/patches/series libcgi-pm-perl-3.38/debian/patches/series
--- libcgi-pm-perl-3.38/debian/patches/series
+++ libcgi-pm-perl-3.38/debian/patches/series
@@ -2,0 +3 @@
+CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
only in patch2:
unchanged:
--- libcgi-pm-perl-3.38.orig/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
+++ libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch
@@ -0,0 +1,121 @@
+Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 from 3.50 and 3.51
+Bug: http://bugs.debian.org/606370
+Author: Niko Tyni <ntyni at debian.org>
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2011-01-13
+
+--- a/CGI.pm
++++ b/CGI.pm
+@@ -1382,7 +1382,14 @@
+ sub multipart_init {
+     my($self, at p) = self_or_default(@_);
+     my($boundary, at other) = rearrange([BOUNDARY], at p);
+-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
++    if (!$boundary) {
++        $boundary = '------- =_';
++        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
++        for (1..17) {
++            $boundary .= $chrs[rand(scalar @chrs)];
++        }
++    }
++
+     $self->{'separator'} = "$CRLF--$boundary$CRLF";
+     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
+     $type = SERVER_PUSH($boundary);
+@@ -1467,6 +1474,23 @@
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'], at p);
+ 
++    # CR escaping for values, per RFC 822
++    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
++        if (defined $header) {
++            # From RFC 822:
++            # Unfolding  is  accomplished  by regarding   CRLF   immediately
++            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
++            $header =~ s/$CRLF(\s)/$1/g;
++
++            # All other uses of newlines are invalid input.
++            if ($header =~ m/$CRLF|\015|\012/) {
++                # shorten very long values in the diagnostic
++                $header = substr($header,0,72).'...' if (length $header > 72);
++                die "Invalid header value contains a newline not followed by whitespace: $header";
++            }
++        }
++   }
++
+     $nph     ||= $NPH;
+ 
+     $type ||= 'text/html' unless defined($type);
+--- /dev/null
++++ b/t/headers.t
+@@ -0,0 +1,47 @@
++
++# Test that header generation is spec compliant.
++# References:
++#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
++#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
++
++use strict;
++use warnings;
++
++use Test::More 'no_plan';
++
++use CGI;
++
++my $cgi = CGI->new;
++
++like $cgi->header( -type => "text/html" ),
++    qr#Type: text/html#, 'known header, basic case: type => "text/html"';
++
++eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'invalid header blows up');
++
++like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
++    qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
++
++eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
++
++eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
++like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
++
++eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
++
++eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
++like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
++
++eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
++like($@,qr/contains a newline/,'redirect with leading newlines blows up');
++
++{
++    my $cgi = CGI->new('t=bogus%0A%0A<html>');
++    my $out;
++    eval { $out = $cgi->redirect( $cgi->param('t') ) };
++    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
++}
++
++
+--- /dev/null
++++ b/t/multipart_init.t
+@@ -0,0 +1,20 @@
++use Test::More 'no_plan';
++
++use CGI;
++
++my $q = CGI->new;
++
++my $sv = $q->multipart_init;
++like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
++
++like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
++
++$sv = $q->multipart_init( 'this_is_the_boundary' );
++like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
++$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
++like($sv,
++     qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
++
++$sv = $q->multipart_init;
++my $sv2 = $q->multipart_init;
++isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
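Review bot: the diagnostic `die "Invalid header value contains a newline not followed by whitespace: $header";` interpolates a value that the immediately preceding `if ($header =~ m/$CRLF|\015|\012/)` has just shown to contain a raw CR or LF; that message normally lands in the web server's error log, where the embedded line break splits the entry and lets attacker-supplied text start a new log line. Render control characters before interpolating, e.g. `(my $shown = $header) =~ s/([\015\012])/sprintf('\\x%02X', ord $1)/ge;` and die with `$shown`. Smaller points: `Last-Update: 2011-01-13` should be bumped for the amended patch; the closing `+   }` of the `for my $header` loop is indented three spaces against the four used by the block; and the boundary in multipart_init() is built from `rand`, which is enough to replace the fixed string but is not a cryptographic source, so the test `isnt($sv,$sv2,...)` documents unpredictability only in the weak sense.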

