Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection

Salvatore Bonaccorso carnil at debian.org
Sat Nov 24 07:29:04 UTC 2012


Hi

A short addition to my previous mail, which I missed there: for a possible
t-p-u (testing-proposed-updates) upload I should choose version
3.59+dfsg-1+deb7u1. The corrected debdiff is attached.

Regards,
Salvatore
-------------- next part --------------
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/changelog libcgi-pm-perl-3.59+dfsg/debian/changelog
--- libcgi-pm-perl-3.59+dfsg/debian/changelog	2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/changelog	2012-11-24 08:27:32.000000000 +0100
@@ -1,3 +1,13 @@
+libcgi-pm-perl (3.59+dfsg-1+deb7u1) testing-proposed-updates; urgency=high
+
+  * Team upload.
+  * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
+    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
+    escaping in Set-Cookie and P3P headers.
+    Thanks to Niko Tyni <ntyni at debian.org> (Closes: #693421)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 24 Nov 2012 07:39:11 +0100
+
 libcgi-pm-perl (3.59+dfsg-1) unstable; urgency=low
 
   * New upstream release
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/gbp.conf libcgi-pm-perl-3.59+dfsg/debian/gbp.conf
--- libcgi-pm-perl-3.59+dfsg/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/gbp.conf	2012-11-24 08:27:32.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = wheezy
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
--- libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch	2012-11-24 08:27:32.000000000 +0100
@@ -0,0 +1,67 @@
+From d5f9eaeea977edd24b3e6fdec7871ab254733ba4 Mon Sep 17 00:00:00 2001
+From: Ryo Anazawa <anazawa at cpan.org>
+Date: Wed, 14 Nov 2012 09:47:32 +0900
+Subject: [PATCH] CR escaping for P3P and Set-Cookie headers
+
+---
+ lib/CGI.pm  |   24 ++++++++++++------------
+ t/headers.t |    6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1501,8 +1501,17 @@
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'], at p);
+ 
++    # Since $cookie and $p3p may be array references,
++    # we must stringify them before CR escaping is done.
++    my @cookie;
++    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++        push(@cookie,$cs) if defined $cs and $cs ne '';
++    }
++    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+     # CR escaping for values, per RFC 822
+-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
++    for my $header ($type,$status, at cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
+         if (defined $header) {
+             # From RFC 822:
+             # Unfolding  is  accomplished  by regarding   CRLF   immediately
+@@ -1546,18 +1555,9 @@
+ 
+     push(@header,"Status: $status") if $status;
+     push(@header,"Window-Target: $target") if $target;
+-    if ($p3p) {
+-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+-    }
++    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+     # push all the cookies -- there may be several
+-    if ($cookie) {
+-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+-	for (@cookie) {
+-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
+-	}
+-    }
++    push(@header,map {"Set-Cookie: $_"} @cookie);
+     # if the user indicates an expiration time, then we need
+     # both an Expires and a Date header (so that the browser is
+     # uses OUR clock)
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+ 
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+ 
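Review bot: The tests added to t/headers.t, as far as the visible lines show, exercise only the array-reference form with plain strings, so a scalar `-cookie`/`-p3p` value and a `CGI::Cookie` object stringified through `as_string` are not pinned by any test here. Adding `eval { $cgi->header( -cookie => "foo".$CGI::CRLF."bar" ) };` followed by `like($@,qr/contains a newline/,'scalar Set-Cookie value with CRLF embedded blows up');` would cover the scalar case. A similar case built from a `CGI::Cookie` object whose `as_string` output contains a CRLF would cover the reason stringification was moved ahead of the newline check. Separately, `CP=\"$p3p\"` still interpolates the value into a quoted string without handling an embedded `"`; the patch does not claim to address that, but it deserves a follow-up look. The enclosing header routine begins and ends outside the hunks shown, and the ` at p`, ` at cookie` and ` at other` tokens appear to be the list archive's rewriting of `@`, not part of the patch.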
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/series libcgi-pm-perl-3.59+dfsg/debian/patches/series
--- libcgi-pm-perl-3.59+dfsg/debian/patches/series	2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/series	2012-11-24 08:27:32.000000000 +0100
@@ -1 +1,2 @@
 man-cgi-fast.patch
+0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20121124/f5e41b8a/attachment.pgp>

