Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
intrigeri
intrigeri at debian.org
Sat Nov 24 16:46:02 UTC 2012
Hi,
Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> short addition to the mail before which I missed: For a possible t-p-u
> upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.
TL;DR --> I recommend to accept this unblock request for t-p-u.
I have verified that I could reproduce the security issue on current
Wheezy, that I could not reproduce it after applying this patch, and
that the code still behaves well in the "good" situation (that is when
$CRLF is followed by space) after applying this patch.
The patch looks sane, and I trust Salvatore has correctly
cherry-picked it from upstream.
(BTW, in case someone wants to reproduce these results, one has to
insert a "\r" in the example test case found on the initial report [1]
for this security issue, else one cannot possibly check that the
patched code still behaves well in the "good" situation; resulting
testing code is:
$ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ], -p3p => [ "foo\r\nbar\r\nbaz", ],);'
and:
$ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ], -p3p => [ "foo\r\n bar\r\n baz", ],);'
)
[1] https://github.com/markstos/CGI.pm/pull/23
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
More information about the pkg-perl-maintainers
mailing list