On Thu, Jan 13, 2011 at 10:35:00PM +0000, Adam D. Barratt wrote:
> On Thu, 2011-01-13 at 22:55 +0100, gregor herrmann wrote:
> > I've now uploaded
> > - 3.38-2lenny2
> I've flagged the lenny package to be accepted at the next dinstall;

While preparing the perl lenny upload I had a look at this. I see Gregor used my proposed patch from 27 Dec [1]; however I later noticed at least the doc addition in CGI.pm is wrong [2]. Upstream is going to change the documentation back rather than change the behaviour [3], so I don't think we should be including this change.

While at it, I'm pretty sure the //s change in the previous hunk is a no-op (because the earlier change makes sure there are no newlines in @other) and I'm not including it with the perl uploads. Eyeballs welcome of course.

So I'd like permission to upload libcgi-pm-perl 3.38-2lenny3 as seen in the attachments - the first one is the debdiff against 3.38-2lenny2 in proposed-updates, the second one is against 3.38-2lenny1 in stable.

Gregor, I hope you're OK with this? I'm sorry I failed to communicate this better; the bug log is getting rather long and I can certainly see the potential for things to get lost.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#44
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370#86
[3] http://rt.cpan.org/Public/Bug/Display.html?id=64554

Cheers,
--
Niko Tyni
nt...@debian.org
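As an added illustration of the reasoning in the mail above (this is example code written for this page, not code from the mail, from CGI.pm or from the Debian patch), here is a Python port of the header-value check the patch adds and of the later `@other` parse, run over inputs constructed to mirror the cases in `t/headers.t`. It shows that every value surviving the unfold-then-reject step is newline-free, which is why adding `/s` (Python's `re.DOTALL`) to the parse regex changes nothing. The names `sanitize_header_value`, `rejects`, `parse_other`, `format_other`, `dotall_is_noop_after_sanitize` and `SAMPLES` are this example's own; `unescapeHTML` from the Perl code is left out.

```python
import re

CRLF = "\r\n"

# Ported from the CGI.pm loop in the patch: unfold CRLF followed by a
# whitespace character (the patch uses Perl's \s), then refuse any CR or LF
# that is still left.
_UNFOLD = re.compile(r"\r\n(\s)")
_ANY_NEWLINE = re.compile(r"\r\n|\r|\n")

# Ported from the later @other parsing line; Perl and Python agree that `$`
# also matches just before a trailing newline, so the port is faithful.
_OTHER_PATTERN = r'([^ \r\n\t=]+)="?(.+?)"?$'
_OTHER_PLAIN = re.compile(_OTHER_PATTERN)
_OTHER_DOTALL = re.compile(_OTHER_PATTERN, re.DOTALL)  # Perl's /s


class HeaderInjection(ValueError):
    """Raised where the Perl code would die()."""


def sanitize_header_value(value):
    """Unfold RFC 822 continuation lines and reject every other newline."""
    unfolded = _UNFOLD.sub(r"\1", value)
    if _ANY_NEWLINE.search(unfolded):
        # The patch shortens very long values in the diagnostic the same way.
        shown = unfolded[:72] + "..." if len(unfolded) > 72 else unfolded
        raise HeaderInjection(
            "Invalid header value contains a newline not followed by "
            "whitespace: " + shown)
    return unfolded


def rejects(value):
    """True when sanitize_header_value() refuses the value."""
    try:
        sanitize_header_value(value)
    except HeaderInjection:
        return True
    return False


def parse_other(item, dotall=False):
    """Split an @other entry such as 'ingredients=ham' into (name, value)."""
    regex = _OTHER_DOTALL if dotall else _OTHER_PLAIN
    m = regex.search(item)
    return (m.group(1), m.group(2)) if m else None


def format_other(item):
    """Full path for one @other entry: sanitize, parse, then 'Name: value'.

    Mirrors Perl's "\\u$1\\L$2" (capitalise first letter, lowercase the rest).
    """
    parsed = parse_other(sanitize_header_value(item))
    if parsed is None:
        return None
    name, value = parsed
    return name[0].upper() + name[1:].lower() + ": " + value


def dotall_is_noop_after_sanitize(items):
    """True when /s changes nothing for every item the sanitizer accepts."""
    for item in items:
        try:
            clean = sanitize_header_value(item)
        except HeaderInjection:
            continue  # rejected before the parse regex ever runs
        if parse_other(clean) != parse_other(clean, dotall=True):
            return False
    return True


# Constructed samples mirroring the cases in t/headers.t, plus an @other
# entry where /s would matter if the bare newline survived sanitization.
SAMPLES = [
    "text/html",
    "text/html" + CRLF + "evil: stuff",          # rejected
    "text/html" + CRLF + " evil: stuff ",        # unfolded, accepted
    CRLF + CRLF + "Content-Type: text/html",     # rejected
    "bogus\n\n<html>",                           # rejected (bare LF)
    "ingredients=ham\neggs",                     # rejected; /s would differ
    "ingredients=ham" + CRLF + "\teggs",         # unfolded, accepted
]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(repr(s), "->", repr(sanitize_header_value(s)))
        except HeaderInjection as e:
            print(repr(s), "-> rejected:", e)
    print("/s is a no-op on sanitized input:",
          dotall_is_noop_after_sanitize(SAMPLES))
```

Running the block prints each sample's fate. The interesting pair is the last two entries: with a bare `\n` the DOTALL and non-DOTALL parses disagree, but that value never reaches the parse because the sanitizer dies first; with a CRLF followed by a tab the fold is removed and both parses agree.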
diff -u libcgi-pm-perl-3.38/debian/changelog libcgi-pm-perl-3.38/debian/changelog --- libcgi-pm-perl-3.38/debian/changelog +++ libcgi-pm-perl-3.38/debian/changelog @@ -1,3 +1,11 @@ +libcgi-pm-perl (3.38-2lenny3) stable; urgency=low + + * Slightly amend the previous patch: + + drop an incorrect documentation change + + drop an unnecessary regexp modifier change + + -- Niko Tyni <nt...@debian.org> Fri, 14 Jan 2011 13:27:36 +0200 + libcgi-pm-perl (3.38-2lenny2) stable; urgency=low * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761, diff -u libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch --- libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch +++ libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch @@ -46,34 +46,6 @@ $nph ||= $NPH; $type ||= 'text/html' unless defined($type); -@@ -1482,7 +1506,7 @@ - # need to fix it up a little. - foreach (@other) { - # Don't use \s because of perl bug 21951 -- next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/; -+ next unless my($header,$value) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s; - ($_ = $header) =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e; - } - -@@ -5101,6 +5125,18 @@ - - P3P: policyref="/w3c/p3p.xml" cp="CAO DSP LAW CURa" - -+Note that if a header value contains a carriage return, a leading space will be -+added to each new line that doesn't already have one as specified by RFC2616 -+section 4.2. For example: -+ -+ print header( -ingredients => "ham\neggs\nbacon" ); -+ -+will generate -+ -+ Ingredients: ham -+ eggs -+ bacon -+ - =head2 GENERATING A REDIRECTION HEADER - - print redirect('http://somewhere.else/in/movie/land'); --- /dev/null +++ b/t/headers.t @@ -0,0 +1,47 @@
diff -u libcgi-pm-perl-3.38/debian/changelog libcgi-pm-perl-3.38/debian/changelog --- libcgi-pm-perl-3.38/debian/changelog +++ libcgi-pm-perl-3.38/debian/changelog @@ -1,3 +1,19 @@ +libcgi-pm-perl (3.38-2lenny3) stable; urgency=low + + * Slightly amend the previous patch: + + drop an incorrect documentation change + + drop an unnecessary regexp modifier change + + -- Niko Tyni <nt...@debian.org> Fri, 14 Jan 2011 13:27:36 +0200 + +libcgi-pm-perl (3.38-2lenny2) stable; urgency=low + + * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761, + CVE-2010-4410, and CVE-2010-4411; thanks to Niko Tyni for preparing the + patch (closes: #606370). + + -- gregor herrmann <gre...@debian.org> Thu, 13 Jan 2011 22:49:36 +0100 + libcgi-pm-perl (3.38-2lenny1) stable; urgency=low * Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape(). diff -u libcgi-pm-perl-3.38/debian/patches/series libcgi-pm-perl-3.38/debian/patches/series --- libcgi-pm-perl-3.38/debian/patches/series +++ libcgi-pm-perl-3.38/debian/patches/series @@ -2,0 +3 @@ +CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch only in patch2: unchanged: --- libcgi-pm-perl-3.38.orig/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch +++ libcgi-pm-perl-3.38/debian/patches/CVE-2010-2761_CVE-2010-4410_CVE-2010-4411.patch 
@@ -0,0 +1,121 @@ +Description: backport fixes for CVE-2010-2761, CVE-2010-4410, CVE-2010-4411 from 3.50 and 3.51 +Bug: http://bugs.debian.org/606370 +Author: Niko Tyni <nt...@debian.org> +Reviewed-by: gregor herrmann <gre...@debian.org> +Last-Update: 2011-01-13 + +--- a/CGI.pm ++++ b/CGI.pm +@@ -1382,7 +1382,14 @@ + sub multipart_init { + my($self,@p) = self_or_default(@_); + my($boundary,@other) = rearrange([BOUNDARY],@p); +- $boundary = $boundary || '------- =_aaaaaaaaaa0'; ++ if (!$boundary) { ++ $boundary = '------- =_'; ++ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z'); ++ for (1..17) { ++ $boundary .= $chrs[rand(scalar @chrs)]; ++ } ++ } ++ + $self->{'separator'} = "$CRLF--$boundary$CRLF"; + $self->{'final_separator'} = "$CRLF--$boundary--$CRLF"; + $type = SERVER_PUSH($boundary); +@@ -1467,6 +1474,23 @@ + 'EXPIRES','NPH','CHARSET', + 'ATTACHMENT','P3P'],@p); + ++ # CR escaping for values, per RFC 822 ++ for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { ++ if (defined $header) { ++ # From RFC 822: ++ # Unfolding is accomplished by regarding CRLF immediately ++ # followed by a LWSP-char as equivalent to the LWSP-char. ++ $header =~ s/$CRLF(\s)/$1/g; ++ ++ # All other uses of newlines are invalid input. ++ if ($header =~ m/$CRLF|\015|\012/) { ++ # shorten very long values in the diagnostic ++ $header = substr($header,0,72).'...' if (length $header > 72); ++ die "Invalid header value contains a newline not followed by whitespace: $header"; ++ } ++ } ++ } ++ + $nph ||= $NPH; + + $type ||= 'text/html' unless defined($type); +--- /dev/null ++++ b/t/headers.t +@@ -0,0 +1,47 @@ ++ ++# Test that header generation is spec compliant. 
++# References: ++# http://www.w3.org/Protocols/rfc2616/rfc2616.html ++# http://www.w3.org/Protocols/rfc822/3_Lexical.html ++ ++use strict; ++use warnings; ++ ++use Test::More 'no_plan'; ++ ++use CGI; ++ ++my $cgi = CGI->new; ++ ++like $cgi->header( -type => "text/html" ), ++ qr#Type: text/html#, 'known header, basic case: type => "text/html"'; ++ ++eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) }; ++like($@,qr/contains a newline/,'invalid header blows up'); ++ ++like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ), ++ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line'; ++ ++eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) }; ++like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up'); ++ ++eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) }; ++like($@,qr/contains a newline/, 'unknown header with leading newlines blows up'); ++ ++eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) }; ++like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up'); ++ ++eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) }; ++like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up'); ++ ++eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") }; ++like($@,qr/contains a newline/,'redirect with leading newlines blows up'); ++ ++{ ++ my $cgi = CGI->new('t=bogus%0A%0A<html>'); ++ my $out; ++ eval { $out = $cgi->redirect( $cgi->param('t') ) }; ++ like($@,qr/contains a newline/, "redirect does not allow double-newline injection"); ++} ++ ++ +--- /dev/null ++++ b/t/multipart_init.t +@@ -0,0 +1,20 @@ ++use Test::More 'no_plan'; ++ ++use CGI; ++ ++my $q = CGI->new; ++ ++my $sv = $q->multipart_init; ++like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic'); ++ 
++like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' ); ++ ++$sv = $q->multipart_init( 'this_is_the_boundary' ); ++like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' ); ++$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' ); ++like($sv, ++ qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')"); ++ ++$sv = $q->multipart_init; ++my $sv2 = $q->multipart_init; ++isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
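Review bot: dropping the `/s` modifier and the documentation paragraph in the `@@ -46,34 +46,6 @@` hunk of the first debdiff is consistent with the rest of the patch. The loop added at CGI.pm line 1474 rewrites `$header` in place through the foreach alias, so by the time the `foreach (@other)` parse at line 1506 runs every value has either been unfolded or has already caused a `die`, and `.` in `/([^ \r\n\t=]+)=\"?(.+?)\"?$/` never meets a newline. The removed documentation was wrong for the same reason: the code strips the CRLF in front of a continuation whitespace rather than adding a leading space to each new line, and a bare `\n` as in the `"ham\neggs\nbacon"` example is rejected outright. The changelog entry for 2lenny3 could cite the upstream ticket from the mail so the next person diffing 2lenny2 against 2lenny3 sees why the paragraph went away.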
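Review bot: the unfolding line `$header =~ s/$CRLF(\s)/$1/g;` is commented as the RFC 822 LWSP-char rule, but `\s` is wider than SPACE and HTAB: it also matches `\r`, `\n`, `\f` and `\v`. The `\r`/`\n` case is harmless because the following `m/$CRLF|\015|\012/` still sees the leftover newline and dies (that is what makes the `$CGI::CRLF.$CGI::CRLF` test pass), but a value such as `"x" . $CRLF . "\f"` is silently accepted with the CRLF removed. `s/$CRLF([ \t])/$1/g` would do what the comment says. Separately, the `die` message embeds up to 72 bytes of the rejected value; if an application's error handler returns `$@` to the client that is caller-supplied text reaching the response body, so logging the value and dying with a fixed message would be safer.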
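Review bot: in the `multipart_init` hunk the boundary is built from 17 characters chosen with Perl's `rand`, which is a general-purpose PRNG rather than a cryptographic source, and the accompanying `t/multipart_init.t` only checks that two consecutive calls differ. Since the Description line says this is a backport of the 3.50/3.51 fix, the choice is upstream's; a short remark in the patch header that the boundary is unguessable only to the extent `rand` is would stop a later reader taking the `isnt($sv,$sv2,...)` test as evidence of more than it checks.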
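Review bot: `t/headers.t` exercises `-type`, an unknown `-foobar` header and the redirect paths, but none of the other named parameters the new loop covers (`$status`, `$cookie`, `$target`, `$expires`, `$charset`, `$attachment`, `$p3p`); one `eval { $cgi->header( -status => "200 OK" . $CGI::CRLF . "evil: stuff" ) }` case with a `like($@, qr/contains a newline/, ...)` would show the loop reaches those variables too. Both new test files also use `Test::More 'no_plan'`; a fixed plan would catch a test script that exits early, and is preferable to `done_testing` here since the Test::More shipped with lenny's perl may predate it.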