Your message dated Mon, 19 Dec 2011 20:04:31 +0000
with message-id <[email protected]>
and subject line Bug#629511: fixed in libdata-formvalidator-perl 4.66-1+squeeze1
has caused the Debian Bug report #629511,
regarding can report invalid data as valid in untaint mode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
629511: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libdata-formvalidator-perl
Version: 4.66-2
Severity: important
Tags: security squeeze sid wheezy upstream
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=61792
If there is a previous match in $&, the validation routine erroneously
returns success:
$ perl <<'EOF'
use Data::FormValidator;
"bug" =~ /b/;
my $result = Data::FormValidator->check(
    { a => 'b' },    # input data
    {                # validation profile
        untaint_all_constraints => 1,
        optional                => [ 'a' ],
        constraints             => {
            a => qr/a/,    # RE that must match
        },
    },
);
print $result->success, "\n";
EOF
1
$
The following patch fixes the bug by correcting the check for a
successful match.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--- a/lib/Data/FormValidator/Results.pm
+++ b/lib/Data/FormValidator/Results.pm
@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
# With methods, the value is the second argument
my $val = $force_method_p ? $_[1] : $_[0];
my ($match) = scalar ($val =~ $re);
- if ($untaint_this && defined $match) {
+ if ($untaint_this && $match) {
# pass the value through a RE that matches anything to untaint
it.
my ($untainted) = ($& =~ m/(.*)/s);
return $untainted;
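Review bot: the `defined $match` test on the removed line can never be false, because `scalar ($val =~ $re)` two lines above yields the empty string (which is defined) rather than undef when the match fails, so every value fell through to the `$&` branch and was "untainted" from whatever the program's last successful match happened to be; the truthiness test on the added line is the correct fix. Since the branch still reads `$&` rather than anything derived from `$val`, a short comment next to `my ($untainted) = ($& =~ m/(.*)/s);` saying that `$&` is only trustworthy here because `$match` is true would help the next reader not reintroduce the same mistake.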
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
I plan to push this via squeeze-updates, unless the security team
considers it suitable for a DSA.
Cheers!
-- System Information:
Debian Release: wheezy/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.utf8, LC_CTYPE=bg_BG.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libdata-formvalidator-perl depends on:
ii libemail-valid-perl 0.184-1 Perl module for checking the valid
ii libfile-mmagic-perl 1.27-1 Perl module to guess file type
ii libimage-size-perl 3.230-1 module for determining image sizes
ii libmime-types-perl 1.30-1 Perl extension for determining MIM
ii libperl6-junction-perl 1.40000-1 Perl6 style Junction operators in
ii libregexp-common-perl 2011041701-1 module with common regular express
ii perl 5.12.3-7 Larry Wall's Practical Extraction
Versions of packages libdata-formvalidator-perl recommends:
ii libdate-calc-perl 6.0-2+b1 Perl library for accessing dates
libdata-formvalidator-perl suggests no packages.
-- no debconf information
--- End Message ---
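A constructed Perl model of the regex-constraint closure in its buggy and fixed forms, added here to show why a stale `$&` leaks into the result; it is not code from the bug report or from Data::FormValidator, and the sub names are my own:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model (not Data::FormValidator's own code) of the closure it
# builds for a regex constraint in untaint mode.

# Buggy form: a scalar-context match returns "" (defined!) on failure, so
# 'defined $match' is always true and the closure falls through to $&,
# which still holds whatever the program's LAST successful match was.
sub make_checker_buggy {
    my ($re) = @_;
    return sub {
        my ($val) = @_;
        my ($match) = scalar($val =~ $re);
        if (defined $match) {
            my ($untainted) = ($& =~ m/(.*)/s);
            return $untainted;
        }
        return;
    };
}

# Fixed form (the shape of the Debian patch): test the match result for
# truth, so $& is only consulted after this constraint actually matched.
sub make_checker_fixed {
    my ($re) = @_;
    return sub {
        my ($val) = @_;
        my ($match) = scalar($val =~ $re);
        if ($match) {
            my ($untainted) = ($& =~ m/(.*)/s);
            return $untainted;
        }
        return;
    };
}

# Unrelated earlier code in the same process leaves a successful match
# behind in $&, exactly as the bug report's  "bug" =~ /b/  does.
"bug" =~ /b/;

my $buggy = make_checker_buggy(qr/a/);
my $fixed = make_checker_fixed(qr/a/);

# 'b' violates the constraint: the buggy checker still returns the stale
# "b" from $& (a true value, so validation "succeeds"); the fixed one
# returns undef. 'a' satisfies it and both return 'a'.
for my $val ('b', 'a') {
    my ($b, $f) = ($buggy->($val), $fixed->($val));
    printf "input '%s': buggy => %s, fixed => %s\n", $val,
        (defined $b ? "'$b'" : 'undef'), (defined $f ? "'$f'" : 'undef');
}
```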
--- Begin Message ---
Source: libdata-formvalidator-perl
Source-Version: 4.66-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
libdata-formvalidator-perl, which is due to be installed in the Debian FTP
archive:
libdata-formvalidator-perl_4.66-1+squeeze1.diff.gz
to
main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-1+squeeze1.diff.gz
libdata-formvalidator-perl_4.66-1+squeeze1.dsc
to
main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-1+squeeze1.dsc
libdata-formvalidator-perl_4.66-1+squeeze1_all.deb
to
main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-1+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated
libdata-formvalidator-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 18 Dec 2011 15:33:18 +0100
Source: libdata-formvalidator-perl
Binary: libdata-formvalidator-perl
Architecture: source all
Version: 4.66-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Description:
libdata-formvalidator-perl - module to validate user input, mainly for HTML forms
Closes: 629511
Changes:
libdata-formvalidator-perl (4.66-1+squeeze1) stable; urgency=low
.
[ Damyan Ivanov ]
* apply a patch fixing a possible passing of invalid data in untaint mode
Closes: #629511
This is CVE-2011-2201.
--- End Message ---