OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 02-Oct-2003 15:24:59
Branch: HEAD Handle: 2003100214245602
Modified files:
openpkg-src/perl56 perl56.patch perl56.spec
openpkg-web news.txt
Log:
SA-2003.039-perl; CAN-2003-0615 (porting from perl-5.8.0)
Summary:
Revision Changes Path
1.3 +30 -0 openpkg-src/perl56/perl56.patch
1.8 +1 -1 openpkg-src/perl56/perl56.spec
1.6817 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/perl56/perl56.patch
============================================================================
$ cvs diff -u -r1.2 -r1.3 perl56.patch
--- openpkg-src/perl56/perl56.patch 3 Sep 2003 12:48:22 -0000 1.2
+++ openpkg-src/perl56/perl56.patch 2 Oct 2003 13:24:58 -0000 1.3
@@ -167,3 +167,33 @@
if (chdir "lib") {
$do_installarchlib = ! samepath($installarchlib, '.');
+
+http://stein.cshl.org/WWW/software/CGI/
+ under "Revision History" find "Fixed cross-site scripting bug
+ reported by obscure" note attached to Version 2.94. A quick fix was
+ introduced in 2.94. It was replaced by a more careful patch in 2.99.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
+ Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
+ allows remote attackers to insert web script via a URL that is fed
+ into the form's action parameter
+
+This is a backport of the 2.99 patch for 2.752 which is the version
+embedded with perl 5.6.1
+
+--- lib/CGI.pm.orig 2001-03-03 20:53:20.000000000 +0100
++++ lib/CGI.pm 2003-10-02 15:18:00.000000000 +0200
+@@ -1498,8 +1498,11 @@
+ $enctype = $enctype || &URL_ENCODED;
+ unless (defined $action) {
+ $action = $self->url(-absolute=>1,-path=>1);
+- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
++ if (length($ENV{QUERY_STRING})>0) {
++ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
++ }
+ }
++ $action = escape($action);
+ $action = qq(action="$action");
+ my($other) = @other ? " @other" : '';
+ $self->{'.parametersToAdd'}={};
+
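Review bot: The added `$action = escape($action);` line in the inner CGI.pm hunk percent-encodes the whole attribute value, including the path returned by `$self->url(...)` and any caller-supplied `-action`; if `escape` is CGI.pm's URL-encoding helper it rewrites every character outside `[A-Za-z0-9_.-]`, so `/`, `?`, `=` and `&` become `%2F`, `%3F`, `%3D`, `%26`, the form no longer submits to the intended script, and the query string that was already HTML-escaped one line earlier is encoded a second time. The value lands inside an HTML attribute, so HTML escaping is the right treatment there: `$action = $self->escapeHTML($action);` keeps the URL usable while still neutralising `"` and `<` coming from the attacker-controlled QUERY_STRING or from a caller's action string. This reading of `escape` is inferred from the rest of CGI.pm rather than from the hunk, so confirm it against the upstream 2.99 change this backports before relying on it. The new `length($ENV{QUERY_STRING})>0` test also emits an uninitialized-value warning when the variable is unset, which the replaced `if $ENV{QUERY_STRING}` did not; `defined $ENV{QUERY_STRING} && length($ENV{QUERY_STRING}) > 0` keeps the stricter check without the noise. The enclosing start_form subroutine begins and ends outside the hunk.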
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/perl56/perl56.spec
============================================================================
$ cvs diff -u -r1.7 -r1.8 perl56.spec
--- openpkg-src/perl56/perl56.spec 3 Sep 2003 12:48:22 -0000 1.7
+++ openpkg-src/perl56/perl56.spec 2 Oct 2003 13:24:58 -0000 1.8
@@ -33,7 +33,7 @@
Group: Language
License: GPL/Artistic
Version: 5.6.1
-Release: 20030903
+Release: 20031002
# list of sources
Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.6816 -r1.6817 news.txt
--- openpkg-web/news.txt 2 Oct 2003 12:21:12 -0000 1.6816
+++ openpkg-web/news.txt 2 Oct 2003 13:24:56 -0000 1.6817
@@ -1,3 +1,4 @@
+02-Oct-2003: Upgraded package: P<perl56-5.6.1-20031002>
02-Oct-2003: Upgraded package: P<qpopper-4.0.5-1.3.1>
02-Oct-2003: Upgraded package: P<netpbm-10.11.14-20031002>
02-Oct-2003: Upgraded package: P<uvscan-4.24+4296-20031002>
@@ .