Date: Tuesday, December 11, 2012 @ 17:04:41 Author: bluewind Revision: 173161
upgpkg: perl 5.16.2-2 fix CVE-2012-5526 Added: perl/trunk/cgi-cr-escaping.diff Modified: perl/trunk/PKGBUILD ----------------------+ PKGBUILD | 12 +++++-- cgi-cr-escaping.diff | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 4 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2012-12-11 22:02:57 UTC (rev 173160) +++ PKGBUILD 2012-12-11 22:04:41 UTC (rev 173161) @@ -6,20 +6,22 @@ # Contributor: francois <francois.archlinux.org> pkgname=perl pkgver=5.16.2 -pkgrel=1 +pkgrel=2 pkgdesc="A highly capable, feature-rich programming language" arch=(i686 x86_64) license=('GPL' 'PerlArtistic') url="http://www.perl.org" groups=('base') depends=('gdbm' 'db' 'coreutils' 'glibc' 'sh') -source=(http://www.cpan.org/src/5.0/perl-${pkgver}.tar.bz2 +source=(http://www.cpan.org/src/5.0/perl-${pkgver}.tar.bz2 +cgi-cr-escaping.diff perlbin.sh perlbin.csh provides.pl) install=perl.install options=('makeflags' '!purge') md5sums=('2818ab01672f005a4e552a713aa27b08' + '0486659c9eefe682364a3e364d814296' '5ed2542fdb9a60682f215bd33701e61a' '1f0cbbee783e8a6d32f01be5118e0d5e' '999c3eea6464860704abbb055a0f0896') @@ -32,10 +34,12 @@ build() { cd ${srcdir}/${pkgname}-${pkgver} + patch -i "$srcdir/cgi-cr-escaping.diff" -p1 + if [ "${CARCH}" = "x86_64" ]; then # for x86_64 arch_opts="-Dcccdlflags='-fPIC'" - else + else # for i686 arch_opts="" fi @@ -94,7 +98,7 @@ # Profile script to set paths to perl scripts. install -D -m755 ${srcdir}/perlbin.sh \ ${pkgdir}/etc/profile.d/perlbin.sh - # Profile script to set paths to perl scripts on csh. (FS#22441) + # Profile script to set paths to perl scripts on csh. (FS#22441) install -D -m755 ${srcdir}/perlbin.csh \ ${pkgdir}/etc/profile.d/perlbin.csh Added: cgi-cr-escaping.diff =================================================================== --- cgi-cr-escaping.diff (rev 0) +++ cgi-cr-escaping.diff 2012-12-11 22:04:41 UTC (rev 173161) @@ -0,0 +1,75 @@ +From 18b607e4544c0cffc85207a8f9901ba37ac917d9 Mon Sep 17 00:00:00 2001 +From: Ryo Anazawa <anaz...@cpan.org> +Date: Wed, 14 Nov 2012 09:47:32 +0900 +Subject: CR escaping for P3P and Set-Cookie headers + +Bug: https://github.com/markstos/CGI.pm/pull/23 +Bug-Debian: http://bugs.debian.org/693420 +Origin: https://github.com/markstos/CGI.pm/commit/cb39938b45206093a363e36fd104e4a0f26deecb +Patch-Name: fixes/cgi-cr-escaping.diff +--- + cpan/CGI/lib/CGI.pm | 24 ++++++++++++------------ + cpan/CGI/t/headers.t | 6 ++++++ + 2 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm +index 1a52c70..c70e9c1 100644 +--- a/cpan/CGI/lib/CGI.pm ++++ b/cpan/CGI/lib/CGI.pm +@@ -1550,8 +1550,17 @@ sub header { + 'EXPIRES','NPH','CHARSET', + 'ATTACHMENT','P3P'],@p); + ++ # Since $cookie and $p3p may be array references, ++ # we must stringify them before CR escaping is done. ++ my @cookie; ++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) { ++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; ++ push(@cookie,$cs) if defined $cs and $cs ne ''; ++ } ++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; ++ + # CR escaping for values, per RFC 822 +- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { ++ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { + if (defined $header) { + # From RFC 822: + # Unfolding is accomplished by regarding CRLF immediately +@@ -1595,18 +1604,9 @@ sub header { + + push(@header,"Status: $status") if $status; + push(@header,"Window-Target: $target") if $target; +- if ($p3p) { +- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; +- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p")); +- } ++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p; + # push all the cookies -- there may be several +- if ($cookie) { +- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie; +- for (@cookie) { +- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; +- push(@header,"Set-Cookie: $cs") if $cs ne ''; +- } +- } ++ push(@header,map {"Set-Cookie: $_"} @cookie); + # if the user indicates an expiration time, then we need + # both an Expires and a Date header (so that the browser is + # uses OUR clock) +diff --git a/cpan/CGI/t/headers.t b/cpan/CGI/t/headers.t +index 661b74b..4b4922c 100644 +--- a/cpan/CGI/t/headers.t ++++ b/cpan/CGI/t/headers.t +@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up'); + like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ), + qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line'; + ++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) }; ++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up'); ++ ++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) }; ++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up'); ++ + eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) }; + like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up'); +