-=| gregor herrmann, Tue, Jan 04, 2011 at 07:45:56PM +0100 |=-
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
>
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
>
> 1.113 2010-12-27
>     - (thanks to Yamada Masahiro) randomise multipart boundary string
>       (security).
> ...
>     Security: Fix handling of embedded malicious newlines in header
>     values This is a direct port of the same security fix that
>
>     Security: use a random MIME boundary by default in
>     multipart_init(). This is a direct port of the same issue
>     which was addressed in CGI.pm, preventing some kinds of
>     potential header injection attacks.
>
>     Port from CGI.pm: Fix multi-line header parsing.
>     This fix is covered by the tests in t/header.t added in
>     the previous patch. If you run those tests without this
>     patch, you'll see how the headers would be malformed
>     without this fix.
>
>     Port CRLF injection prevention from CGI.pm
>
> I'm not sure what the best way to proceed is here; maybe Damyan has
> more ideas since he's already worked on that package?

The upstream fix mirrors the fixes to CGI.pm, almost completely. The
"newline in headers" check misses a later change in CGI.pm which still
has to be applied as a patch. (CGI::Simple is a classic example of why
code duplication is bad.)

Since the versions of libcgi-simple-perl in testing and unstable are
the same, I propose the following:

1. For getting fixes to squeeze:

   a. Branch from 1.111-1 (sid/squeeze), pick relevant changes from the
      new upstream release (plus the additional headers check) and
      upload 1.111-2 to unstable (high priority).

   b. Alternatively, it is easier for us to upload the new upstream
      release (plus the additional headers check patch), but that would
      contain irrelevant changes that I think won't be wanted at this
      release stage.

2. For stable:

   a. Pick the relevant patches for the lenny version and upload
      1.105-2 to stable-proposed-updates.

Unless advised otherwise, I'll proceed with 1.a. and 2.a.

Note that lately I am better at drawing plans than at implementing
them, so help is greatly appreciated.
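To make the two fixes discussed in the thread concrete, the following is an added illustration in Perl; it is not code from CGI::Simple or CGI.pm and does not reproduce either module's actual check. It puts a header-value check that only rejects a CRLF sequence beside a stricter one that rejects any CR or LF, drives both with a constructed Location value carrying a bare "\n" followed by an injected Set-Cookie line, and generates a random multipart boundary. The helper names, the sample value and the boundary format are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration (not CGI::Simple or CGI.pm code): a header-value
# check that only looks for "\r\n" still lets a bare "\n" start a new
# header line; rejecting any CR or LF closes that hole. Also shows a
# randomised multipart boundary instead of a fixed string.
use strict;
use warnings;
use Carp qw(croak);

# Hypothetical weaker check: rejects a CRLF that is not followed by
# whitespace (RFC 2616 header folding), but ignores a lone "\n" or "\r".
sub header_value_ok_crlf_only {
    my ($value) = @_;
    return $value !~ /\r\n(?!\s)/;
}

# Stricter check: any CR or LF in a header value is rejected outright,
# so neither "\r\n" nor a lone "\n" or "\r" can terminate the header.
sub header_value_ok_strict {
    my ($value) = @_;
    return $value !~ /[\r\n]/;
}

# Emit a header block after validating every value with the given checker.
sub build_headers {
    my ($checker, %h) = @_;
    my $out = '';
    for my $name (sort keys %h) {
        my $value = $h{$name};
        $checker->($value)
            or croak "Invalid header value contains a newline: $name";
        $out .= "$name: $value\r\n";
    }
    return $out . "\r\n";
}

# Random multipart boundary: a fixed prefix plus 32 random alphanumerics.
# Assumption: Perl's rand() is used here for brevity; a server should draw
# the bytes from a CSPRNG so the boundary is unpredictable to the client.
sub random_boundary {
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9');
    return '------------' . join '', map { $chars[rand @chars] } 1..32;
}

# Constructed attacker input: a redirect target with an embedded bare LF
# and a second, injected header line after it.
my $evil = "http://example.org/\nSet-Cookie: session=attacker";

print "crlf-only check accepts it: ",
      header_value_ok_crlf_only($evil) ? "yes (injection succeeds)" : "no", "\n";
print "strict check accepts it:    ",
      header_value_ok_strict($evil) ? "yes" : "no (rejected)", "\n";

# The weak check lets the injected Set-Cookie line through verbatim.
print build_headers(\&header_value_ok_crlf_only, Location => $evil);

# The strict check croaks instead of emitting a second header line.
eval { build_headers(\&header_value_ok_strict, Location => $evil) };
print "strict: $@" if $@;

print "boundary: ", random_boundary(), "\n";
```

Run it with `perl` and compare the two header blocks: the first one contains "Set-Cookie: session=attacker" on its own line, which is exactly what a client would honour as a real header, while the second aborts before any output is produced.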