[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> 
> > Assuming this is the case, I'm attaching preliminary patches for
> > 
> > 3.29 (perl-modules   / lenny)
> > 3.38 (libcgi-pm-perl / lenny)
> > 3.43 (perl-modules   / squeeze + sid)
> > 3.49 (libcgi-pm-perl / squeeze)
> > 3.50 (libcgi-pm-perl / sid)

> All this means I need another test session when I'm feeling less tired,
> so no perl upload tonight.

Done, just uploaded perl/5.10.1-17 with the attached patch.

Changes: 
 perl (5.10.1-17) unstable; urgency=medium
 .
   * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
     fix CGI.pm MIME boundary and multiline header vulnerabilities.
     (Closes: #606995)

Release team: please consider

 unblock perl/5.10.1-17

The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
s/rearrange_header/rearrange/.

Moritz: shall I upload a fixed lenny package to stable-security?
FWIW, I'd prefer to wait the five days for squeeze migration before a
DSA in case we get any regression reports.
-- 
Niko Tyni   ntyni@debian.org

From: Niko Tyni <ntyni@debian.org>
Subject: [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
Origin: upstream
Bug-Debian: http://bugs.debian.org/606995

CVE-2010-2761 hardcoded MIME boundary, fixed in CGI.pm-3.50
CVE-2010-4410 CRLF injection vulnerability, fixed in CGI.pm-3.50
CVE-2010-4411 double CR/LF injection vulnerability, fixed in CGI.pm-3.51


---
 MANIFEST                   |    2 +
 lib/CGI.pm                 |   26 +++++++++++++++++++++++-
 lib/CGI/t/headers.t        |   47 ++++++++++++++++++++++++++++++++++++++++++++
 lib/CGI/t/multipart_init.t |   20 ++++++++++++++++++
 4 files changed, 94 insertions(+), 1 deletions(-)

diff --git a/MANIFEST b/MANIFEST
index 2b5a968..e0e950f 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1935,7 +1935,9 @@ lib/CGI/t/cookie.t		See if CGI::Cookie works
 lib/CGI/t/fast.t		See if CGI::Fast works (if FCGI is installed)
 lib/CGI/t/form.t		See if CGI.pm works
 lib/CGI/t/function.t		See if CGI.pm works
+lib/CGI/t/headers.t		See if CGI.pm works
 lib/CGI/t/html.t		See if CGI.pm works
+lib/CGI/t/multipart_init.t	See if CGI.pm works
 lib/CGI/t/no_tabindex.t	See if CGI.pm works
 lib/CGI/t/pretty.t		See if CGI.pm works
 lib/CGI/t/push.t		See if CGI::Push works
diff --git a/lib/CGI.pm b/lib/CGI.pm
index 008bc7b..d859e76 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -1382,7 +1382,14 @@ END_OF_FUNC
 sub multipart_init {
     my($self,@p) = self_or_default(@_);
     my($boundary,@other) = rearrange_header([BOUNDARY],@p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+        $boundary = '------- =_';
+        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+        for (1..17) {
+            $boundary .= $chrs[rand(scalar @chrs)];
+        }
+    }
+
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
@@ -1467,6 +1474,23 @@ sub header {
                             'EXPIRES','NPH','CHARSET',
                             'ATTACHMENT','P3P'],@p);
 
+    # CR escaping for values, per RFC 822
+    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+        if (defined $header) {
+            # From RFC 822:
+            # Unfolding  is  accomplished  by regarding   CRLF   immediately
+            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input. 
+            if ($header =~ m/$CRLF|\015|\012/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
+        } 
+   }
+
     $nph     ||= $NPH;
 
     $type ||= 'text/html' unless defined($type);
diff --git a/lib/CGI/t/headers.t b/lib/CGI/t/headers.t
new file mode 100755
index 0000000..661b74b
--- /dev/null
+++ b/lib/CGI/t/headers.t
@@ -0,0 +1,47 @@
+
+# Test that header generation is spec compliant.
+# References:
+#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
+#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI;
+
+my $cgi = CGI->new;
+
+like $cgi->header( -type => "text/html" ),
+    qr#Type: text/html#, 'known header, basic case: type => "text/html"';
+
+eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'invalid header blows up');
+
+like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+    qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
+eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
+eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
+like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
+
+eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
+
+eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
+
+eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
+like($@,qr/contains a newline/,'redirect with leading newlines blows up');
+
+{
+    my $cgi = CGI->new('t=bogus%0A%0A<html>');
+    my $out;
+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
+}
+
+
diff --git a/lib/CGI/t/multipart_init.t b/lib/CGI/t/multipart_init.t
new file mode 100755
index 0000000..f0a05e0
--- /dev/null
+++ b/lib/CGI/t/multipart_init.t
@@ -0,0 +1,20 @@
+use Test::More 'no_plan';
+
+use CGI;
+
+my $q = CGI->new;
+
+my $sv = $q->multipart_init;
+like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
+
+like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
+
+$sv = $q->multipart_init( 'this_is_the_boundary' );
+like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
+$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
+like($sv,
+     qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
+
+$sv = $q->multipart_init;
+my $sv2 = $q->multipart_init;
+isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
-- 
tg: (daf8b46..) fixes/cgi-multiline-header (depends on: upstream)
Reply to: