Re: Bug#629511: can report invalid data as valid in untaint mode

[gregor herrmann <gregoa@debian.org>]

On Wed, 14 Dec 2011 22:46:27 +0000, Jonathan Wiltshire wrote:

> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> squeeze (6.0.4) 	- use target "stable"

Thanks for the reminder!
 
> Please prepare a minimal-changes upload targetting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.

Attached.

(I hope switching to source format 3.0 is ok; it seems less invasive
than adding quilt stuff manually and less ugly than directly patching
the source.)


Cheers,
gregor

-- 
 .''`.   Homepage: http://info.comodo.priv.at/ - OpenPGP key ID: 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Andrew Lloyd Webber & Tim Rice

diff -Nru libdata-formvalidator-perl-4.66/debian/changelog libdata-formvalidator-perl-4.66/debian/changelog
--- libdata-formvalidator-perl-4.66/debian/changelog	2011-12-15 21:11:53.000000000 +0100
+++ libdata-formvalidator-perl-4.66/debian/changelog	2011-12-15 21:07:14.000000000 +0100
@@ -1,3 +1,16 @@
+libdata-formvalidator-perl (4.66-1+squeeze1) UNRELEASED; urgency=low
+
+  [ Damyan Ivanov ]
+  * add a patch fixing a possible passing of invalid data in untaint mode
+    Closes: #629511
+    This is CVE-2011-2201.
+
+  [ gregor herrmann ]
+  * Switch to "3.0 (quilt)" source format so that the patch actually gets
+    applied.
+
+ -- gregor herrmann <gregoa@debian.org>  Thu, 15 Dec 2011 20:55:49 +0100
+
 libdata-formvalidator-perl (4.66-1) unstable; urgency=low
 
   [ Jonathan Yu ]
diff -Nru libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch
--- libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch	1970-01-01 01:00:00.000000000 +0100
+++ libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch	2011-12-15 21:07:14.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix a matching check leading to passing (and mangling) invalid data
+ $match would be '' when $val doesn't match $re and '' is still defined...
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=61792
+Bug-Debian: http://bugs.debian.org/629511
+Forwarded: yes
+Author: Damyan Ivanov <dmn@debian.org>
+Last-Update: 2011-06-07
+
+--- a/lib/Data/FormValidator/Results.pm
++++ b/lib/Data/FormValidator/Results.pm
+@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
+             # With methods, the value is the second argument
+             my $val = $force_method_p ? $_[1] : $_[0];
+             my ($match) = scalar ($val =~ $re);
+-            if ($untaint_this && defined $match) {
++            if ($untaint_this && $match) {
+                 # pass the value through a RE that matches anything to untaint it.
+                 my ($untainted) = ($&  =~ m/(.*)/s);
+                 return $untainted;
diff -Nru libdata-formvalidator-perl-4.66/debian/patches/series libdata-formvalidator-perl-4.66/debian/patches/series
--- libdata-formvalidator-perl-4.66/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libdata-formvalidator-perl-4.66/debian/patches/series	2011-12-15 21:07:14.000000000 +0100
@@ -0,0 +1 @@
+fix-re-when-untainting.patch
diff -Nru libdata-formvalidator-perl-4.66/debian/source/format libdata-formvalidator-perl-4.66/debian/source/format
--- libdata-formvalidator-perl-4.66/debian/source/format	1970-01-01 01:00:00.000000000 +0100
+++ libdata-formvalidator-perl-4.66/debian/source/format	2011-12-15 21:07:14.000000000 +0100
@@ -0,0 +1 @@
+3.0 (quilt)

Attachment: signature.asc
Description: Digital signature