
Re: Bug#629511: can report invalid data as valid in untaint mode



On Fri, 16 Dec 2011 19:42:29 +0100, Julien Cristau wrote:

> > (I hope switching to source format 3.0 is ok; it seems less invasive
> > than adding quilt stuff manually and less ugly than directly patching
> > the source.)
> No it's not.  The way to go is to just fix the bug, not introduce random
> packaging changes at the same time.

Here's an updated debdiff that patches the file directly.

Cheers,
gregor

-- 
 .''`.   Homepage: http://info.comodo.priv.at/ - OpenPGP key ID: 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Rolling Stones: Dancing
diff -u libdata-formvalidator-perl-4.66/debian/changelog libdata-formvalidator-perl-4.66/debian/changelog
--- libdata-formvalidator-perl-4.66/debian/changelog
+++ libdata-formvalidator-perl-4.66/debian/changelog
@@ -1,3 +1,12 @@
+libdata-formvalidator-perl (4.66-1+squeeze1) UNRELEASED; urgency=low
+
+  [ Damyan Ivanov ]
+  * apply a patch fixing a possible passing of invalid data in untaint mode
+    Closes: #629511
+    This is CVE-2011-2201.
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 16 Dec 2011 20:33:45 +0100
+
 libdata-formvalidator-perl (4.66-1) unstable; urgency=low
 
   [ Jonathan Yu ]
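Review bot: the distribution on the first `+` line is still UNRELEASED and the bullet "apply a patch fixing a possible passing of invalid data in untaint mode" does not say where that patch comes from (upstream release, upstream commit, or Debian-specific). Before upload the suite should be the stable security target for squeeze, and the entry should name the origin of the Results.pm change so the fix can be checked against it.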
only in patch2:
unchanged:
--- libdata-formvalidator-perl-4.66.orig/lib/Data/FormValidator/Results.pm
+++ libdata-formvalidator-perl-4.66/lib/Data/FormValidator/Results.pm
@@ -807,7 +807,7 @@
             # With methods, the value is the second argument
             my $val = $force_method_p ? $_[1] : $_[0];
             my ($match) = scalar ($val =~ $re);
-            if ($untaint_this && defined $match) {
+            if ($untaint_this && $match) {
                 # pass the value through a RE that matches anything to untaint it.
                 my ($untainted) = ($&  =~ m/(.*)/s);
                 return $untainted;
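Review bot: the changed `if` line is correct but carries no comment explaining why truth rather than definedness is tested, and a future reader is likely to "fix" it back. `scalar ($val =~ $re)` yields 1 on a match and the empty string on failure, so `$match` was always defined and the untaint branch ran even when the regex did not match, returning whatever `$&` still held from an earlier successful match. Suggest adding above the `if`: `# a failed match sets $match to "" (defined but false), so test truth, not definedness`.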
