Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection



Hi Dominic, Niko, Security-Team and Release-Team

On Sun, Nov 18, 2012 at 12:31:44PM +0000, Dominic Hargreaves wrote:
> On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> > Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> > newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> > wheezy, and sid.
> > 
> > The attached patch should apply to the wheezy and sid versions; squeeze
> > may need some backporting at least for the testcases, and the perl package
> > needs filename modifications due to the different directory structure.
> > 
> > The sid and wheezy versions of libcgi-pm-perl have diverged, so
> > I suppose this needs to go in wheezy via tpu.
> 
> As both bugs are important rather than RC, neither a t-p-u upload
> for libcgi-pm-perl nor an upload for perl including this would
> qualify for migration to testing under the tightened up freeze policy[1],
> so CCing debian-release for opinions from their side.

I have just uploaded libcgi-pm-perl 3.61-2 with only the security
patch. But I agree that at this stage it's not an option to unblock this
(too big a diff).

I have attached both debdiffs proposed for Squeeze and for Wheezy.
The debdiff for Squeeze might be reviewed first. I'm ready to push
both to the Debian Perl Group git repos.

As Dominic correctly stated, with the current freeze policy an
update would only be allowed if we can go through unstable. Release-Team,
how should we proceed here?

Regards,
Salvatore
diff -u libcgi-pm-perl-3.49/debian/changelog libcgi-pm-perl-3.49/debian/changelog
--- libcgi-pm-perl-3.49/debian/changelog
+++ libcgi-pm-perl-3.49/debian/changelog
@@ -1,3 +1,13 @@
+libcgi-pm-perl (3.49-1squeeze2) stable; urgency=high
+
+  * Team upload.
+  * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
+    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF escaping in
+    Set-Cookie and P3P headers.
+    Thanks to Niko Tyni <ntyni@debian.org> (Closes: #693421)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 24 Nov 2012 07:47:58 +0100
+
 libcgi-pm-perl (3.49-1squeeze1) testing-proposed-updates; urgency=high
 
   * [SECURITY] Add a patch with the backported fixes for CVE-2010-2761,
diff -u libcgi-pm-perl-3.49/debian/patches/series libcgi-pm-perl-3.49/debian/patches/series
--- libcgi-pm-perl-3.49/debian/patches/series
+++ libcgi-pm-perl-3.49/debian/patches/series
@@ -3,0 +4 @@
+0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
only in patch2:
unchanged:
--- libcgi-pm-perl-3.49.orig/debian/gbp.conf
+++ libcgi-pm-perl-3.49/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = squeeze
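Review bot: debian/gbp.conf is a new file unrelated to the CVE-2012-5526 fix, and the 3.49-1squeeze2 changelog entry above does not list it. For a stable upload, either leave it out of this upload or add a changelog line for it, so that the debdiff contains only what the entry declares.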
only in patch2:
unchanged:
--- libcgi-pm-perl-3.49.orig/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
+++ libcgi-pm-perl-3.49/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
@@ -0,0 +1,67 @@
+From d5f9eaeea977edd24b3e6fdec7871ab254733ba4 Mon Sep 17 00:00:00 2001
+From: Ryo Anazawa <anazawa@cpan.org>
+Date: Wed, 14 Nov 2012 09:47:32 +0900
+Subject: [PATCH] CR escaping for P3P and Set-Cookie headers
+
+---
+ lib/CGI.pm  |   24 ++++++++++++------------
+ t/headers.t |    6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1549,8 +1549,17 @@
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'],@p);
+ 
++    # Since $cookie and $p3p may be array references,
++    # we must stringify them before CR escaping is done.
++    my @cookie;
++    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++        push(@cookie,$cs) if defined $cs and $cs ne '';
++    }
++    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+     # CR escaping for values, per RFC 822
+-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+         if (defined $header) {
+             # From RFC 822:
+             # Unfolding  is  accomplished  by regarding   CRLF   immediately
+@@ -1598,18 +1607,9 @@
+ 
+     push(@header,"Status: $status") if $status;
+     push(@header,"Window-Target: $target") if $target;
+-    if ($p3p) {
+-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+-    }
++    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+     # push all the cookies -- there may be several
+-    if ($cookie) {
+-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+-	for (@cookie) {
+-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
+-	}
+-    }
++    push(@header,map {"Set-Cookie: $_"} @cookie);
+     # if the user indicates an expiration time, then we need
+     # both an Expires and a Date header (so that the browser is
+     # uses OUR clock)
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+ 
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+ 
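Review bot: the embedded t/headers.t hunk uses the same offsets (@@ -22,6 +22,12 @@) as the wheezy copy of this patch, while the lib/CGI.pm offsets differ between the two (1549 here, 1501 there). Given the note earlier in the thread that squeeze may need backporting for the testcases, please confirm that this test hunk applies cleanly against 3.49's t/headers.t and that the two new "contains a newline" tests actually run and pass in the squeeze build. The patch header would also benefit from a Bug-Debian reference to #693421 next to the upstream commit id, so the origin of the fix is traceable from the patch file alone.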
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/changelog libcgi-pm-perl-3.59+dfsg/debian/changelog
--- libcgi-pm-perl-3.59+dfsg/debian/changelog	2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/changelog	2012-11-24 08:14:34.000000000 +0100
@@ -1,3 +1,13 @@
+libcgi-pm-perl (3.59+dfsg-2) testing-proposed-updates; urgency=high
+
+  * Team upload.
+  * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
+    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
+    escaping in Set-Cookie and P3P headers.
+    Thanks to Niko Tyni <ntyni@debian.org> (Closes: #693421)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 24 Nov 2012 07:39:11 +0100
+
 libcgi-pm-perl (3.59+dfsg-1) unstable; urgency=low
 
   * New upstream release
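Review bot: the version 3.59+dfsg-2 in the new entry reads like an ordinary unstable revision although the distribution is testing-proposed-updates. The older squeeze entry shown in this thread used a suffixed version (3.49-1squeeze1) for a testing-proposed-updates upload; consider a suffixed version here too, or confirm that 3.59+dfsg-2 was never used in unstable. The entry also omits the debian/gbp.conf file that this debdiff adds.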
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/gbp.conf libcgi-pm-perl-3.59+dfsg/debian/gbp.conf
--- libcgi-pm-perl-3.59+dfsg/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/gbp.conf	2012-11-24 08:14:34.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = wheezy
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
--- libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch	2012-11-24 08:14:34.000000000 +0100
@@ -0,0 +1,67 @@
+From d5f9eaeea977edd24b3e6fdec7871ab254733ba4 Mon Sep 17 00:00:00 2001
+From: Ryo Anazawa <anazawa@cpan.org>
+Date: Wed, 14 Nov 2012 09:47:32 +0900
+Subject: [PATCH] CR escaping for P3P and Set-Cookie headers
+
+---
+ lib/CGI.pm  |   24 ++++++++++++------------
+ t/headers.t |    6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1501,8 +1501,17 @@
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'],@p);
+ 
++    # Since $cookie and $p3p may be array references,
++    # we must stringify them before CR escaping is done.
++    my @cookie;
++    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++        push(@cookie,$cs) if defined $cs and $cs ne '';
++    }
++    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+     # CR escaping for values, per RFC 822
+-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+         if (defined $header) {
+             # From RFC 822:
+             # Unfolding  is  accomplished  by regarding   CRLF   immediately
+@@ -1546,18 +1555,9 @@
+ 
+     push(@header,"Status: $status") if $status;
+     push(@header,"Window-Target: $target") if $target;
+-    if ($p3p) {
+-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+-    }
++    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+     # push all the cookies -- there may be several
+-    if ($cookie) {
+-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+-	for (@cookie) {
+-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
+-	}
+-    }
++    push(@header,map {"Set-Cookie: $_"} @cookie);
+     # if the user indicates an expiration time, then we need
+     # both an Expires and a Date header (so that the browser is
+     # uses OUR clock)
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+ 
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+ 
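Review bot: the two new tests in the embedded t/headers.t hunk only exercise the array-ref form with plain strings (-p3p => [...] and -cookie => [...]). The rewritten loop in lib/CGI.pm also handles a scalar $cookie and CGI::Cookie objects via as_string, and $p3p as a plain string, so a test for each of those paths would show that every form now reaches the CR escaping loop. It would also help to add a cookie case with CRLF followed by whitespace, mirroring the existing -type test, to pin down that a folded value is unfolded rather than rejected. Note for callers: header() now dies with "contains a newline" for cookie and P3P values that previously passed through, so code passing user-influenced values should expect that exception.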
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/series libcgi-pm-perl-3.59+dfsg/debian/patches/series
--- libcgi-pm-perl-3.59+dfsg/debian/patches/series	2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/series	2012-11-24 08:14:34.000000000 +0100
@@ -1 +1,2 @@
 man-cgi-fast.patch
+0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
