Hi, a short addition to the previous mail, which I missed: for a possible t-p-u upload I should choose 3.59+dfsg-1+deb7u1. Attached is the corrected debdiff. Regards, Salvatore
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/changelog libcgi-pm-perl-3.59+dfsg/debian/changelog
--- libcgi-pm-perl-3.59+dfsg/debian/changelog 2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/changelog 2012-11-24 08:27:32.000000000 +0100
@@ -1,3 +1,13 @@
+libcgi-pm-perl (3.59+dfsg-1+deb7u1) testing-proposed-updates; urgency=high
+
+ * Team upload.
+ * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
+ [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
+ escaping in Set-Cookie and P3P headers.
+ Thanks to Niko Tyni <ntyni@debian.org> (Closes: #693421)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 24 Nov 2012 07:39:11 +0100
+
 libcgi-pm-perl (3.59+dfsg-1) unstable; urgency=low
 * New upstream release
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/gbp.conf libcgi-pm-perl-3.59+dfsg/debian/gbp.conf
--- libcgi-pm-perl-3.59+dfsg/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/gbp.conf 2012-11-24 08:27:32.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = wheezy
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
--- libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch 2012-11-24 08:27:32.000000000 +0100
@@ -0,0 +1,67 @@
+From d5f9eaeea977edd24b3e6fdec7871ab254733ba4 Mon Sep 17 00:00:00 2001
+From: Ryo Anazawa <anazawa@cpan.org>
+Date: Wed, 14 Nov 2012 09:47:32 +0900
+Subject: [PATCH] CR escaping for P3P and Set-Cookie headers
+
+---
+ lib/CGI.pm | 24 ++++++++++++------------
+ t/headers.t | 6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1501,8 +1501,17 @@
+ 'EXPIRES','NPH','CHARSET',
+ 'ATTACHMENT','P3P'],@p);
+
++ # Since $cookie and $p3p may be array references,
++ # we must stringify them before CR escaping is done.
++ my @cookie;
++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++ push(@cookie,$cs) if defined $cs and $cs ne '';
++ }
++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+ # CR escaping for values, per RFC 822
+- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+ if (defined $header) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+@@ -1546,18 +1555,9 @@
+
+ push(@header,"Status: $status") if $status;
+ push(@header,"Window-Target: $target") if $target;
+- if ($p3p) {
+- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+- }
++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+ # push all the cookies -- there may be several
+- if ($cookie) {
+- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+- for (@cookie) {
+- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+- push(@header,"Set-Cookie: $cs") if $cs ne '';
+- }
+- }
++ push(@header,map {"Set-Cookie: $_"} @cookie);
+ # if the user indicates an expiration time, then we need
+ # both an Expires and a Date header (so that the browser is
+ # uses OUR clock)
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
diff -Nru libcgi-pm-perl-3.59+dfsg/debian/patches/series libcgi-pm-perl-3.59+dfsg/debian/patches/series
--- libcgi-pm-perl-3.59+dfsg/debian/patches/series 2011-12-30 20:36:13.000000000 +0100
+++ libcgi-pm-perl-3.59+dfsg/debian/patches/series 2012-11-24 08:27:32.000000000 +0100
@@ -1 +1,2 @@
 man-cgi-fast.patch
+0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
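Review bot: The new P3P line `push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;` interpolates `$p3p` into a double-quoted attribute with no escaping, so the escaping loop above now rejects embedded CRLF in the joined value but a `"` inside the compact-policy string still produces a malformed header; if `header()` is meant to reject rather than sanitize, a conservative check placed right after the `join`, e.g. `die "P3P compact policy contains invalid characters: $p3p" if $p3p =~ /[^\w ]/;`, keeps the value within the token grammar. The unfolding logic and the `contains a newline` die that the new tests rely on, like the rest of `header()`, lie outside this hunk, so I can only infer from the test expectations that they cover the stringified `@cookie` and `$p3p`. The stringification now silently drops `undef` and empty cookie entries before escaping, which reads as intended but deserves a word in the new comment. As packaging documentation, the patch header carries only git's From/Date/Subject lines; adding DEP-3 `Origin: upstream, <upstream commit URL placeholder>` for commit d5f9eaeea977edd24b3e6fdec7871ab254733ba4 and a `Bug-Debian:` field for #693421 would let the CVE-2012-5526 fix be traced from the patch file alone.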