
Bug#694519: tpu: libcgi-pm-perl/3.59+dfsg-1+deb7u1 (pre-approval)



Hey Adam

Thanks for your time reviewing it!

On Mon, Dec 10, 2012 at 09:37:17PM +0000, Adam D. Barratt wrote:
> [trimmed CC list]
> 
> On Tue, 2012-11-27 at 08:27 +0100, Salvatore Bonaccorso wrote:
> > @ReleaseTeam: This is about #693421 "CVE-2012-5526 CGI.pm: Newline
> > injection due to improper CRLF escaping in Set-Cookie and P3P
> > headers".
> > 
> > We could wait for some more testing in unstable for the version there.
> > The patch for tpu would be the "same" (the package cannot go through
> > unstable -> testing).
> 
> fwiw, I've been having a look at the diff, and filtering out meta-data,
> tests and documentation changes seems to give a reasonably sized diff:
>
> $ debdiff ftp/pool/main/libc/libcgi-pm-perl/libcgi-pm-perl_3.{59+dfsg-1,61-2}.dsc | filterdiff -x '*/t/*' -x '*/META.*' -x '*/repack.*' -x '*/Carp.pm' -x '*/debian/copyright' -x '*/Changes' -x '*/MANIFEST' -x '*/debian/changelog' -x '*/debian/watch'| diffstat
>  /tmp/llc5QdkBjB/libcgi-pm-perl-3.61/examples/dna.small.gif                               |binary
>  /tmp/llc5QdkBjB/libcgi-pm-perl-3.61/examples/wilogo.gif                                  |binary
>  libcgi-pm-perl-3.61/Makefile.PL                                                          |    1 
>  libcgi-pm-perl-3.61/debian/control                                                       |    4 
>  libcgi-pm-perl-3.61/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch |   67 ++++++++++
>  libcgi-pm-perl-3.61/debian/patches/series                                                |    1 
>  libcgi-pm-perl-3.61/lib/CGI.pm                                                           |   22 +--
>  libcgi-pm-perl-3.61/lib/CGI/Cookie.pm                                                    |    2 
>  8 files changed, 85 insertions(+), 12 deletions(-)
> 
> The vast majority of that is the security update which is the subject of
> this report.

I meant the above "We could wait for some more testing in unstable for
the version there" as "we could wait some more days for the version in
unstable to get testing, so that we can see if there are any
regressions" (and then go for the t-p-u upload) :-).

*But* if you agree on unblocking the version in unstable, this is fine
:-). Indeed, I updated 3.61 in unstable to 3.61-2 with the patch,
instead of updating to 3.63 (the new upstream release that has the fix).

The proposed debdiff for t-p-u only is attached to my first
message.

Regards,
Salvatore

Attachment: signature.asc
Description: Digital signature
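The bug under discussion, CVE-2012-5526, is a classic HTTP response-splitting case: a CR or LF that reaches a Set-Cookie or P3P header value unescaped terminates the header line and lets the rest of the value be parsed as further headers and a body. The following Perl script is an added illustration and is not code from CGI.pm, from this bug report or from the Debian patch. It assumes the hypothetical helper names `build_response_unchecked`, `build_response_checked` and `check_header_value`, a constructed attacker-controlled cookie value, and a simplified header-value check modelled on the RFC 822 unfolding rule (CRLF followed by whitespace is a line fold; any other CR or LF is rejected), which is only a model of what a fixed emitter must do, not a copy of the CGI.pm implementation.

```perl
#!/usr/bin/perl
# Added example, not CGI.pm code: shows how an unescaped CR/LF in a
# Set-Cookie value splits the HTTP response, and a header-value check
# that rejects it.  The sub names and the attacker string are
# hypothetical/constructed for this example.
use strict;
use warnings;

my $CRLF = "\015\012";

# Reject any CR or LF in a header value, except an RFC 822 line fold
# (CRLF followed by whitespace), which is unfolded to the whitespace.
# Assumption: this simplified rule stands in for the real check.
sub check_header_value {
    my ($value) = @_;
    $value =~ s/$CRLF(\s)/$1/g;   # unfold CRLF + LWSP into the LWSP char
    if ($value =~ /\015|\012/) {
        die "Invalid header value contains a newline not followed by whitespace\n";
    }
    return $value;
}

# Naive emitter: interpolates values straight into header lines.
# This is the kind of behaviour the CVE describes for Set-Cookie and P3P.
sub build_response_unchecked {
    my (%h) = @_;
    my $out = "Content-Type: text/html$CRLF";
    $out .= "Set-Cookie: $h{cookie}$CRLF" if defined $h{cookie};
    $out .= "P3P: policyref=\"/w3c/p3p.xml\", CP=\"$h{p3p}\"$CRLF" if defined $h{p3p};
    return $out . $CRLF;   # blank line ends the header block
}

# Hardened emitter: every value passes the check before interpolation.
sub build_response_checked {
    my (%h) = @_;
    $h{$_} = check_header_value($h{$_}) for grep { defined $h{$_} } keys %h;
    return build_response_unchecked(%h);
}

# Constructed attacker-controlled cookie value: ends the Set-Cookie line,
# injects a second header, then an empty line and an attacker body.
my $evil = "sid=abc$CRLF" . "X-Injected: yes$CRLF$CRLF"
         . "<script>alert(1)</script>";

my $unchecked = build_response_unchecked(cookie => $evil);
my $injected  = $unchecked =~ /^X-Injected: yes/m ? "yes" : "no";
print "unchecked emitter: injected header present on its own line: $injected\n";

my $checked = eval { build_response_checked(cookie => $evil) };
print "checked emitter: ", (defined $checked ? "emitted (bad)\n" : "rejected: $@");

# A legitimate folded continuation line is still accepted and unfolded.
print "folded value unfolds to: ",
      check_header_value("sid=abc;${CRLF} Path=/"), "\n";
```

Run it with a stock `perl` (no CGI.pm needed). The unchecked emitter reports the injected header as a standalone line, the checked emitter dies on the same input, and the last line shows that a legitimate RFC 822 fold (`CRLF` + space) is unfolded rather than rejected, which is the edge case a fix must keep working. The same check has to cover every header the module emits, including the cookie and P3P values, which is exactly the gap the referenced patch addresses.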

