Debian Bug report logs - #693421
CVE-2012-5526 CGI.pm: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers

Package: libcgi-pm-perl; Maintainer for libcgi-pm-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libcgi-pm-perl is src:libcgi-pm-perl.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Nov 2012 10:00:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in versions libcgi-pm-perl/3.59+dfsg-1, libcgi-pm-perl/3.61-1, libcgi-pm-perl/3.49-1squeeze1

Fixed in versions libcgi-pm-perl/3.61-2, libcgi-pm-perl/3.49-1squeeze2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Fri, 16 Nov 2012 10:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 16 Nov 2012 10:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcgi-pm-perl: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers
Date: Fri, 16 Nov 2012 10:56:41 +0100
Package: libcgi-pm-perl
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,
the following vulnerability was published for libcgi-pm-perl:

CVE-2012-5526[0]:
libcgi-pm-perl: newline injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526
    http://security-tracker.debian.org/tracker/CVE-2012-5526
[1] http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
[2] https://github.com/markstos/CGI.pm/pull/23
[3] https://bugzilla.redhat.com/show_bug.cgi?id=877015

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----



Changed Bug title to 'CVE-2012-5526 CGI.pm: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers' from 'libcgi-pm-perl: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Nov 2012 11:48:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sun, 18 Nov 2012 10:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 18 Nov 2012 10:12:05 GMT) Full text and rfc822 format available.

Message #12 received at 693421@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 693420@bugs.debian.org, 693421@bugs.debian.org
Cc: team@security.debian.org
Subject: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sun, 18 Nov 2012 12:08:21 +0200
[Message part 1 (text/plain, inline)]
found 693420 5.10.1-17squeeze3
found 693420 5.14.2-15
found 693421 3.49-1squeeze1
found 693421 3.59+dfsg-1
found 693421 3.61-1
tag 693421 patch fixed-upstream
thanks

Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
newline injection in Set-Cookie and P3P headers) affects all of squeeze,
wheezy, and sid.

The attached patch should apply to the wheezy and sid versions; squeeze
may need some backporting at least for the testcases, and the perl package
needs filename modifications due to the different directory structure.

The sid and wheezy versions of libcgi-pm-perl have diverged, so
I suppose this needs to go in wheezy via tpu.

The perl status in wheezy/sid is waiting for #692294; we'll see
if this needs a separate upload.

Security team: do you want DSAs for stable or should this rather be
fixed via SRM/proposed-updates?
-- 
Niko Tyni   ntyni@debian.org
[0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch (text/x-diff, attachment)]

Marked as found in versions libcgi-pm-perl/3.49-1squeeze1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:08 GMT) Full text and rfc822 format available.

Marked as found in versions libcgi-pm-perl/3.59+dfsg-1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:08 GMT) Full text and rfc822 format available.

Marked as found in versions libcgi-pm-perl/3.61-1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:09 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream and patch. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sun, 18 Nov 2012 12:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 18 Nov 2012 12:33:05 GMT) Full text and rfc822 format available.

Message #25 received at 693421@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org
Cc: 693421@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sun, 18 Nov 2012 12:31:44 +0000
On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> wheezy, and sid.
> 
> The attached patch should apply to the wheezy and sid versions; squeeze
> may need some backporting at least for the testcases, and the perl package
> needs filename modifications due to the different directory structure.
> 
> The sid and wheezy versions of libcgi-pm-perl have diverged, so
> I suppose this needs to go in wheezy via tpu.

As both bugs are important rather than RC, neither a t-p-u upload
for libcgi-pm-perl nor an upload for perl including this would
qualify for migration to testing under the tightened up freeze policy[1],
so CCing debian-release for opinions from their side.

Cheers,
Dominic.

[1] <http://release.debian.org/wheezy/freeze_policy.html>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sat, 24 Nov 2012 07:06:03 GMT) Full text and rfc822 format available.

Message #28 received at 693421@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 693421@bugs.debian.org, 693421-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcgi-pm-perl package
Date: Sat, 24 Nov 2012 07:04:39 +0000
tag 693421 + pending
thanks

Some bugs in the libcgi-pm-perl package are closed in revision
a707e6ff01953484c08917749d796b6bc3568939 in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libcgi-pm-perl.git;a=commitdiff;h=a707e6f

Commit message:

    Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
    
    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
    escaping in Set-Cookie and P3P headers.
    
    Thanks: Niko Tyni <ntyni@debian.org>
    Closes: #693421




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 24 Nov 2012 07:06:08 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#693421. (Sat, 24 Nov 2012 07:06:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sat, 24 Nov 2012 07:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 24 Nov 2012 07:21:05 GMT) Full text and rfc822 format available.

Message #38 received at 693421@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 693421@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 08:16:36 +0100
[Message part 1 (text/plain, inline)]
Hi Dominic, Niko, Security-Team and Release-Team

On Sun, Nov 18, 2012 at 12:31:44PM +0000, Dominic Hargreaves wrote:
> On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> > Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> > newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> > wheezy, and sid.
> > 
> > The attached patch should apply to the wheezy and sid versions; squeeze
> > may need some backporting at least for the testcases, and the perl package
> > needs filename modifications due to the different directory structure.
> > 
> > The sid and wheezy versions of libcgi-pm-perl have diverged, so
> > I suppose this needs to go in wheezy via tpu.
> 
> As both bugs are important rather than RC, neither a t-p-u upload
> for libcgi-pm-perl nor an upload for perl including this would
> qualify for migration to testing under the tightened up freeze policy[1],
> so CCing debian-release for opinions from their side.

I just have uploaded libcgi-pm-perl 3.61-2 with only the security
patch. But I agree at this stage it's a no-option to unblock this (too
big diff).

I have attached both debdiff's proposed for Squeeze and for Wheezy.
The debdiff for Squeeze might first be reviewed. Both I'm ready to
push to the Debian Perl Group git repos.

As Dominic correctly stated, with the current freeze policy only an
update would be allowed if we can go through unstable. Release-Team how
should we proceed here?

Regards,
Salvatore
[libcgi-pm-perl_3.49-1squeeze2.debdiff (text/plain, attachment)]
[libcgi-pm-perl_3.59+dfsg-2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 24 Nov 2012 07:21:12 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Nov 2012 07:21:13 GMT) Full text and rfc822 format available.

Message #43 received at 693421-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 693421-close@bugs.debian.org
Subject: Bug#693421: fixed in libcgi-pm-perl 3.61-2
Date: Sat, 24 Nov 2012 07:17:39 +0000
Source: libcgi-pm-perl
Source-Version: 3.61-2

We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693421@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcgi-pm-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Nov 2012 07:54:36 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.61-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libcgi-pm-perl - module for Common Gateway Interface applications
Closes: 693421
Changes: 
 libcgi-pm-perl (3.61-2) unstable; urgency=low
 .
   * Team upload.
   * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
     [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
     escaping in Set-Cookie and P3P headers.
     Thanks to Niko Tyni <ntyni@debian.org> (Closes: #693421)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sat, 24 Nov 2012 07:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 24 Nov 2012 07:33:05 GMT) Full text and rfc822 format available.

Message #48 received at 693421@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 08:29:04 +0100
[Message part 1 (text/plain, inline)]
Hi

short addition to the mail before which I missed: For a possible t-p-u
upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.

Regards,
Salvatore
[libcgi-pm-perl_3.59+dfsg-1+deb7u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Sat, 24 Nov 2012 18:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 24 Nov 2012 18:39:05 GMT) Full text and rfc822 format available.

Message #53 received at 693421@bugs.debian.org (full text, mbox):

From: intrigeri <intrigeri@debian.org>
To: debian-release@lists.debian.org
Cc: 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 17:46:02 +0100
Hi,

Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> short addition to the mail before which I missed: For a possible t-p-u
> upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.

TL;DR --> I recommend to accept this unblock request for t-p-u.

I have verified that I could reproduce the security issue on current
Wheezy, that I could not reproduce it after applying this patch, and
that the code still behaves well in the "good" situation (that is when
$CRLF is followed by space) after applying this patch.

The patch looks sane, and I trust Salvatore has correctly
cherry-picked it from upstream.

(BTW, in case someone wants to reproduce these results, one has to
insert a "\r" in the example test case found on the initial report [1]
for this security issue, else one cannot possibly check that the
patched code still behaves well in the "good" situation; resulting
testing code is:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ],    -p3p    => [ "foo\r\nbar\r\nbaz", ],);'

and:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ],    -p3p    => [ "foo\r\n bar\r\n baz", ],);'
)



[1] https://github.com/markstos/CGI.pm/pull/23

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
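
Added example, not part of the original message and not CGI.pm's own code: a stand-alone Perl check that applies the rule verified above (CRLF followed by whitespace is header folding, any other CR or LF in a value is refused) to the same two values used in the test commands. The names `safe_header_value` and `build_headers` are hypothetical, and emitting one header line per list element is a simplification.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $CRLF = "\015\012";

# Hypothetical helper (not CGI.pm's API): unfold a header value and refuse
# it if any CR or LF is left afterwards.
sub safe_header_value {
    my ($value) = @_;
    # Folding: CRLF followed by a space or tab continues the same header
    # line, so it collapses to that whitespace character.
    (my $unfolded = $value) =~ s/$CRLF([ \t])/$1/g;
    if ($unfolded =~ /[\015\012]/) {
        # Keep the diagnostic short and make control characters visible.
        (my $shown = substr($unfolded, 0, 40))
            =~ s/([\015\012])/sprintf('\\x%02X', ord($1))/ge;
        die "newline not followed by whitespace in header value: $shown\n";
    }
    return $unfolded;
}

# Build a header block from name => value or name => [values] pairs.
# List values (several cookies, P3P entries) are checked element by element,
# so one bad element cannot slip through inside an array reference.
sub build_headers {
    my @pairs = @_;
    my @lines;
    while (my ($name, $value) = splice(@pairs, 0, 2)) {
        for my $v (ref($value) eq 'ARRAY' ? @$value : $value) {
            push @lines, "$name: " . safe_header_value($v);
        }
    }
    return join($CRLF, @lines) . $CRLF . $CRLF;
}

# Constructed inputs: the two values from the test commands above.
my @cases = (
    [ 'CRLF without following space' => "foo\r\nbar\r\nbaz"   ],
    [ 'CRLF followed by space'       => "foo\r\n bar\r\n baz" ],
);

for my $case (@cases) {
    my ($label, $value) = @$case;
    my $block = eval {
        build_headers('Set-Cookie' => [$value], 'P3P' => [$value]);
    };
    if (defined $block) {
        # Show line endings explicitly so the header boundaries are visible.
        (my $visible = $block) =~ s/\015\012/\\r\\n\n/g;
        print "$label: accepted\n$visible";
    }
    else {
        chomp(my $err = $@);
        print "$label: rejected: $err\n";
    }
}
```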



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Tue, 27 Nov 2012 07:30:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 27 Nov 2012 07:30:11 GMT) Full text and rfc822 format available.

Message #58 received at 693421@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: intrigeri <intrigeri@debian.org>, submit@bugs.debian.org
Cc: debian-release@lists.debian.org, 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: tpu: libcgi-pm-perl/3.59+dfsg-1+deb7u1 (pre-approval)
Date: Tue, 27 Nov 2012 08:27:06 +0100
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: tpu

Hi

On Sat, Nov 24, 2012 at 05:46:02PM +0100, intrigeri wrote:
> Hi,
> 
> Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> > short addition to the mail before which I missed: For a possible t-p-u
> > upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.
> 
> TL;DR --> I recommend to accept this unblock request for t-p-u.
> 
> I have verified that I could reproduce the security issue on current
> Wheezy, that I could not reproduce it after applying this patch, and
> that the code still behaves well in the "good" situation (that is when
> $CRLF is followed by space) after applying this patch.
> 
> The patch looks sane, and I trust Salvatore has correctly
> cherry-picked it from upstream.
> 
> (BTW, in case someone wants to reproduce these results, one has to
> insert a "\r" in the example test case found on the initial report [1]
> for this security issue, else one cannot possibly check that the
> patched code still behaves well in the "good" situation; resulting
> testing code is:
> 
>   $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ],    -p3p    => [ "foo\r\nbar\r\nbaz", ],);'
> 
> and:
> 
>   $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ],    -p3p    => [ "foo\r\n bar\r\n baz", ],);'
> )

Thanks for your review. To have this better tracked for the t-p-u part
I'm opening with this a bug against release.d.o.

@ReleaseTeam: This is about #693421 "CVE-2012-5526 CGI.pm: Newline
injection due to improper CRLF escaping in Set-Cookie and P3P
headers".

We could wait for some more testing in unstable for the version there.
The patch for tpu would be the "same" (the package cannot go through
unstable -> testing).

Salvatore
[libcgi-pm-perl_3.59+dfsg-1+deb7u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Fri, 30 Nov 2012 14:51:03 GMT) Full text and rfc822 format available.

Message #61 received at 693421@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 693421@bugs.debian.org, 693421-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcgi-pm-perl package
Date: Fri, 30 Nov 2012 14:47:36 +0000
tag 693421 + pending
thanks

Some bugs in the libcgi-pm-perl package are closed in revision
88db72f60b76e40c23c23bdcace2cc829361755e in branch 'wheezy' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libcgi-pm-perl.git;a=commitdiff;h=88db72f

Commit message:

    Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
    
    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF
    escaping in Set-Cookie and P3P headers.
    
    Thanks: Niko Tyni <ntyni@debian.org>
    Closes: #693421




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#693421; Package libcgi-pm-perl. (Fri, 30 Nov 2012 14:51:05 GMT) Full text and rfc822 format available.

Message #64 received at 693421@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 693421@bugs.debian.org, 693421-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcgi-pm-perl package
Date: Fri, 30 Nov 2012 14:49:52 +0000
tag 693421 + pending
thanks

Some bugs in the libcgi-pm-perl package are closed in revision
3cffa948a6509822fdcf6c8c469f712a61389c4c in branch 'squeeze' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libcgi-pm-perl.git;a=commitdiff;h=3cffa94

Commit message:

    Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
    
    [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF escaping in
    Set-Cookie and P3P headers.
    
    Thanks: Niko Tyni <ntyni@debian.org>
    Closes: #693421




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 30 Nov 2012 14:51:07 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#693421. (Fri, 30 Nov 2012 14:51:31 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#693421. (Fri, 30 Nov 2012 14:51:32 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 13 Dec 2012 23:51:10 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 13 Dec 2012 23:51:11 GMT) Full text and rfc822 format available.

Message #77 received at 693421-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 693421-close@bugs.debian.org
Subject: Bug#693421: fixed in libcgi-pm-perl 3.49-1squeeze2
Date: Thu, 13 Dec 2012 23:47:22 +0000
Source: libcgi-pm-perl
Source-Version: 3.49-1squeeze2

We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693421@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcgi-pm-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Nov 2012 07:47:58 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.49-1squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libcgi-pm-perl - module for Common Gateway Interface applications
Closes: 693421
Changes: 
 libcgi-pm-perl (3.49-1squeeze2) stable-security; urgency=high
 .
   * Team upload.
   * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
     [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF escaping in
     Set-Cookie and P3P headers.
     Thanks to Niko Tyni <ntyni@debian.org> (Closes: #693421)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Jan 2013 07:26:11 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:38:43 2014; Machine Name: beach.debian.org
