Debian Bug report logs - #694279
libdancer-perl: CVE-2012-5572: Cookie name CRLF injection

version graph

Package: libdancer-perl; Maintainer for libdancer-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libdancer-perl is src:libdancer-perl.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 24 Nov 2012 23:51:02 UTC

Severity: important

Tags: fixed-upstream, security

Fixed in version libdancer-perl/1.3114+dfsg-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/PerlDancer/Dancer/issues/859

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#694279; Package libdancer-perl. (Sat, 24 Nov 2012 23:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 24 Nov 2012 23:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdancer-perl: Cookie name CRLF injection
Date: Sun, 25 Nov 2012 00:49:25 +0100
Package: libdancer-perl
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

Similar to #693421, CVE-2012-5526 it was reported[1] that
libdancer-perl's Dancer::Cookie also do not validate cookie name for
CRLF and other invalid symbols in headers. A patch however does not
seem to be present so far.

 [1]: https://github.com/sukria/Dancer/issues/859

Regards,
Salvatore

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQsV0BAAoJEHidbwV/2GP+L5gP/2B+f7DmIh7GZM7b/vJAVX1r
HKNqthkRkskiqILOOZpW/PyOA/f/sJfDICtXLmwU2Vg+wAeX6LbLTMpE09pkIyyJ
+5lfOffPT1fMxqcCI1miTuzDTrztBQrQtWVA0SU4XYw8qWTS8Eqg0lYoP7Y87n4I
Dbrg5HpVcgz7fgj0Cup0iD1Q0QOhrcSS3iSVN/T4T8MYSRfm8BJHr2ihPrq2N/Bk
qY+rsz49OuTgvZ9H7a53bFQLbaT9whnpEwtF2JvQLHicYWLl71iL4XwLFYIc/KzQ
shmlm2vHbUQV+vYaB6i0O9Pg1Ks5BnprOe0KT9cmxLREORZpRxdvi5+ivNFbcpTZ
l8xrF1Hr5RssLheh8rsX+EFx2Wfg3xCpAsDPtEK04//LEm6LtJbpE+QKxDq5Qn64
4zKPPAnBf7ebnbaPerj/PvhFdvAfjEs2I048OqAQJozlHDLtirC6MtynY0DP1O0N
4bYZfwGl5uu7WcnySMxizn4ydzE0FdR9OU+fMNUzsyT9STiCCPJQVqR3mNVixJI3
rCCRYWnSJVTwbiYz2BolS+NtVgtzqHYbk/hDvIbbzrVdJvhkQGToz5C8bdlplSrJ
9sNQrnYoMsqkRIT4VABqK/amBC2X+/B08NyH4p37ykQN1PNOtU0PU5QkgDLY2tVs
1k6Oa+K0b99BL0nOJfwW
=Fxk0
-----END PGP SIGNATURE-----



Changed Bug title to 'libdancer-perl: CVE-2012-5572: Cookie name CRLF injection' from 'libdancer-perl: Cookie name CRLF injection' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 26 Nov 2012 19:51:06 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'https://github.com/PerlDancer/Dancer/issues/859'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 12 Dec 2012 22:18:03 GMT) Full text and rfc822 format available.

Information stored :
Bug#694279; Package libdancer-perl. (Sat, 23 Feb 2013 13:27:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and filed, but not forwarded. (Sat, 23 Feb 2013 13:27:08 GMT) Full text and rfc822 format available.

Message #14 received at 694279-quiet@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: 694279-quiet@bugs.debian.org
Subject: Re: Bug#694279: libdancer-perl: Cookie name CRLF injection
Date: Sat, 23 Feb 2013 14:24:09 +0100
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://github.com/PerlDancer/Dancer/issues/859

On Sun, 25 Nov 2012 00:49:25 +0100, Salvatore Bonaccorso wrote:

> Package: libdancer-perl
> Severity: important
> Tags: security
> 
> Hi
> 
> Similar to #693421, CVE-2012-5526 it was reported[1]
… 
>  [1]: https://github.com/sukria/Dancer/issues/859

The github repo was reorganized, new URL:
https://github.com/PerlDancer/Dancer/issues/859

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Ludwig Hirsch: St. Magdalena
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#694279; Package libdancer-perl. (Mon, 03 Jun 2013 14:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 03 Jun 2013 14:33:05 GMT) Full text and rfc822 format available.

Message #19 received at 694279@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 694279@bugs.debian.org
Subject: Re: Bug#694279: libdancer-perl: Cookie name CRLF injection
Date: Mon, 3 Jun 2013 17:28:53 +0300
tag 694279 fixed-upstream
thanks

On Sun, Nov 25, 2012 at 12:49:25AM +0100, Salvatore Bonaccorso wrote:
> Package: libdancer-perl
> Severity: important
> Tags: security

> Similar to #693421, CVE-2012-5526 it was reported[1] that
> libdancer-perl's Dancer::Cookie also do not validate cookie name for
> CRLF and other invalid symbols in headers. A patch however does not
> seem to be present so far.

This seems to have been fixed upstream recently.
 https://github.com/PerlDancer/Dancer/issues/859

The Fedora bug may also be helpful, see
 https://bugzilla.redhat.com/show_bug.cgi?id=880329

-- 
Niko Tyni   ntyni@debian.org



Added tag(s) fixed-upstream. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2013 14:33:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#694279; Package libdancer-perl. (Tue, 04 Jun 2013 21:33:04 GMT) Full text and rfc822 format available.

Message #24 received at 694279@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 694279@bugs.debian.org, 694279-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libdancer-perl package
Date: Tue, 04 Jun 2013 21:30:11 +0000
tag 694279 + pending
thanks

Some bugs in the libdancer-perl package are closed in revision
cb3a59a28cfe0a2ea3765a6e256b0150d1dd0973 in branch 'master' by gregor
herrmann

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libdancer-perl.git;a=commitdiff;h=cb3a59a

Commit message:

    New upstream release. Fixes "CVE-2012-5572: Cookie name CRLF injection" (Closes: #694279)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 04 Jun 2013 21:33:10 GMT) Full text and rfc822 format available.

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#694279. (Tue, 04 Jun 2013 21:33:13 GMT) Full text and rfc822 format available.

Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Tue, 04 Jun 2013 21:51:05 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jun 2013 21:51:05 GMT) Full text and rfc822 format available.

Message #34 received at 694279-close@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: 694279-close@bugs.debian.org
Subject: Bug#694279: fixed in libdancer-perl 1.3114+dfsg-1
Date: Tue, 04 Jun 2013 21:49:09 +0000
Source: libdancer-perl
Source-Version: 1.3114+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libdancer-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libdancer-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jun 2013 23:26:56 +0200
Source: libdancer-perl
Binary: libdancer-perl
Architecture: source all
Version: 1.3114+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libdancer-perl - effortless web application framework
Closes: 694279
Changes: 
 libdancer-perl (1.3114+dfsg-1) unstable; urgency=low
 .
   [ Salvatore Bonaccorso ]
   * Change Vcs-Git to canonical URI (git://anonscm.debian.org)
   * Change search.cpan.org based URIs to metacpan.org based URIs
   * Add copyright stanza for debian/repack.stub file
 .
   [ gregor herrmann ]
   * Update debian/repack.stub.
   * New upstream release.
     Fixes "CVE-2012-5572: Cookie name CRLF injection"
     (Closes: #694279)
   * Add (build) dependency on libmodule-runtime-perl.
   * Update years of packaging copyright.
   * Add libclone-perl and libdancer-session-cookie-perl to B-D-I (tests)
     and add some optional packages to Suggests.
Checksums-Sha1: 
 e27bfec9ecb07454c880bfcb81a45b0ef0c622f8 2732 libdancer-perl_1.3114+dfsg-1.dsc
 fefdae4f7830b68db696e5b80bc2bb701ef1b7c8 285965 libdancer-perl_1.3114+dfsg.orig.tar.gz
 4f87f5ac01afb7e754c7d4fe6f52401b7d24c59f 10090 libdancer-perl_1.3114+dfsg-1.debian.tar.gz
 924d6b2d243706a15668f345c228c6940da82cba 428066 libdancer-perl_1.3114+dfsg-1_all.deb
Checksums-Sha256: 
 6c6b0526c796aafa229de2a3cc4a2846edf6e116abc3a6ce2941daaee952bf40 2732 libdancer-perl_1.3114+dfsg-1.dsc
 d7a2fa04a9d9a6dc9978eead594465b9ebf03f752c9483a493709da358f04695 285965 libdancer-perl_1.3114+dfsg.orig.tar.gz
 de79e0ba460bff9a56eec456927ee98c467120b76f62f2d25aafe18acb31aeaa 10090 libdancer-perl_1.3114+dfsg-1.debian.tar.gz
 b105249c9df0262264d258c5db751c38944f81c48cea2f43ddf1b2bcddbf47b9 428066 libdancer-perl_1.3114+dfsg-1_all.deb
Files: 
 9ca00c77ebea5cdbbf1b9c82eafee25e 2732 perl optional libdancer-perl_1.3114+dfsg-1.dsc
 da9e481633e5c1f7bf75468143a45fd1 285965 perl optional libdancer-perl_1.3114+dfsg.orig.tar.gz
 e3820bce854d62893c6b097dfef2c219 10090 perl optional libdancer-perl_1.3114+dfsg-1.debian.tar.gz
 79e37e006e70820dedbda2db07e695e0 428066 perl optional libdancer-perl_1.3114+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRrlwiAAoJELs6aAGGSaoGfXMP/1SA2dWW+A/PEDi+ldq79/Px
PLKcF4crAOvqvdUkRSc3PI+E9H71KnHDxuSXwiSxk+oDtdzAyDN/uS2DqjWcFk+N
Zl1RjNnWX510gFTir+wWLrhKMq3ZiYPusB+AN57NiXjUvO+pUg5Tda0VdXE7UVri
PlpEMb8MDCsDR7uR9OtAwy66hLZI1hGV3ABn3E6H6cKiJjOIPpsBWxKst/vJ0pFV
VydYYPghQR2oN74Ae1Ah5DYWBIZ1E+4nk8tWaV4/p8RCd4mtuU01AkkO2oHwDbCx
zcaIuVJBahtugv1gp6t7kC1pjXG/EoS05jJKCkADMK5r+3klJoZoZSWBUb1Z628I
2nlkmv0xGMKQTLW/scirg0SgJ+iyUiUcHOW9VAST24ZnS6o1Ff3mgO3wF97xR21S
8SCiuluAdceBfDBTF7OqE9R+Dp9xbqD/XQHm3+OR4Xb8M5MoRzQssnC24tsnoMLK
ljMkUM35Y+jtf5sUVbIcbxoEafiUeZD/RWfy8+T98X6enNZ/1uMizPtGoQfw3+B8
Kwtv/CT1OUS6eqDMtNFxJ4C8JG3MUoeeDf5pfKIvKgw3h0pE7f4eQrQaoVSy3DRP
0pdvhNr7cvYsf14I5g/P3RZKa0F1psLGPjxqcBrKPP+bypR/s5u47RiUMyQp1JTz
FbJZIsJ+4/k2HUTs7qvY
=DNaF
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Jul 2013 07:32:17 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:55:22 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.