r66136 - in /trunk/libcgi-simple-perl/debian: changelog control patches/ patches/cve-2010-4410.patch patches/series source/ source/format
dmn at users.alioth.debian.org
Wed Dec 22 20:47:33 UTC 2010
Author: dmn
Date: Wed Dec 22 20:47:10 2010
New Revision: 66136
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=66136
Log:
* add a patch for CVE-2010-4410
+ add libtest-exception-perl to dependencies
* use "3.0 (quilt)" source format
Added:
trunk/libcgi-simple-perl/debian/patches/
trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
trunk/libcgi-simple-perl/debian/patches/series
trunk/libcgi-simple-perl/debian/source/
trunk/libcgi-simple-perl/debian/source/format
Modified:
trunk/libcgi-simple-perl/debian/changelog
trunk/libcgi-simple-perl/debian/control
Modified: trunk/libcgi-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/changelog?rev=66136&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/changelog (original)
+++ trunk/libcgi-simple-perl/debian/changelog Wed Dec 22 20:47:10 2010
@@ -19,6 +19,11 @@
[ Ansgar Burchardt ]
* Update my email address.
+
+ [ Damyan Ivanov ]
+ * add a patch for CVE-2010-4410
+ + add libtest-exception-perl to dependencies
+ * use "3.0 (quilt)" source format
-- Ryan Niebur <ryan at debian.org> Fri, 25 Sep 2009 00:24:07 -0700
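Review bot: the new [ Damyan Ivanov ] entry records the CVE-2010-4410 patch without a bug closer, although the patch header added in this same revision names Bug-Debian: http://bugs.debian.org/606379. Adding "(Closes: #606379)" to the "add a patch for CVE-2010-4410" line would tie the changelog to that report and let the upload close it.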
Modified: trunk/libcgi-simple-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/control?rev=66136&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/control (original)
+++ trunk/libcgi-simple-perl/debian/control Wed Dec 22 20:47:10 2010
@@ -3,7 +3,7 @@
Priority: optional
Build-Depends: debhelper (>= 7)
Build-Depends-Indep: perl (>= 5.8.0-7), libwww-perl, libtest-pod-perl,
- libtest-pod-coverage-perl
+ libtest-pod-coverage-perl, libtest-exception-perl
Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
Uploaders: Jose Luis Rivas <ghostbar38 at gmail.com>,
gregor herrmann <gregoa at debian.org>,
Added: trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch (added)
+++ trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch Wed Dec 22 20:47:10 2010
@@ -1,0 +1,57 @@
+Description: Fix CVS-2010-4410
+ Always check for CRLF in supplied header values and require that CRLF
+ is followed by a whitespace, in which case the CRLF is stripped.
+ Die if CRLF is followed by non-whitespace character.
+Bug-Debian: http://bugs.debian.org/606379
+Author: Damyan Ivanov <dmn at debian.org>
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=64160
+
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -995,7 +995,12 @@ sub header {
+
+ # Don't use \s because of perl bug 21951
+ next
+- unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
++ unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
++
++ my $CRLF = $self->crlf;
++ $value =~ s/$CRLF(\s)/$1/sg;
++ $value =~ /$CRLF/ and die "Invalid header value -- CRLF not followed by whitespace";
++
+ ( $_ = $header )
+ =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
+ }
+--- /dev/null
++++ b/t/120.header-crlf.t
+@@ -0,0 +1,20 @@
++use strict;
++use Test::More tests => 2;
++use Test::Exception;
++use CGI::Simple;
++
++my $cgi = CGI::Simple->new;
++
++my $CRLF = $cgi->crlf;
++
++is( $cgi->header( '-Test' => "test$CRLF part" ),
++ "Test: test part"
++ . $CRLF
++ . 'Content-Type: text/html; charset=ISO-8859-1'
++ . $CRLF
++ . $CRLF
++);
++
++throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
++qr/Invalid header value -- CRLF not followed by whitespace at /,
++ 'invalid CRLF caught';
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -11,6 +11,7 @@ WriteMakefile(
+ PL_FILES => {},
+ PREREQ_PM => {
+ 'Test::More' => 0,
++ 'Test::Exception' => 0,
+ 'IO::Scalar' => 0
+ },
+ dist => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
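Review bot: in the header() hunk, `s/$CRLF(\s)/$1/sg` uses `\s` as the continuation class, and `\s` also matches CR and LF, so a value in which CRLF is followed directly by LF is rewritten to contain a bare LF and then passes the `/$CRLF/` check (assuming crlf returns CR LF), leaving a line break in the emitted header. Restrict the continuation class to `[ \t]` and die on any `\r` or `\n` that remains after the substitution; that also matches the "Don't use \s because of perl bug 21951" comment directly above the changed line. t/120.header-crlf.t should gain a case for a lone LF and for CRLF followed by LF. Two smaller points: `$CRLF` is interpolated into both patterns unquoted, where `\Q$CRLF\E` would be safer, and the Description line reads "CVS-2010-4410" while the changelog says CVE-2010-4410.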
Added: trunk/libcgi-simple-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/series?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/series (added)
+++ trunk/libcgi-simple-perl/debian/patches/series Wed Dec 22 20:47:10 2010
@@ -1,0 +1,2 @@
+cve-2010-4410.patch
+debian-changes-1.112-1
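Review bot: the second series entry, debian-changes-1.112-1, has no matching file in this revision: the Added list contains only patches/cve-2010-4410.patch and patches/series. If that patch is not already in the repository, either commit it alongside or drop the line, since a series entry without its file stops the patch stack from applying.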
Added: trunk/libcgi-simple-perl/debian/source/format
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/source/format?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/source/format (added)
+++ trunk/libcgi-simple-perl/debian/source/format Wed Dec 22 20:47:10 2010
@@ -1,0 +1,1 @@
+3.0 (quilt)