r66136 - in /trunk/libcgi-simple-perl/debian: changelog control patches/ patches/cve-2010-4410.patch patches/series source/ source/format

dmn at users.alioth.debian.org dmn at users.alioth.debian.org
Wed Dec 22 20:47:33 UTC 2010


Author: dmn
Date: Wed Dec 22 20:47:10 2010
New Revision: 66136

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=66136
Log:
* add a patch for CVE-2010-4410
  + add libtest-exception-perl to dependencies
* use "3.0 (quilt)" source format

Added:
    trunk/libcgi-simple-perl/debian/patches/
    trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
    trunk/libcgi-simple-perl/debian/patches/series
    trunk/libcgi-simple-perl/debian/source/
    trunk/libcgi-simple-perl/debian/source/format
Modified:
    trunk/libcgi-simple-perl/debian/changelog
    trunk/libcgi-simple-perl/debian/control

Modified: trunk/libcgi-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/changelog?rev=66136&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/changelog (original)
+++ trunk/libcgi-simple-perl/debian/changelog Wed Dec 22 20:47:10 2010
@@ -19,6 +19,11 @@
 
   [ Ansgar Burchardt ]
   * Update my email address.
+
+  [ Damyan Ivanov ]
+  * add a patch for CVE-2010-4410
+    + add libtest-exception-perl to dependencies
+  * use "3.0 (quilt)" source format
 
  -- Ryan Niebur <ryan at debian.org>  Fri, 25 Sep 2009 00:24:07 -0700
 

Modified: trunk/libcgi-simple-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/control?rev=66136&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/control (original)
+++ trunk/libcgi-simple-perl/debian/control Wed Dec 22 20:47:10 2010
@@ -3,7 +3,7 @@
 Priority: optional
 Build-Depends: debhelper (>= 7)
 Build-Depends-Indep: perl (>= 5.8.0-7), libwww-perl, libtest-pod-perl,
- libtest-pod-coverage-perl
+ libtest-pod-coverage-perl, libtest-exception-perl
 Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
 Uploaders: Jose Luis Rivas <ghostbar38 at gmail.com>,
  gregor herrmann <gregoa at debian.org>,

Added: trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch (added)
+++ trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch Wed Dec 22 20:47:10 2010
@@ -1,0 +1,57 @@
+Description: Fix CVS-2010-4410
+ Always check for CRLF in supplied header values and require that CRLF
+ is followed by a whitespace, in which case the CRLF is stripped.
+ Die if CRLF is followed by non-whitespace character.
+Bug-Debian: http://bugs.debian.org/606379
+Author: Damyan Ivanov <dmn at debian.org>
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=64160
+
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -995,7 +995,12 @@ sub header {
+ 
+     # Don't use \s because of perl bug 21951
+     next
+-     unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
++     unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
++
++    my $CRLF = $self->crlf;
++    $value =~ s/$CRLF(\s)/$1/sg;
++    $value =~ /$CRLF/ and die "Invalid header value -- CRLF not followed by whitespace";
++
+     ( $_ = $header )
+      =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
+   }
+--- /dev/null
++++ b/t/120.header-crlf.t
+@@ -0,0 +1,20 @@
++use strict;
++use Test::More tests => 2;
++use Test::Exception;
++use CGI::Simple;
++
++my $cgi = CGI::Simple->new;
++
++my $CRLF = $cgi->crlf;
++
++is( $cgi->header( '-Test' => "test$CRLF part" ),
++    "Test: test part"
++        . $CRLF
++        . 'Content-Type: text/html; charset=ISO-8859-1'
++        . $CRLF
++        . $CRLF
++);
++
++throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
++qr/Invalid header value -- CRLF not followed by whitespace at /,
++    'invalid CRLF caught';
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -11,6 +11,7 @@ WriteMakefile(
+   PL_FILES      => {},
+   PREREQ_PM     => {
+     'Test::More' => 0,
++    'Test::Exception' => 0,
+     'IO::Scalar' => 0
+   },
+   dist  => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
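Review bot: the folding step `$value =~ s/$CRLF(\s)/$1/sg;` uses `\s`, which also matches `\r` and `\n`, so a value such as `"test$CRLF\nmore"` is rewritten to `"test\nmore"`, contains no CRLF pair, and passes the `die` check on the next line while still carrying a bare line break into the emitted header; restricting the continuation class to `[ \t]` and then rejecting any `\015` or `\012` left in `$value` (not only the `$CRLF` pair) would close that gap, and the existing comment above `next` already discourages `\s` there for a different reason (perl bug 21951). Smaller point: the DEP-3 `Description:` header reads `Fix CVS-2010-4410` where `CVE-2010-4410` is meant.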

Added: trunk/libcgi-simple-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/series?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/series (added)
+++ trunk/libcgi-simple-perl/debian/patches/series Wed Dec 22 20:47:10 2010
@@ -1,0 +1,2 @@
+cve-2010-4410.patch
+debian-changes-1.112-1
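Review bot: `series` lists `debian-changes-1.112-1`, but this commit only adds `cve-2010-4410.patch` and `series` under `debian/patches/` (see the Added list above), so unless that file already exists in the tree, `dpkg-source` / `quilt push -a` will fail on the missing patch; either commit that patch too or drop the line.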

Added: trunk/libcgi-simple-perl/debian/source/format
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/source/format?rev=66136&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/source/format (added)
+++ trunk/libcgi-simple-perl/debian/source/format Wed Dec 22 20:47:10 2010
@@ -1,0 +1,1 @@
+3.0 (quilt)
