r66725 - in /trunk/libcgi-simple-perl/debian: changelog patches/cve-2010-2761_multipart-boundary.patch patches/series
dmn at users.alioth.debian.org
dmn at users.alioth.debian.org
Fri Dec 31 15:55:56 UTC 2010
Author: dmn
Date: Fri Dec 31 15:55:49 2010
New Revision: 66725
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=66725
Log:
add a patch for CVE-2010-2761
Added:
trunk/libcgi-simple-perl/debian/patches/cve-2010-2761_multipart-boundary.patch
Modified:
trunk/libcgi-simple-perl/debian/changelog
trunk/libcgi-simple-perl/debian/patches/series
Modified: trunk/libcgi-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/changelog?rev=66725&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/changelog (original)
+++ trunk/libcgi-simple-perl/debian/changelog Fri Dec 31 15:55:49 2010
@@ -24,6 +24,7 @@
* add a patch for CVE-2010-4410
+ add libtest-exception-perl to dependencies
* use "3.0 (quilt)" source format
+ * add a pattch for CVE-2010-2761
-- Ryan Niebur <ryan at debian.org> Fri, 25 Sep 2009 00:24:07 -0700
Added: trunk/libcgi-simple-perl/debian/patches/cve-2010-2761_multipart-boundary.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/cve-2010-2761_multipart-boundary.patch?rev=66725&op=file
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/cve-2010-2761_multipart-boundary.patch (added)
+++ trunk/libcgi-simple-perl/debian/patches/cve-2010-2761_multipart-boundary.patch Fri Dec 31 15:55:49 2010
@@ -1,0 +1,22 @@
+# Description: Provide a random multipart boundary
+# This helps prevent header injection and HTTP response splitting
+# http://security-tracker.debian.org/tracker/CVE-2010-2761
+# Origin: https://github.com/markstos/CGI.pm/commit/89aa3ae9a17c8eb29c4ba19d0a786ab9c4d37a24
+# Bug-Debian: http://bugs.debian.org/606379
+--- a/lib/CGI/Simple.pm
++++ b/lib/CGI/Simple.pm
+@@ -1110,7 +1110,13 @@ sub multipart_init {
+ my ( $self, @p ) = @_;
+ use CGI::Simple::Util qw(rearrange);
+ my ( $boundary, @other ) = rearrange( ['BOUNDARY'], @p );
+- $boundary = $boundary || '------- =_aaaaaaaaaa0';
++ unless ($boundary) {
++ $boundary = '------- =_';
++ my @chrs = ( '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );
++ for ( 1 .. 17 ) {
++ $boundary .= $chrs[ rand( scalar @chrs ) ];
++ }
++ }
+ my $CRLF = $self->crlf; # get CRLF sequence
+ my $warning
+ = "WARNING: YOUR BROWSER DOESN'T SUPPORT THIS SERVER-PUSH TECHNOLOGY.";
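Review bot: The generated boundary at `$boundary .= $chrs[ rand( scalar @chrs ) ];` takes all 17 characters from Perl's built-in `rand()`, which is not a cryptographic generator, so the boundary is only as unpredictable as the interpreter's seed; in persistent or pre-forking setups where the seed is fixed before the fork, children may produce the same sequence. Since the patch exists so that content cannot anticipate the boundary, I would take the characters from the OS random source where one is available, or at least record the limit next to the loop, e.g. `# rand() is not a CSPRNG: boundary unpredictability is bounded by Perl's seed`. Separately, a caller-supplied `BOUNDARY` is still used unchanged and nothing visible here rejects CR or LF in it; `multipart_init` continues past the hunk, so that may be handled further down.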
Modified: trunk/libcgi-simple-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/series?rev=66725&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/series (original)
+++ trunk/libcgi-simple-perl/debian/patches/series Fri Dec 31 15:55:49 2010
@@ -1,1 +1,2 @@
cve-2010-4410.patch
+cve-2010-2761_multipart-boundary.patch