Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Niko Tyni ntyni at debian.org
Thu Jan 6 20:37:11 UTC 2011


On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:

> Assuming this is the case, I'm attaching preliminary patches for
> 
> 3.29 (perl-modules   / lenny)
> 3.38 (libcgi-pm-perl / lenny)
> 3.43 (perl-modules   / squeeze + sid)
> 3.49 (libcgi-pm-perl / squeeze)
> 3.50 (libcgi-pm-perl / sid)
> 
> They include relevant test suite additions from the github repository
> and a small test fix I sent to [rt.cpan.org #64261].

> Eyeballs and testing would be welcome. In particular, I'm not entirely
> sure about the //s modifier change in header() around CGI.pm:1500 in
> the pre-3.49 patches. The change was introduced upstream with 3.49 along
> with the header fixes but it's not covered by the test suite.

I believe this change has no effect: the earlier part of the code checks that
there are no newlines in the header string, so //s should make no difference.

I'll probably include it anyway.

However, my testing turned out another problem. This hunk from the pre-3.49
patches:

> +Note that if a header value contains a carriage return, a leading space will be
> +added to each new line that doesn't already have one as specified by RFC2616
> +section 4.2.  For example:
> +
> +    print header( -ingredients => "ham\neggs\nbacon" );
> +
> +will generate
> +
> +    Ingredients: ham
> +     eggs
> +     bacon
> +
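Review bot: the first sentence of this hunk says "carriage return" while the example value `"ham\neggs\nbacon"` contains only newlines (LF), so the doc should name the line break the folding code actually splits on (e.g. "contains a newline" or "a line break"). Also, since the mail body says this folding only holds for 3.49 and broke with 3.50 and 3.51, documenting it in the pre-3.49 backports without a test asserting the " eggs" / " bacon" continuation lines would let the doc and the code silently diverge; either drop the hunk from the perl-modules patch, as proposed, or pair it with such a test.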

is only true for 3.49; it broke with 3.50 and further with 3.51 due
to the same security changes we're working on. I've reported this as

http://rt.cpan.org/Public/Bug/Display.html?id=64554

and will probably just drop the above doc change from the perl-modules patch.

Furthermore, the perl-modules patches need an additional change to the
top-level MANIFEST so that the tests actually get run.

All this means I need another test session when I'm feeling less tired,
so no perl upload tonight.
-- 
Niko Tyni   ntyni at debian.org
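The RFC 2616 folding the quoted hunk documents and the stricter no-line-break check the mail refers to, side by side as an added Perl illustration (written here, not CGI.pm's own code; `fold_header_value`, `assert_no_line_breaks` and `format_header` are illustrative names, and the sample value is the one from the hunk):

```perl
#!/usr/bin/perl
# Added illustration, not code from CGI.pm: contrasts the 3.49-style
# header folding documented in the quoted hunk with a strict no-line-break
# check of the kind the mail says precedes the //s regex in header().
use strict;
use warnings;

# Fold a multi-line value per RFC 2616 section 4.2: every continuation
# line must start with linear whitespace, so prepend a space where the
# line does not already begin with SP or HT. Name is illustrative.
sub fold_header_value {
    my ($value) = @_;
    my ($first, @rest) = split /\r?\n/, $value, -1;
    $first = '' unless defined $first;   # split of "" yields no fields
    return join "\n", $first, map { /^[ \t]/ ? $_ : " $_" } @rest;
}

# Strict check: refuse any CR or LF in a value, so the value can never end
# the current header line and start another one. Once this has run, a
# later regex over the same value cannot meet a newline, which is why the
# //s modifier discussed in the mail makes no difference.
sub assert_no_line_breaks {
    my ($name, $value) = @_;
    die "header '$name' contains a line break\n" if $value =~ /[\r\n]/;
    return 1;
}

# Turn a CGI.pm-style "-ingredients" key into the "Ingredients" header name.
sub format_header {
    my ($name, $value) = @_;
    (my $key = $name) =~ s/^-//;
    return ucfirst($key) . ": $value";
}

my $value = "ham\neggs\nbacon";   # constructed, as in the quoted doc example

# 3.49 behaviour: folded continuation lines, as the hunk describes.
print format_header('-ingredients', fold_header_value($value)), "\n\n";

# Stricter behaviour: the same value is rejected outright.
eval {
    assert_no_line_breaks('-ingredients', $value);
    print format_header('-ingredients', $value), "\n";
};
print "rejected: $@" if $@;

# A single-line value passes the strict check unchanged.
assert_no_line_breaks('-ingredients', 'ham');
print format_header('-ingredients', 'ham'), "\n";
```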