commit 1a1c98fe8aa117de0a6a64678135ae1b1eee96c7
Author: Tom "spot" Callaway <tcallawa@xxxxxxxxxx>
Date: Fri Jan 21 11:35:30 2011 -0500
1.113 + CVE-2010-4411 patch
.gitignore | 1 +
perl-CGI-Simple-CVE-2010-4411.patch | 12 ++++++++++++
perl-CGI-Simple.spec | 13 ++++++++-----
sources | 2 +-
4 files changed, 22 insertions(+), 6 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index c330099..758aa66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 CGI-Simple-1.112.tar.gz
+/CGI-Simple-1.113.tar.gz
diff --git a/perl-CGI-Simple-CVE-2010-4411.patch b/perl-CGI-Simple-CVE-2010-4411.patch
new file mode 100644
index 0000000..953c1ce
--- /dev/null
+++ b/perl-CGI-Simple-CVE-2010-4411.patch
@@ -0,0 +1,12 @@
+diff -up CGI-Simple-1.113/lib/CGI/Simple.pm.BAD CGI-Simple-1.113/lib/CGI/Simple.pm
+--- CGI-Simple-1.113/lib/CGI/Simple.pm.BAD 2011-01-21 11:29:26.906996002 -0500
++++ CGI-Simple-1.113/lib/CGI/Simple.pm 2011-01-21 11:29:39.805996001 -0500
+@@ -1007,7 +1007,7 @@ sub header {
+ $header =~ s/$CRLF(\s)/$1/g;
+ 
+ # All other uses of newlines are invalid input.
+- if ( $header =~ m/$CRLF/ ) {
++ if ($header =~ m/$CRLF|\015|\012/) {
+ # shorten very long values in the diagnostic
+ $header = substr( $header, 0, 72 ) . '...'
+ if ( length $header > 72 );
diff --git a/perl-CGI-Simple.spec b/perl-CGI-Simple.spec
index cc9748a..1ff24a8 100644
--- a/perl-CGI-Simple.spec
+++ b/perl-CGI-Simple.spec
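Review bot: The new check `m/$CRLF|\015|\012/` rejects a bare CR or LF, but the unfolding line just above it, `$header =~ s/$CRLF(\s)/$1/g;`, still joins only continuation lines that use the `$CRLF` pair, so a value folded with a lone LF is no longer unfolded but dies; that asymmetry looks intended for a header-injection fix, and a comment saying so would stop the next maintainer from "repairing" it: `# Bare CR or LF is rejected too (CVE-2010-4411); only CRLF + whitespace is a valid fold.` Assuming `$CRLF` is built from those two bytes, a character class reads more clearly than the three-way alternation and keeps the file's `if ( ... )` spacing: `if ( $header =~ m/[\015\012]/ ) {`. The diagnostic prepared below is truncated to 72 characters but not otherwise sanitized, so if the die message that presumably follows echoes the value, the control characters end up raw in the error log; consider escaping non-printables before including it. `sub header` continues outside the hunk.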
@@ -1,13 +1,13 @@
 Name: perl-CGI-Simple
-Version: 1.112
-Release: 2%{?dist}
+Version: 1.113
+Release: 1%{?dist}
 Summary: Simple totally OO CGI interface that is CGI.pm compliant
 Group: Development/Libraries
 License: GPL+ or Artistic
 URL: http://search.cpan.org/dist/CGI-Simple/
 Source0: http://search.cpan.org/CPAN/authors/id/A/AN/ANDYA/CGI-Simple-%{version}.tar.gz
-# https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
-Patch0: perl-CGI-Simple-boundary-fix.patch
+# https://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
+Patch0: perl-CGI-Simple-CVE-2010-4411.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
@@ -19,7 +19,7 @@ Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 %prep
 %setup -q -n CGI-Simple-%{version}
-%patch0 -p1 -b .boundary-fix
+%patch0 -p1 -b .CVE-2010-4411
 chmod -x Changes README
 perldoc -t perlartistic > Artistic
 perldoc -t perlgpl > COPYING
@@ -50,6 +50,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Jan 21 2011 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 1.113-1
+- Update to 1.113, apply additional patch to fully resolve CVE-2010-4411
+
 * Wed Dec 1 2010 Tom "spot" Callaway <tcallawa@xxxxxxxxxx> - 1.112-2
 - patch for randomizing boundary (bz 658973)
diff --git a/sources b/sources
index cbff1fd..4b0be10 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6a59dd252317b94fffe0aa3fdae206c7 CGI-Simple-1.112.tar.gz
+50c50dbec87b822e3f2285e41cb23519 CGI-Simple-1.113.tar.gz
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
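Review bot: The Patch0 swap in the first hunk drops `perl-CGI-Simple-boundary-fix.patch` (bz 658973, added in 1.112-2 per the changelog) without the new changelog entry saying where that fix went; if 1.113 carries it upstream the entry should say so, e.g. `- drop boundary-fix patch, included upstream in 1.113`, otherwise the boundary randomization regresses with this update. The entry could also name what the new patch adds over plain 1.113 (rejecting bare CR or LF in header values) so the "additional patch" wording is self-explanatory. The rest of the section is a version bump.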