commit e5a0c9af8304bedcfdf695fbcbb0bf7191618e99 Author: Petr Písař <ppisar@xxxxxxxxxx> Date: Mon Nov 26 14:24:51 2012 +0100 Fix CVE-2012-5526 for CGI-3.59 ...n_cookies.patch => CGI-3.59-CVE-2012-5526.patch | 14 +++++++------- perl-CGI.spec | 4 +++- 2 files changed, 10 insertions(+), 8 deletions(-)
---
diff --git a/CGI-3.51-escape_new_lines_in_cookies.patch b/CGI-3.59-CVE-2012-5526.patch
similarity index 90%
rename from CGI-3.51-escape_new_lines_in_cookies.patch
rename to CGI-3.59-CVE-2012-5526.patch
index 31f7e52..c8ef36c 100644
--- a/CGI-3.51-escape_new_lines_in_cookies.patch
+++ b/CGI-3.59-CVE-2012-5526.patch
@@ -1,22 +1,22 @@
-From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001
+From 283d915d164f9ad213aeefe888a8a79270d69cc3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
-Date: Thu, 15 Nov 2012 14:32:18 +0100
-Subject: [PATCH] Escape new-lines in Cookie and P3P headers
+Date: Mon, 26 Nov 2012 14:14:00 +0100
+Subject: [PATCH] Escape new-lines in Cookie and P3P headers (CVE-2012-5526)
 This is relevant difference between CGI 3.62 and 3.63. See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
-Back-ported for 3.51
+Port for CGI-3.59.
 ---
 lib/CGI.pm | 24 ++++++++++++------------
 t/headers.t | 6 ++++++
 2 files changed, 18 insertions(+), 12 deletions(-)
 diff --git a/lib/CGI.pm b/lib/CGI.pm
-index d320d7f..7436a51 100644
+index 6084f0f..cb7c0ab 100644
 --- a/lib/CGI.pm
 +++ b/lib/CGI.pm
-@@ -1550,8 +1550,17 @@ sub header {
+@@ -1501,8 +1501,17 @@ sub header {
 'EXPIRES','NPH','CHARSET', 'ATTACHMENT','P3P'],@p);
@@ -35,7 +35,7 @@ index d320d7f..7436a51 100644
 if (defined $header) { # From RFC 822: # Unfolding is accomplished by regarding CRLF immediately
-@@ -1595,18 +1604,9 @@ sub header {
+@@ -1546,18 +1555,9 @@ sub header {
 push(@header,"Status: $status") if $status; push(@header,"Window-Target: $target") if $target;
diff --git a/perl-CGI.spec b/perl-CGI.spec
index f9dadf1..4e50997 100644
--- a/perl-CGI.spec
+++ b/perl-CGI.spec
@@ -6,7 +6,7 @@ License: GPL+ or Artistic
 Group: Development/Libraries
 Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI.pm-%{version}.tar.gz
 # CVE-2012-5526, RHBZ #876974
-Patch0: CGI-3.51-escape_new_lines_in_cookies.patch
+Patch0: CGI-3.59-CVE-2012-5526.patch
 URL: http://search.cpan.org/dist/CGI
 BuildArch: noarch
 BuildRequires: perl(ExtUtils::MakeMaker)
@@ -75,6 +75,8 @@ make test
 %changelog
 * Mon Nov 26 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 3.59-1
 - 3.59 bump
+- Fix CVE-2012-5526 (Escape new-lines in Set-Cookie and P3P response headers
+ properly) (bug #876974)
 * Fri Nov 16 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 3.51-10
 - Improper new-line escaping in Set-Cookie and P3P headers is known as
-- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel