commit c91f4c020033d2c7a9e233ade12c5afa40f9d24b Author: Petr Písař <ppisar@xxxxxxxxxx> Date: Mon Jun 3 13:24:45 2013 +0200 Fix CVE-2012-5572 (cookie name CR-LF injection) Dancer-1.3113-CVE-2012-5572-1.patch | 59 +++++++++++++++++++++++++++++++++++ Dancer-1.3113-CVE-2012-5572-2.patch | 29 +++++++++++++++++ perl-Dancer.spec | 11 ++++++- 3 files changed, 98 insertions(+), 1 deletions(-) --- diff --git a/Dancer-1.3113-CVE-2012-5572-1.patch b/Dancer-1.3113-CVE-2012-5572-1.patch new file mode 100644 index 0000000..23c3628 --- /dev/null +++ b/Dancer-1.3113-CVE-2012-5572-1.patch 
@@ -0,0 +1,59 @@
+From d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2 Mon Sep 17 00:00:00 2001
+From: Colin Keith <colinmkeith@xxxxxxxxx>
+Date: Sat, 25 May 2013 00:46:53 -0400
+Subject: [PATCH 1/2] test and resolution for CVE-2012-5572, \r\n sequence
+ being allowed in a cookie name fixes PerlDancer/Dancer#859
+
+---
+ t/12_response/11_CVE-2012-5572.t | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+ create mode 100644 t/12_response/11_CVE-2012-5572.t
+
+diff --git a/t/12_response/11_CVE-2012-5572.t b/t/12_response/11_CVE-2012-5572.t
+new file mode 100644
+index 0000000..2b6eacb
+--- /dev/null
++++ b/t/12_response/11_CVE-2012-5572.t
+@@ -0,0 +1,39 @@
++package main;
++use strict;
++use warnings;
++use Test::More tests => 2, import => ['!pass'];
++
++{
++ use Dancer;
++ get '/CVE-2012-5572-cookie' => sub {
++ cookie "test\r\nX-Evil-Header: " => "evil";
++ };
++}
++
++
++use Dancer::Test;
++{
++ note "Testing CVE-2012-5572 (CRLF in response headers)";
++ my $req = [GET => '/CVE-2012-5572-cookie'];
++ route_exists $req;
++ my $response = Dancer::Test::_req_to_response($req);
++
++ my $CRLF = "\r\n";
++
++ my $tb = Test::Builder->new;
++ my %headers = @{$response->headers_to_array};
++ my $foundCRLF = 0;
++ while (my($name, $value) = each %headers) {
++ index($value, $CRLF) == -1
++ && index($name, $CRLF) == -1
++ && next;
++ $foundCRLF = 1;
++ last;
++ }
++
++ $tb->ok(!$foundCRLF, 'Headers do not contain CRLF (CVE-2012-5572)');
++}
++
++
++1;
++
+--
+1.8.1.4
+
diff --git a/Dancer-1.3113-CVE-2012-5572-2.patch b/Dancer-1.3113-CVE-2012-5572-2.patch
new file mode 100644
index 0000000..911f32b
--- /dev/null
+++ b/Dancer-1.3113-CVE-2012-5572-2.patch
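Review bot: The header scan in t/12_response/11_CVE-2012-5572.t fails only on the two-byte sequence, because both `index($value, $CRLF)` and `index($name, $CRLF)` search for "\r\n"; a header that still carried a lone CR or a lone LF would pass, and some HTTP parsers are lenient about bare LF as a line terminator. Matching either character is the stricter check: `$foundCRLF = 1, last if $name =~ /[\r\n]/ || $value =~ /[\r\n]/;`. Flattening `headers_to_array` into `%headers` also keeps one value per header name, so when a response carries several Set-Cookie headers only the last is inspected; walking the array in pairs avoids that. The call to the private `Dancer::Test::_req_to_response` deserves a comment such as `# private helper: needed to inspect raw response headers`.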
@@ -0,0 +1,29 @@
+From 46ef9124f3149f697455061499ac7cee40930349 Mon Sep 17 00:00:00 2001
+From: Colin Keith <colinmkeith@xxxxxxxxx>
+Date: Sat, 25 May 2013 22:56:31 -0400
+Subject: [PATCH 2/2] resolution for CVE-2012-5572, \r\n sequence being allowed
+ in a cookie name fixes PerlDancer/Dancer#859
+
+---
+ lib/Dancer/Cookie.pm | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm
+index efcb1a3..e736ab8 100644
+--- a/lib/Dancer/Cookie.pm
++++ b/lib/Dancer/Cookie.pm
+@@ -29,7 +29,10 @@ sub to_header {
+ my $value = join('&', map {uri_escape($_)} $self->value);
+ my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
+
+- my @headers = $self->name . '=' . $value;
++ my $name = $self->name;
++ $name =~ s/[=,; \t\r\n\013\014]//mg;
++
++ my @headers = $name . '=' . $value;
+ push @headers, "path=" . $self->path if $self->path;
+ push @headers, "expires=" . $self->expires if $self->expires;
+ push @headers, "domain=" . $self->domain if $self->domain;
+--
+1.8.1.4
+
diff --git a/perl-Dancer.spec b/perl-Dancer.spec
index 36c7be6..5fefe6d 100644
--- a/perl-Dancer.spec
+++ b/perl-Dancer.spec
@@ -1,6 +1,6 @@
 Name: perl-Dancer
 Version: 1.3093
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Lightweight yet powerful web application framework
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -8,6 +8,10 @@ URL: http://search.cpan.org/dist/Dancer/
 Source0: http://www.cpan.org/authors/id/X/XS/XSAWYERX/Dancer-%{version}.tar.gz
 # Bug #960184, GitHub #PerlDancer/Dancer/919
 Patch0: Dancer-1.3112-Return-non-zero-exit-code-on-bad-application-name.patch
+# Bug #880330, test for CVE-2012-5572, GiHub #PerlDancer/Dancer/859
+Patch1: Dancer-1.3113-CVE-2012-5572-1.patch
+# Bug #880330, fix for CVE-2012-5572, GiHub #PerlDancer/Dancer/859
+Patch2: Dancer-1.3113-CVE-2012-5572-2.patch
 BuildArch: noarch
 BuildRequires: perl(base)
 BuildRequires: perl(Carp)
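Review bot: In `to_header` (lib/Dancer/Cookie.pm, patch 2/2) only the cookie name is filtered; the `path`, `expires` and `domain` attributes on the context lines that follow are still concatenated into the header unchanged, so a CR or LF in any of them would reach the Set-Cookie line if an application ever builds them from request data (whether their setters validate is not visible in this hunk). The same treatment could be applied before each push, for example `(my $path = $self->path) =~ s/[;\r\n]//g;`. The `/m` flag on the new substitution has no effect because the pattern contains no `^` or `$`. Since the offending characters are removed silently, a comment such as `# emitted name may differ from $self->name: separators and control characters are stripped` would help the next reader, and croaking on an invalid name would be the stricter alternative. The body of `to_header` starts before and continues after the hunk.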
@@ -86,6 +90,8 @@ your code. %prep %setup -q -n Dancer-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build perl Makefile.PL INSTALLDIRS=vendor @@ -108,6 +114,9 @@ make test %{_mandir}/man3/* %changelog +* Mon Jun 03 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 1.3093-3 +- Fix CVE-2012-5572 (cookie name CR-LF injection) (bug #880330) + * Tue May 07 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 1.3093-2 - Return proper exit code on dancer tool failure (bug #960184) -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel