Bug 8236

Summary: perl-CGI new security issue CVE-2012-5526
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, jquelin, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/527349/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK
Source RPM: perl-CGI-3.600.0-1.mga3.src.rpm CVE:
Status comment:
Bug Depends on: 2317    
Bug Blocks:    

Description David Walser 2012-11-28 20:13:20 CET 
Fedora has issued an advisory on November 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html

Fixed upstream in 3.63, Mageia 1, Mageia 2, and Cauldron should all be affected.
David Walser 2012-11-28 20:13:27 CET

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 Jerome Quelin 2012-11-29 12:26:57 CET 
perl-CGI 3.63 available in core/updates_testing for both mageia 1 & mageia 2.
cauldron is already up to date.

qa : please validate & push to updates

Assignee: jquelin => qa-bugs

claire robinson 2012-11-29 12:33:54 CET

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 claire robinson 2012-11-29 12:34:44 CET 
Just need an advisory please.
claire robinson 2012-11-29 12:34:58 CET

CC: (none) => jquelin

Comment 3 Jerome Quelin 2012-11-29 12:45:05 CET 
Taken from fedora's advisory:

Fix CVE-2012-5526: escape new-lines in Set-Cookie and P3P HTTP response headers properly.
Comment 4 David Walser 2012-11-29 13:45:27 CET 
Thanks Jerome!

Advisory:
========================

Updated perl-CGI package fixes security vulnerability:

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
arbitrary headers into responses from applications that use CGI.pm
(CVE-2012-5526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html
========================

Updated packages in core/updates_testing:
========================
perl-CGI-3.630.0-1.mga1
perl-CGI-3.630.0-1.mga2

from SRPMS:
perl-CGI-3.630.0-1.mga1.src.rpm
perl-CGI-3.630.0-1.mga2.src.rpm
Comment 5 claire robinson 2012-11-29 14:02:13 CET 
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=876974
Comment 6 claire robinson 2012-11-29 14:07:37 CET 
Testing complete mga2 64

Confirmed the PoC.

Before
------
$ perl test8036
P3P: policyref="/w3c/p3p.xml", CP="foo
bar
baz"
Set-Cookie: foo
bar
baz
Date: Thu, 29 Nov 2012 13:04:20 GMT
Content-Type: text/html; charset=ISO-8859-1

After
-----
$ perl test8036
Invalid header value contains a newline not followed by whitespace: foo
bar
baz at (eval 3) line 34.

Whiteboard: MGA1TOO => MGA1TOO has_procedure mga2-64-OK

Comment 7 claire robinson 2012-11-29 14:29:03 CET 
Mga1 is affected by bug 2317

----------------------------------------
Mageia release 1 (Official) for i586
Latest version found in "Core Release" is perl-CGI-3.520.0-1.mga1
Latest version found in "Core Updates Testing" is perl-CGI-3.630.0-1.mga1
----------------------------------------
The following packages will require linking:

perl-Test-Harness-3.230.0-1.mga1 (Core Release)
perl-Test-Simple-0.980.0-1.mga1 (Core Release)
----------------------------------------

Depends on: (none) => 2317

Comment 8 claire robinson 2012-11-29 14:30:20 CET 
Testing complete mga1 32

Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK

Comment 9 claire robinson 2012-11-29 14:41:28 CET 
Testing complete mga1 64

Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK

Comment 10 Dave Hodgins 2012-11-29 21:58:17 CET 
Testing complete Mageia 2 i586.

Could someone from the sysadmin team push the srpm
perl-CGI-3.630.0-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
perl-CGI-3.630.0-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates and link the rpm packages
perl-Test-Harness-3.230.0-1.mga1 (Core Release)
perl-Test-Simple-0.980.0-1.mga1 (Core Release)
from Mageia 1 Core Release to Core Updates.

Advisory: Updated perl-CGI package fixes security vulnerability:

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
arbitrary headers into responses from applications that use CGI.pm
(CVE-2012-5526).

https://bugs.mageia.org/show_bug.cgi?id=8236

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK

Comment 11 Thomas Backlund 2012-11-29 22:46:52 CET 
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0346

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED