Bug 10523 - perl-Dancer new security issue CVE-2012-5572
: perl-Dancer new security issue CVE-2012-5572
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/554228/
: MGA2TOO has_procedure MGA2-64-OK mga2...
: validated_update
  Show dependency treegraph
Reported: 2013-06-13 19:55 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)
3 users (show)

See Also:
Source RPM: perl-Dancer-1.311.0-2.mga3.src.rpm
Status comment:


Description David Walser 2013-06-13 19:55:48 CEST
Fedora has issued an advisory on June 4:

Mageia 2 and Mageia 3 are also affected.


Steps to Reproduce:
Comment 1 Shlomi Fish 2013-06-18 16:07:27 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on June 4:
> https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.
> html
> Mageia 2 and Mageia 3 are also affected.
> Reproducible: 
> Steps to Reproduce:

Hi David!

This appears to already be fixed in the perl-Dancer that we have in Cauldron. Can we just upgrade the Dancer packages in Mageia 2 and Mageia 3 to their latest ones?


-- Shlomi Fish
Comment 2 David Walser 2013-06-18 16:26:29 CEST
Upgrading the module is how we've handled some security issues with perl modules in the past, so yes that sounds fine.  Thanks.
Comment 3 Shlomi Fish 2013-06-18 16:37:09 CEST
OK. I submitted perl-Dancer-1.311.500 {mga2,mga3} to http://pkgsubmit.mageia.org/ . One of them still has to build. I tested perl-Dancer for MGA2 and it seems fine.


-- Shlomi Fish
Comment 4 David Walser 2013-06-18 17:42:47 CEST
Thanks Shlomi!


Updated perl-Dancer package fixes security vulnerability:

A security flaw was found in the way Dancer.pm, lightweight yet powerful web
application framework / Perl language module, performed sanitization of values
to be used for cookie() and cookies() methods. A remote attacker could use this
flaw to inject arbitrary headers into responses from (Perl) applications, that
use Dancer.pm (CVE-2012-5572).


Updated packages in core/updates_testing:

from SRPMS:
Comment 5 Samuel Verschelde 2013-06-25 13:11:44 CEST
Testing MGA2 x86_64 using an upstream unit test:


I confirm there's a flaw in current Mageia 2 package:

$ perl test.pl
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
not ok 2 - Headers do not contain CRLF (CVE-2012-5572)
#   Failed test 'Headers do not contain CRLF (CVE-2012-5572)'
#   at test.pl line 34.
# Looks like you failed 1 test of 2.

After installing the update candidate:

# urpmi perl-Dancer --search-media testing

$ perl test.pl
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
ok 2 - Headers do not contain CRLF (CVE-2012-5572)

=> testing complete

Note : it adds a new depency to perl-Module-Runtime apparently
Comment 6 claire robinson 2013-06-25 14:16:19 CEST
Testing complete mga2 32

Thanks for the procedure Samuel
Comment 7 claire robinson 2013-06-25 14:24:31 CEST
Testing complete mga3 32 & 64

No added requires on Mageia 3. Mageia 2 does as Samuel mentioned.

I'll upload the advisory then validate
Comment 8 claire robinson 2013-06-25 14:34:34 CEST
Advisory uploaded


Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Comment 9 Nicolas Vigier 2013-06-26 20:28:02 CEST

Note You need to log in before you can comment on or make changes to this bug.