Bug 10523 - perl-Dancer new security issue CVE-2012-5572
: perl-Dancer new security issue CVE-2012-5572
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/554228/
: MGA2TOO has_procedure MGA2-64-OK mga2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-13 19:55 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)
3 users (show)

See Also:
Source RPM: perl-Dancer-1.311.0-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-13 19:55:48 CEST
Fedora has issued an advisory on June 4:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Shlomi Fish 2013-06-18 16:07:27 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on June 4:
> https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.
> html
> 
> Mageia 2 and Mageia 3 are also affected.
> 
> Reproducible: 
> 
> Steps to Reproduce:

Hi David!

This appears to already be fixed in the perl-Dancer that we have in Cauldron. Can we just upgrade the Dancer packages in Mageia 2 and Mageia 3 to their latest ones?

Regards,

-- Shlomi Fish
Comment 2 David Walser 2013-06-18 16:26:29 CEST
Upgrading the module is how we've handled some security issues with perl modules in the past, so yes that sounds fine.  Thanks.
Comment 3 Shlomi Fish 2013-06-18 16:37:09 CEST
OK. I submitted perl-Dancer-1.311.500 {mga2,mga3} to http://pkgsubmit.mageia.org/ . One of them still has to build. I tested perl-Dancer for MGA2 and it seems fine.

Regards,

-- Shlomi Fish
Comment 4 David Walser 2013-06-18 17:42:47 CEST
Thanks Shlomi!

Advisory:
========================

Updated perl-Dancer package fixes security vulnerability:

A security flaw was found in the way Dancer.pm, lightweight yet powerful web
application framework / Perl language module, performed sanitization of values
to be used for cookie() and cookies() methods. A remote attacker could use this
flaw to inject arbitrary headers into responses from (Perl) applications, that
use Dancer.pm (CVE-2012-5572).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5572
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html
========================

Updated packages in core/updates_testing:
========================
perl-Dancer-1.311.500-1.mga2
perl-Dancer-1.311.500-1.mga3

from SRPMS:
perl-Dancer-1.311.500-1.mga2.src.rpm
perl-Dancer-1.311.500-1.mga3.src.rpm
Comment 5 Samuel Verschelde 2013-06-25 13:11:44 CEST
Testing MGA2 x86_64 using an upstream unit test:

https://github.com/PerlDancer/Dancer/blob/devel/t/12_response/11_CVE-2012-5572.t

I confirm there's a flaw in current Mageia 2 package:

$ perl test.pl
1..2
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
not ok 2 - Headers do not contain CRLF (CVE-2012-5572)
#   Failed test 'Headers do not contain CRLF (CVE-2012-5572)'
#   at test.pl line 34.
# Looks like you failed 1 test of 2.

After installing the update candidate:

# urpmi perl-Dancer --search-media testing

$ perl test.pl
1..2
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
ok 2 - Headers do not contain CRLF (CVE-2012-5572)

=> testing complete

Note : it adds a new depency to perl-Module-Runtime apparently
Comment 6 claire robinson 2013-06-25 14:16:19 CEST
Testing complete mga2 32

Thanks for the procedure Samuel
Comment 7 claire robinson 2013-06-25 14:24:31 CEST
Testing complete mga3 32 & 64

No added requires on Mageia 3. Mageia 2 does as Samuel mentioned.

I'll upload the advisory then validate
Comment 8 claire robinson 2013-06-25 14:34:34 CEST
Advisory uploaded

Validating

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 9 Nicolas Vigier 2013-06-26 20:28:02 CEST
http://advisories.mageia.org/MGASA-2013-0183.html

Note You need to log in before you can comment on or make changes to this bug.