Fedora has issued an advisory on August 30, 2011: http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html A patch is available from Fedora.
CC: (none) => jquelin
Assignee: bugsquad => jquelin
perl-Data-FormValidator-4.660.0-1.1.mga1 now available in core/updates_testing for mageia 1.
Assignee: jquelin => qa-bugs
Thanks Jerome. Would you have an example of a basic script that uses Data::FormValidator?
CC: (none) => stormi
rt ticket on upstream data::formvalidator has this snippet. ================================ #!/usr/bin/perl use strict; use warnings; use Data::FormValidator; "some_unrelated_string" =~ m/^.*$/; my $profile = { untaint_all_constraints => 1, required => [qw(a)], constraint_methods => { a => qr/will_never_match/, }, }; my $results = Data::FormValidator->check( { a => 1 }, $profile ); warn $results->valid('a'); ================================ but since i don't have a mageia 1 box at hand, i don't know what it does before patching. note however that the patch comes with a test checking that behaviour is changed. i tried the test before applying the patch => failure, when applying the full patch, test is working.
Thanks Jerome! Advisory: ======================== Updated perl-Data-FormValidator package fixes security vulnerability: The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data, which might allow remote attackers to bypass the taint protection mechanism via form input (CVE-2011-2201). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2201 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html
Tested using test script from upstream RT ticket ( https://rt.cpan.org/Public/Bug/Display.html?id=61792#txn-1006168 ) ============================ use strict; use warnings; use Test::More tests => 3; use Data::FormValidator; "unrelated match" =~ /match/; my $result = Data::FormValidator->check( { a => 'invalid value' }, # input data { # validation profile untaint_all_constraints => 1, optional => ['a'], constraints => { a => qr/never matches/, }, }, ); ok( not $result->success ) or diag( 'Valid: ', $result->valid ); ok( $result->has_invalid ); is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } ); ============================= Output with version in release: [samuel@localhost QA]$ perl test2.pl 1..3 not ok 1 # Failed test at test2.pl line 19. # Valid: a not ok 2 # Failed test at test2.pl line 21. not ok 3 # Failed test at test2.pl line 22. # Structures begin differing at: # $got->{a} = Does not exist # $expected->{a} = ARRAY(0x88b0778) # Looks like you failed 3 tests of 3. Output with version in updates_testing: [samuel@localhost QA]$ perl test2.pl 1..3 ok 1 ok 2 ok 3 Testing complete i586.
Whiteboard: (none) => MGA1TOO has_procedure MGA1-32-OK
Whiteboard: MGA1TOO has_procedure MGA1-32-OK => has_procedure MGA1-32-OK
Testing complete on Mageia 1 x86-64. Could someone from the sysadmin team push the srpm perl-Data-FormValidator-4.660.0-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated perl-Data-FormValidator package fixes security vulnerability: The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data, which might allow remote attackers to bypass the taint protection mechanism via form input (CVE-2011-2201). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2201 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html https://bugs.mageia.org/show_bug.cgi?id=7060
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0225
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED