Bug 8236 - perl-CGI new security issue CVE-2012-5526
: perl-CGI new security issue CVE-2012-5526
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/527349/
: MGA1TOO has_procedure mga1-32-OK mga1...
: validated_update
: 2317
:
  Show dependency treegraph
 
Reported: 2012-11-28 20:13 CET by David Walser
Modified: 2012-11-29 22:46 CET (History)
4 users (show)

See Also:
Source RPM: perl-CGI-3.600.0-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2012-11-28 20:13:20 CET
Fedora has issued an advisory on November 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html

Fixed upstream in 3.63, Mageia 1, Mageia 2, and Cauldron should all be affected.
Comment 1 Jerome Quelin 2012-11-29 12:26:57 CET
perl-CGI 3.63 available in core/updates_testing for both mageia 1 & mageia 2.
cauldron is already up to date.

qa : please validate & push to updates
Comment 2 claire robinson 2012-11-29 12:34:44 CET
Just need an advisory please.
Comment 3 Jerome Quelin 2012-11-29 12:45:05 CET
Taken from fedora's advisory:

Fix CVE-2012-5526: escape new-lines in Set-Cookie and P3P HTTP response headers properly.
Comment 4 David Walser 2012-11-29 13:45:27 CET
Thanks Jerome!

Advisory:
========================

Updated perl-CGI package fixes security vulnerability:

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
arbitrary headers into responses from applications that use CGI.pm
(CVE-2012-5526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html
========================

Updated packages in core/updates_testing:
========================
perl-CGI-3.630.0-1.mga1
perl-CGI-3.630.0-1.mga2

from SRPMS:
perl-CGI-3.630.0-1.mga1.src.rpm
perl-CGI-3.630.0-1.mga2.src.rpm
Comment 5 claire robinson 2012-11-29 14:02:13 CET
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=876974
Comment 6 claire robinson 2012-11-29 14:07:37 CET
Testing complete mga2 64

Confirmed the PoC.

Before
------
$ perl test8036
P3P: policyref="/w3c/p3p.xml", CP="foo
bar
baz"
Set-Cookie: foo
bar
baz
Date: Thu, 29 Nov 2012 13:04:20 GMT
Content-Type: text/html; charset=ISO-8859-1

After
-----
$ perl test8036
Invalid header value contains a newline not followed by whitespace: foo
bar
baz at (eval 3) line 34.
Comment 7 claire robinson 2012-11-29 14:29:03 CET
Mga1 is affected by bug 2317

----------------------------------------
Mageia release 1 (Official) for i586
Latest version found in "Core Release" is perl-CGI-3.520.0-1.mga1
Latest version found in "Core Updates Testing" is perl-CGI-3.630.0-1.mga1
----------------------------------------
The following packages will require linking:

perl-Test-Harness-3.230.0-1.mga1 (Core Release)
perl-Test-Simple-0.980.0-1.mga1 (Core Release)
----------------------------------------
Comment 8 claire robinson 2012-11-29 14:30:20 CET
Testing complete mga1 32
Comment 9 claire robinson 2012-11-29 14:41:28 CET
Testing complete mga1 64
Comment 10 Dave Hodgins 2012-11-29 21:58:17 CET
Testing complete Mageia 2 i586.

Could someone from the sysadmin team push the srpm
perl-CGI-3.630.0-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
perl-CGI-3.630.0-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates and link the rpm packages
perl-Test-Harness-3.230.0-1.mga1 (Core Release)
perl-Test-Simple-0.980.0-1.mga1 (Core Release)
from Mageia 1 Core Release to Core Updates.

Advisory: Updated perl-CGI package fixes security vulnerability:

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
arbitrary headers into responses from applications that use CGI.pm
(CVE-2012-5526).

https://bugs.mageia.org/show_bug.cgi?id=8236
Comment 11 Thomas Backlund 2012-11-29 22:46:52 CET
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0346

Note You need to log in before you can comment on or make changes to this bug.