Bug 876974

Summary: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers [fedora-all]
Product: [Fedora] Fedora
Reporter: Petr Pisar <ppisar>
Component: perl-CGI
Assignee: Petr Pisar <ppisar>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 17
CC: jlieskov, mmaslano, perl-devel
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-18 02:24:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 877015
Attachments:
Upstream fix (flags: none)

Description Petr Pisar 2012-11-15 12:40:35 UTC
$ cat test
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw/header/;

print header(
   -cookie => [ "foo\nbar\nbaz", ],
   -p3p    => [ "foo\nbar\nbaz", ],
);

$ ./test
P3P: policyref="/w3c/p3p.xml", CP="foo
bar
baz"
Set-Cookie: foo
bar
baz
Date: Thu, 15 Nov 2012 12:23:39 GMT
Content-Type: text/html; charset=ISO-8859-1

Fixed in upstream CGI-3.63.

F<19 are affected.
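A defensive wrapper, added here as an example and not part of the bug report or of CGI.pm: before calling header() it applies to every value, including the array-valued -cookie and -p3p arguments the report shows being emitted unescaped, the CR/LF rule CGI.pm uses for its scalar header values (RFC 822 unfolding of CRLF followed by whitespace, then rejection of any remaining CR or LF). The names clean_header_value and safe_header are ours, and cookie values are assumed to be plain strings rather than CGI::Cookie objects.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from CGI.pm: reject
# header values that would start a new header line, for all arguments
# passed to CGI::header (including the -cookie and -p3p lists).
use strict;
use warnings;
use Carp qw(croak);
use CGI qw(header);

my $CRLF = "\015\012";

# Return a cleaned copy of one header value, or die if it carries a
# bare CR or LF that is not part of an RFC 822 fold.
sub clean_header_value {
    my ($name, $value) = @_;
    return $value unless defined $value;
    # RFC 822 unfolding: CRLF immediately followed by whitespace is
    # equivalent to that whitespace character alone.
    (my $v = $value) =~ s/$CRLF(\s)/$1/g;
    # Anything left over would terminate the header: refuse the value.
    croak "Invalid header value for $name: contains CR or LF"
        if $v =~ /\015|\012/;
    return $v;
}

# Clean every scalar or array-valued argument, then delegate to header().
sub safe_header {
    my %args = @_;
    for my $k (keys %args) {
        if (ref $args{$k} eq 'ARRAY') {
            $args{$k} = [ map { clean_header_value($k, $_) } @{ $args{$k} } ];
        } else {
            $args{$k} = clean_header_value($k, $args{$k});
        }
    }
    return header(%args);
}

# Constructed inputs: a legitimately folded cookie value is accepted and
# unfolded; the newline-separated value from the report is rejected.
print safe_header(-cookie => ["session=abc${CRLF} def"]);
eval { safe_header(-p3p => ["foo\nbar\nbaz"]) };
print STDERR "rejected: $@" if $@;
```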

Comment 1 Petr Pisar 2012-11-15 12:44:36 UTC
Created attachment 645610 [details]
Upstream fix

Comment 2 Fedora Update System 2012-11-15 13:51:58 UTC
perl-CGI-3.51-9.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-9.fc18

Comment 3 Fedora Update System 2012-11-15 13:56:10 UTC
perl-CGI-3.51-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-6.fc17

Comment 4 Fedora Update System 2012-11-15 13:58:18 UTC
perl-CGI-3.51-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-5.fc16

Comment 5 Fedora Update System 2012-11-15 20:03:04 UTC
Package perl-CGI-3.51-9.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-CGI-3.51-9.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18287/perl-CGI-3.51-9.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-11-16 08:46:30 UTC
perl-CGI-3.51-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-10.fc18

Comment 7 Fedora Update System 2012-11-23 07:54:08 UTC
perl-CGI-3.51-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Petr Pisar 2012-11-23 09:40:43 UTC
Bug in bodhi. It closed this report despite the F17 and F16 builds not having reached the stable repository yet.

Comment 9 Petr Pisar 2012-11-26 12:29:11 UTC
We distributed a newer CGI module (perl-CGI-3.52) with perl. I need to upgrade the standalone perl-CGI to version 3.52 and apply the fix on top, to make the highest version available to users.

Comment 10 Fedora Update System 2012-11-26 14:17:12 UTC
perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18

Comment 11 Fedora Update System 2012-11-26 15:03:59 UTC
perl-CGI-3.52-218.fc17,perl-5.14.3-218.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-CGI-3.52-218.fc17,perl-5.14.3-218.fc17

Comment 12 Fedora Update System 2012-11-27 09:52:45 UTC
Package perl-CGI-3.59-235.fc18, perl-5.16.2-235.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-CGI-3.59-235.fc18 perl-5.16.2-235.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19125/perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2012-11-28 11:36:09 UTC
perl-CGI-3.51-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Petr Pisar 2012-11-28 11:44:46 UTC
Bug in bodhi. It closed this report despite the F17 and F16 builds not having reached the stable repository yet.

Comment 15 Fedora Update System 2012-12-12 00:28:07 UTC
perl-CGI-3.59-235.fc18, perl-5.16.2-235.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Petr Pisar 2012-12-12 12:24:20 UTC
Bug in bodhi. F16 and F17 are still in the testing phase.

Comment 17 Fedora Update System 2012-12-13 05:54:47 UTC
perl-CGI-3.52-218.fc17, perl-5.14.3-218.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Petr Pisar 2012-12-13 09:11:49 UTC
Bug in bodhi. F16 is still in the testing phase.

Comment 19 Fedora Update System 2012-12-18 02:24:35 UTC
perl-CGI-3.52-203.fc16, perl-5.14.3-203.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.