
Bug 876974

Summary: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers [fedora-all]
Product: Fedora
Component: perl-CGI
Version: 17
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Keywords: Reopened
Type: Bug
Doc Type: Bug Fix
Reporter: Petr Pisar <ppisar>
Assignee: Petr Pisar <ppisar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jlieskov, mmaslano, perl-devel
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=876951
Fixed In Version: (not set)
Last Closed: 2012-12-17 21:24:31 EST
Regression: ---
Bug Depends On: (none)
Bug Blocks: 877015

Attachments:
Upstream fix (flags: none)

Description Petr Pisar 2012-11-15 07:40:35 EST
$ cat test
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw/header/;

print header(
   -cookie => [ "foo\nbar\nbaz", ],
   -p3p    => [ "foo\nbar\nbaz", ],
);

$ ./test
P3P: policyref="/w3c/p3p.xml", CP="foo
bar
baz"
Set-Cookie: foo
bar
baz
Date: Thu, 15 Nov 2012 12:23:39 GMT
Content-Type: text/html; charset=ISO-8859-1

Fixed in upstream CGI-3.63.

F<19 are affected.
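The report shows the failure mode: values passed through the array-valued -cookie and -p3p options reach the client unchecked, so a bare newline in a cookie value becomes a new header line. The script below is an added illustration written for this page; it is not CGI.pm's code and not the upstream fix. It builds a response header block the way a minimal header() would, and applies the RFC 822 rule (unfold "CRLF LWSP" continuations, reject any other CR or LF) to every element of those arrays, not only to scalar values. The function names, the policyref path copied from the report's output, and the constructed inputs are assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration, not CGI.pm's code: a minimal header() look-alike that
# checks every header value for CR/LF, including each element of the
# array-valued -cookie and -p3p options shown slipping through above.
use strict;
use warnings;

my $CRLF = "\015\012";

# Return the value with folded lines unfolded, or die if a bare CR/LF remains.
# A CRLF followed by whitespace is a folded continuation (RFC 822); any other
# CR or LF would start a new header line and is refused outright.
sub sanitize_header_value {
    my ($name, $value) = @_;
    $value =~ s/$CRLF(\s)/$1/g;          # unfold "CRLF LWSP" continuations
    if ($value =~ /\015|\012/) {
        die "Invalid $name header value contains a newline not followed by whitespace\n";
    }
    return $value;
}

# Accept either a single value or an array ref, as header() does.
sub _as_list {
    my ($v) = @_;
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Build the response header block. Every cookie and P3P element is checked
# individually; the unchecked path in the report was exactly these arrays.
sub build_header {
    my %opt = @_;
    my @lines;
    if (my @p3p = _as_list($opt{-p3p})) {
        my $cp = join ' ', map { sanitize_header_value('P3P', $_) } @p3p;
        push @lines, qq{P3P: policyref="/w3c/p3p.xml", CP="$cp"};   # path taken from the report's output
    }
    for my $cookie (_as_list($opt{-cookie})) {
        push @lines, 'Set-Cookie: ' . sanitize_header_value('Set-Cookie', $cookie);
    }
    my $type = defined $opt{-type} ? $opt{-type} : 'text/html; charset=ISO-8859-1';
    push @lines, 'Content-Type: ' . sanitize_header_value('Content-Type', $type);
    return join($CRLF, @lines) . $CRLF . $CRLF;
}

# Constructed inputs: a benign cookie and P3P list, then the injected values
# from the report. The first call emits headers; the second dies before any
# byte of the tainted cookie is written.
print build_header(-cookie => ['session=abc123; HttpOnly'], -p3p => ['CAO', 'DSP']);

my $ok = eval {
    build_header(-cookie => ["foo\nbar\nbaz"], -p3p => ["foo\nbar\nbaz"]);
    1;
};
print "rejected: $@" unless $ok;
```

The design choice worth copying is to die rather than silently strip the offending characters: stripping turns "foo\nbar" into "foobar" and hides the fact that untrusted data reached a header-building API, whereas a hard failure surfaces the caller that needs fixing. Whatever the library does, the check must run once per element of every list-valued option, since that is the path the report shows being skipped.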
Comment 1 Petr Pisar 2012-11-15 07:44:36 EST
Created attachment 645610 [details]
Upstream fix
Comment 2 Fedora Update System 2012-11-15 08:51:58 EST
perl-CGI-3.51-9.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-9.fc18
Comment 3 Fedora Update System 2012-11-15 08:56:10 EST
perl-CGI-3.51-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-6.fc17
Comment 4 Fedora Update System 2012-11-15 08:58:18 EST
perl-CGI-3.51-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-5.fc16
Comment 5 Fedora Update System 2012-11-15 15:03:04 EST
Package perl-CGI-3.51-9.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-CGI-3.51-9.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18287/perl-CGI-3.51-9.fc18
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-11-16 03:46:30 EST
perl-CGI-3.51-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.51-10.fc18
Comment 7 Fedora Update System 2012-11-23 02:54:08 EST
perl-CGI-3.51-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Petr Pisar 2012-11-23 04:40:43 EST
Bug in bodhi. It closed this report even though the F17 and F16 builds have not yet reached the stable repository.
Comment 9 Petr Pisar 2012-11-26 07:29:11 EST
We distributed a newer CGI module (perl-CGI-3.52) with perl. I need to upgrade the standalone perl-CGI to version 3.52 and apply the fix on top to make the highest version available to users.
Comment 10 Fedora Update System 2012-11-26 09:17:12 EST
perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18
Comment 11 Fedora Update System 2012-11-26 10:03:59 EST
perl-CGI-3.52-218.fc17,perl-5.14.3-218.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-CGI-3.52-218.fc17,perl-5.14.3-218.fc17
Comment 12 Fedora Update System 2012-11-27 04:52:45 EST
Package perl-CGI-3.59-235.fc18, perl-5.16.2-235.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-CGI-3.59-235.fc18 perl-5.16.2-235.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19125/perl-CGI-3.59-235.fc18,perl-5.16.2-235.fc18
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-11-28 06:36:09 EST
perl-CGI-3.51-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Petr Pisar 2012-11-28 06:44:46 EST
Bug in bodhi. It closed this report even though the F17 and F16 builds have not yet reached the stable repository.
Comment 15 Fedora Update System 2012-12-11 19:28:07 EST
perl-CGI-3.59-235.fc18, perl-5.16.2-235.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Petr Pisar 2012-12-12 07:24:20 EST
Bug in bodhi. F16 and F17 are still in the testing phase.
Comment 17 Fedora Update System 2012-12-13 00:54:47 EST
perl-CGI-3.52-218.fc17, perl-5.14.3-218.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Petr Pisar 2012-12-13 04:11:49 EST
Bug in bodhi. F16 is still in the testing phase.
Comment 19 Fedora Update System 2012-12-17 21:24:35 EST
perl-CGI-3.52-203.fc16, perl-5.14.3-203.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.