Bug 877015 (CVE-2012-5526)

Summary: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mmaslano, perl-devel
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-03-26 20:01:37 UTC
Bug Depends On: 876974, 915690, 915691, 915692, 915693
Bug Blocks: 877037
Attachments: Upstream fix; Fix ported to perl-5.10.1; Fix ported to perl-5.8.8

Description Jan Lieskovsky 2012-11-15 14:37:53 UTC
A security flaw was found in the way CGI.pm, a Perl module to handle Common Gateway Interface requests and responses, performed sanitization of values to be used for Set-Cookie and P3P headers. If a Perl CGI.pm module-based CGI application reused cookie values and accepted untrusted input from web browser(s), a remote attacker could use this flaw to alter member items of the cookie or add new items in an unauthorized way.

References:
[1] http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
[2] https://github.com/markstos/CGI.pm/pull/23
[3] https://bugzilla.redhat.com/show_bug.cgi?id=876974
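
An added illustration, not part of the bug report and not the upstream CGI.pm patch: it shows why an unescaped CR/LF in a Set-Cookie or P3P value matters and one way to validate such values before they are emitted. The function names `naive_header` and `checked_header` and all sample values are constructed for this example; it assumes legacy header folding (CRLF followed by space or tab) is tolerated and unfolded, while a stricter policy would reject that too.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $CRLF = "\r\n";

# Unsafe pattern: the value is interpolated into the header line as-is, so a
# CR or LF inside it ends the header line early and starts a new one.
sub naive_header {
    my ($name, $value) = @_;
    return "$name: $value$CRLF";
}

# Hardened pattern: unfold legal continuations (CRLF + space/tab), then
# refuse any remaining CR or LF instead of emitting it.
sub checked_header {
    my ($name, $value) = @_;
    die "invalid header name\n" unless $name =~ /\A[A-Za-z0-9-]+\z/;
    (my $v = $value) =~ s/\r\n[ \t]+/ /g;
    die "header $name: value contains a bare CR or LF\n" if $v =~ /[\r\n]/;
    return "$name: $v$CRLF";
}

# Constructed sample inputs (not taken from the bug report).
my @samples = (
    [ 'Set-Cookie', 'theme=dark; path=/' ],
    [ 'P3P',        qq{policyref="/w3c/p3p.xml",$CRLF CP="NOI DSP"} ],
    [ 'Set-Cookie', "theme=dark${CRLF}Set-Cookie: injected=1" ],
);

for my $s (@samples) {
    my ($name, $value) = @$s;
    # Count line terminators that really end a header (not a folded line).
    my $lines = () = naive_header($name, $value) =~ /\r\n(?![ \t])/g;
    my $out = eval { checked_header($name, $value) };
    if (defined $out) {
        $out =~ s/\r\n\z//;
        print "ok      naive emits $lines header line(s); checked: $out\n";
    } else {
        chomp(my $err = $@);
        print "reject  naive emits $lines header line(s); $err\n";
    }
}
```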

Comment 1 Jan Lieskovsky 2012-11-15 14:41:33 UTC
This issue affects the versions of the perl-CGI package, as shipped with Fedora releases 16 and 17. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-11-15 14:49:09 UTC
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2012/11/15/4

Comment 3 Jan Lieskovsky 2012-11-15 15:07:46 UTC
This issue affects the versions of the perl package, as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 4 Vincent Danen 2012-11-15 21:47:02 UTC
This was assigned CVE-2012-5526:

http://www.openwall.com/lists/oss-security/2012/11/15/6

Comment 5 Petr Pisar 2012-11-16 08:56:43 UTC
Created attachment 646250
Upstream fix

Comment 9 Fedora Update System 2012-11-23 07:54:17 UTC
perl-CGI-3.51-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-11-28 11:36:19 UTC
perl-CGI-3.51-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-12-12 00:28:17 UTC
perl-CGI-3.59-235.fc18, perl-5.16.2-235.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-12-13 05:54:57 UTC
perl-CGI-3.52-218.fc17, perl-5.14.3-218.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2012-12-18 02:24:45 UTC
perl-CGI-3.52-203.fc16, perl-5.14.3-203.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Petr Pisar 2013-03-04 11:25:13 UTC
Created attachment 704881
Fix ported to perl-5.10.1

Comment 16 Petr Pisar 2013-03-04 15:44:54 UTC
Created attachment 705046
Fix ported to perl-5.8.8

Comment 17 errata-xmlrpc 2013-03-26 19:27:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0685 https://rhn.redhat.com/errata/RHSA-2013-0685.html