Bug 880329 (CVE-2012-5572)
| Summary: | CVE-2012-5572 perl-Dancer: Newline injection due to improper CRLF escaping in cookie() and cookies() methods | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, mmaslano, perl-devel, ppisar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/sukria/Dancer/issues/859 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:59:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 880330 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2012-11-26 17:51:18 UTC
This issue affects the versions of the perl-Dancer package, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch is available). Created perl-Dancer tracking bugs for this issue Affects: fedora-all [bug 880330] The CVE identifier of CVE-2012-5572 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/11/26/10 Upstream states the fix is available in commit:
commit 46ef9124f3149f697455061499ac7cee40930349
Author: Colin Keith <colinmkeith>
Date: Sat May 25 22:56:31 2013 -0400
resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm
index efcb1a3..e736ab8 100644
--- a/lib/Dancer/Cookie.pm
+++ b/lib/Dancer/Cookie.pm
@@ -29,7 +29,10 @@ sub to_header {
my $value = join('&', map {uri_escape($_)} $self->value);
my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
- my @headers = $self->name . '=' . $value;
+ my $name = $self->name;
+ $name =~ s/[=,; \t\r\n\013\014]//mg;
+
+ my @headers = $name . '=' . $value;
push @headers, "path=" . $self->path if $self->path;
push @headers, "expires=" . $self->expires if $self->expires;
push @headers, "domain=" . $self->domain if $self->domain;
Upstream added tests for this issue with commit:
commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2
Author: Colin Keith <colinmkeith>
Date: Sat May 25 00:46:53 2013 -0400
test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
perl-Dancer-1.3111-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. perl-Dancer-1.3093-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. perl-Dancer-1.3100-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |