Bug 880329 - (CVE-2012-5572) CVE-2012-5572 perl-Dancer: Newline injection due to improper CRLF escaping in cookie() and cookies() methods
CVE-2012-5572 perl-Dancer: Newline injection due to improper CRLF escaping in...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
https://github.com/sukria/Dancer/issu...
impact=moderate,public=20121115,repor...
: Security
Depends On: 880330
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-26 12:51 EST by Jan Lieskovsky
Modified: 2013-06-13 01:58 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-11-26 12:51:18 EST
A security flaw was found in the way Dancer.pm, lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for cookie() and cookies() methods. A remote attacker could use this flaw to inject arbitrary headers into responses from (Perl) applications, that use Dancer.pm. A different vulnerability than CVE-2012-5526.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694279
[2] https://github.com/sukria/Dancer/issues/859
Comment 1 Jan Lieskovsky 2012-11-26 12:57:54 EST
This issue affects the versions of the perl-Dancer package, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch is available).
Comment 2 Jan Lieskovsky 2012-11-26 12:58:46 EST
Created perl-Dancer tracking bugs for this issue

Affects: fedora-all [bug 880330]
Comment 3 Jan Lieskovsky 2012-11-26 13:14:56 EST
CVE Request:
  http://www.openwall.com/lists/oss-security/2012/11/26/8
Comment 4 Jan Lieskovsky 2012-11-27 05:36:43 EST
The CVE identifier of CVE-2012-5572 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/11/26/10
Comment 5 Petr Pisar 2013-06-03 06:58:31 EDT
Upstream states the fix is available in commit:

commit 46ef9124f3149f697455061499ac7cee40930349
Author: Colin Keith <colinmkeith@gmail.com>
Date:   Sat May 25 22:56:31 2013 -0400

    resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859

diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm
index efcb1a3..e736ab8 100644
--- a/lib/Dancer/Cookie.pm
+++ b/lib/Dancer/Cookie.pm
@@ -29,7 +29,10 @@ sub to_header {
     my $value       = join('&', map {uri_escape($_)} $self->value);
     my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
 
-    my @headers = $self->name . '=' . $value;
+    my $name = $self->name;
+    $name =~ s/[=,; \t\r\n\013\014]//mg;
+
+    my @headers = $name . '=' . $value;
     push @headers, "path=" . $self->path        if $self->path;
     push @headers, "expires=" . $self->expires  if $self->expires;
     push @headers, "domain=" . $self->domain    if $self->domain;


Upstream added tests for this issue with commit:

commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2
Author: Colin Keith <colinmkeith@gmail.com>
Date:   Sat May 25 00:46:53 2013 -0400

    test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
Comment 6 Fedora Update System 2013-06-11 23:36:34 EDT
perl-Dancer-1.3111-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-13 01:56:28 EDT
perl-Dancer-1.3093-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-13 01:58:13 EDT
perl-Dancer-1.3100-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.