A security flaw was found in the way Dancer.pm, lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for cookie() and cookies() methods. A remote attacker could use this flaw to inject arbitrary headers into responses from (Perl) applications, that use Dancer.pm. A different vulnerability than CVE-2012-5526. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694279 [2] https://github.com/sukria/Dancer/issues/859
This issue affects the versions of the perl-Dancer package, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch is available).
Created perl-Dancer tracking bugs for this issue Affects: fedora-all [bug 880330]
CVE Request: http://www.openwall.com/lists/oss-security/2012/11/26/8
The CVE identifier of CVE-2012-5572 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/11/26/10
Upstream states the fix is available in commit: commit 46ef9124f3149f697455061499ac7cee40930349 Author: Colin Keith <colinmkeith> Date: Sat May 25 22:56:31 2013 -0400 resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859 diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm index efcb1a3..e736ab8 100644 --- a/lib/Dancer/Cookie.pm +++ b/lib/Dancer/Cookie.pm @@ -29,7 +29,10 @@ sub to_header { my $value = join('&', map {uri_escape($_)} $self->value); my $no_httponly = defined( $self->http_only ) && $self->http_only == 0; - my @headers = $self->name . '=' . $value; + my $name = $self->name; + $name =~ s/[=,; \t\r\n\013\014]//mg; + + my @headers = $name . '=' . $value; push @headers, "path=" . $self->path if $self->path; push @headers, "expires=" . $self->expires if $self->expires; push @headers, "domain=" . $self->domain if $self->domain; Upstream added tests for this issue with commit: commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2 Author: Colin Keith <colinmkeith> Date: Sat May 25 00:46:53 2013 -0400 test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
perl-Dancer-1.3111-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-Dancer-1.3093-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
perl-Dancer-1.3100-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.