[perl-CGI/f18] Fix CVE-2012-5526 for CGI-3.59

Petr Pisar ppisar at fedoraproject.org
Mon Nov 26 13:36:34 UTC 2012


commit e5a0c9af8304bedcfdf695fbcbb0bf7191618e99
Author: Petr Písař <ppisar at redhat.com>
Date:   Mon Nov 26 14:24:51 2012 +0100

    Fix CVE-2012-5526 for CGI-3.59

 ...n_cookies.patch => CGI-3.59-CVE-2012-5526.patch |   14 +++++++-------
 perl-CGI.spec                                      |    4 +++-
 2 files changed, 10 insertions(+), 8 deletions(-)
---
diff --git a/CGI-3.51-escape_new_lines_in_cookies.patch b/CGI-3.59-CVE-2012-5526.patch
similarity index 90%
rename from CGI-3.51-escape_new_lines_in_cookies.patch
rename to CGI-3.59-CVE-2012-5526.patch
index 31f7e52..c8ef36c 100644
--- a/CGI-3.51-escape_new_lines_in_cookies.patch
+++ b/CGI-3.59-CVE-2012-5526.patch
@@ -1,22 +1,22 @@
-From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001
+From 283d915d164f9ad213aeefe888a8a79270d69cc3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
-Date: Thu, 15 Nov 2012 14:32:18 +0100
-Subject: [PATCH] Escape new-lines in Cookie and P3P headers
+Date: Mon, 26 Nov 2012 14:14:00 +0100
+Subject: [PATCH] Escape new-lines in Cookie and P3P headers (CVE-2012-5526)
 
 This is relevant difference between CGI 3.62 and 3.63.
 See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
 
-Back-ported for 3.51
+Port for CGI-3.59.
 ---
  lib/CGI.pm  | 24 ++++++++++++------------
  t/headers.t |  6 ++++++
  2 files changed, 18 insertions(+), 12 deletions(-)
 
 diff --git a/lib/CGI.pm b/lib/CGI.pm
-index d320d7f..7436a51 100644
+index 6084f0f..cb7c0ab 100644
 --- a/lib/CGI.pm
 +++ b/lib/CGI.pm
-@@ -1550,8 +1550,17 @@ sub header {
+@@ -1501,8 +1501,17 @@ sub header {
                              'EXPIRES','NPH','CHARSET',
                              'ATTACHMENT','P3P'], at p);
  
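Review bot: The Subject line of the embedded patch says "Cookie and P3P headers", while the changelog entry added to perl-CGI.spec in this same commit says "Set-Cookie and P3P response headers"; use one header name in both places so the fix is easy to find by either. The message "Port for CGI-3.59." also does not say what the port involved. The visible differences are only the From hash, the date, the index line and the hunk offset (1550 to 1501), so a short remark that this is an offset-only rebase of the 3.51 back-port would document that for the next person rebasing it.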
@@ -35,7 +35,7 @@ index d320d7f..7436a51 100644
          if (defined $header) {
              # From RFC 822:
              # Unfolding  is  accomplished  by regarding   CRLF   immediately
-@@ -1595,18 +1604,9 @@ sub header {
+@@ -1546,18 +1555,9 @@ sub header {
  
      push(@header,"Status: $status") if $status;
      push(@header,"Window-Target: $target") if $target;
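Review bot: The t/headers.t part of the embedded patch is carried over unchanged by this port: the inner diffstat still lists it with 6 lines, and only the lib/CGI.pm offsets move (1595 to 1546 in this hunk). Please confirm that the test hunk still applies to the 3.59 t/headers.t. The spec runs make test, so a build log showing the new header tests passing would be enough evidence that the escaping fix is exercised on 3.59.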
diff --git a/perl-CGI.spec b/perl-CGI.spec
index f9dadf1..4e50997 100644
--- a/perl-CGI.spec
+++ b/perl-CGI.spec
@@ -6,7 +6,7 @@ License:        GPL+ or Artistic
 Group:          Development/Libraries
 Source0:        http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI.pm-%{version}.tar.gz
 # CVE-2012-5526, RHBZ #876974
-Patch0:         CGI-3.51-escape_new_lines_in_cookies.patch
+Patch0:         CGI-3.59-CVE-2012-5526.patch
 URL:            http://search.cpan.org/dist/CGI
 BuildArch:      noarch
 BuildRequires:  perl(ExtUtils::MakeMaker)
@@ -75,6 +75,8 @@ make test
 %changelog
 * Mon Nov 26 2012 Petr Pisar <ppisar at redhat.com> - 3.59-1
 - 3.59 bump
+- Fix CVE-2012-5526 (Escape new-lines in Set-Cookie and P3P response headers
+  properly) (bug #876974)
 
 * Fri Nov 16 2012 Petr Pisar <ppisar at redhat.com> - 3.51-10
 - Improper new-line escaping in Set-Cookie and P3P headers is known as
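Review bot: The two added changelog lines are placed under the existing "3.59-1" entry and nothing in this commit bumps Release. If a 3.59-1 build already exists, the package with the rebased patch would carry the same version-release as one without it, so a new changelog entry with a bumped release would make the fixed build distinguishable.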

