[perl-Dancer/f18] Fix CVE-2012-5572 (cookie name CR-LF injection)

Petr Pisar ppisar at fedoraproject.org
Mon Jun 3 11:56:25 UTC 2013


commit 0df619f4582ada0daa98ff255a5bec3883e8dcc1
Author: Petr Písař <ppisar at redhat.com>
Date:   Mon Jun 3 13:24:45 2013 +0200

    Fix CVE-2012-5572 (cookie name CR-LF injection)

 Dancer-1.3113-CVE-2012-5572-1.patch |   59 +++++++++++++++++++++++++++++++++++
 Dancer-1.3113-CVE-2012-5572-2.patch |   29 +++++++++++++++++
 perl-Dancer.spec                    |   11 ++++++-
 3 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/Dancer-1.3113-CVE-2012-5572-1.patch b/Dancer-1.3113-CVE-2012-5572-1.patch
new file mode 100644
index 0000000..23c3628
--- /dev/null
+++ b/Dancer-1.3113-CVE-2012-5572-1.patch
@@ -0,0 +1,59 @@
+From d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2 Mon Sep 17 00:00:00 2001
+From: Colin Keith <colinmkeith at gmail.com>
+Date: Sat, 25 May 2013 00:46:53 -0400
+Subject: [PATCH 1/2] test and resolution for CVE-2012-5572, \r\n sequence
+ being allowed in a cookie name fixes PerlDancer/Dancer#859
+
+---
+ t/12_response/11_CVE-2012-5572.t | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+ create mode 100644 t/12_response/11_CVE-2012-5572.t
+
+diff --git a/t/12_response/11_CVE-2012-5572.t b/t/12_response/11_CVE-2012-5572.t
+new file mode 100644
+index 0000000..2b6eacb
+--- /dev/null
++++ b/t/12_response/11_CVE-2012-5572.t
+@@ -0,0 +1,39 @@
++package main;
++use strict;
++use warnings;
++use Test::More tests => 2, import => ['!pass'];
++
++{
++    use Dancer;
++    get '/CVE-2012-5572-cookie' => sub {
++        cookie "test\r\nX-Evil-Header: " => "evil";
++    };
++}
++
++
++use Dancer::Test;
++{
++    note "Testing CVE-2012-5572 (CRLF in response headers)";
++    my $req = [GET => '/CVE-2012-5572-cookie'];
++    route_exists $req;
++    my $response = Dancer::Test::_req_to_response($req);
++
++    my $CRLF = "\r\n";
++
++    my $tb = Test::Builder->new;
++    my %headers = @{$response->headers_to_array};
++    my $foundCRLF = 0;
++    while (my($name, $value) = each %headers) {
++       index($value, $CRLF) == -1
++         && index($name, $CRLF) == -1
++         && next;
++       $foundCRLF = 1;
++       last;
++    }
++
++    $tb->ok(!$foundCRLF, 'Headers do not contain CRLF (CVE-2012-5572)');
++}
++
++
++1;
++
+-- 
+1.8.1.4
+
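Review bot: The check built around the `while (my($name, $value) = each %headers)` loop can miss what it is meant to catch. Assigning `headers_to_array` to `%headers` keeps only the last value for any repeated header name, so several `Set-Cookie` headers collapse into one. In addition, `index(..., "\r\n")` ignores a lone CR or LF, which the accompanying fix also strips. Scanning the flat list directly covers both cases, e.g. `my @flat = @{ $response->headers_to_array };` followed by `ok( !(grep { /[\r\n]/ } @flat), 'Headers do not contain CR or LF (CVE-2012-5572)' );`. The test also depends on the private helper `Dancer::Test::_req_to_response`, so it may break if that helper changes.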
diff --git a/Dancer-1.3113-CVE-2012-5572-2.patch b/Dancer-1.3113-CVE-2012-5572-2.patch
new file mode 100644
index 0000000..911f32b
--- /dev/null
+++ b/Dancer-1.3113-CVE-2012-5572-2.patch
@@ -0,0 +1,29 @@
+From 46ef9124f3149f697455061499ac7cee40930349 Mon Sep 17 00:00:00 2001
+From: Colin Keith <colinmkeith at gmail.com>
+Date: Sat, 25 May 2013 22:56:31 -0400
+Subject: [PATCH 2/2] resolution for CVE-2012-5572, \r\n sequence being allowed
+ in a cookie name fixes PerlDancer/Dancer#859
+
+---
+ lib/Dancer/Cookie.pm | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm
+index efcb1a3..e736ab8 100644
+--- a/lib/Dancer/Cookie.pm
++++ b/lib/Dancer/Cookie.pm
+@@ -29,7 +29,10 @@ sub to_header {
+     my $value       = join('&', map {uri_escape($_)} $self->value);
+     my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
+ 
+-    my @headers = $self->name . '=' . $value;
++    my $name = $self->name;
++    $name =~ s/[=,; \t\r\n\013\014]//mg;
++
++    my @headers = $name . '=' . $value;
+     push @headers, "path=" . $self->path        if $self->path;
+     push @headers, "expires=" . $self->expires  if $self->expires;
+     push @headers, "domain=" . $self->domain    if $self->domain;
+-- 
+1.8.1.4
+
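Review bot: Only the cookie name is filtered here; the unchanged lines right after the fix still append `$self->path`, `$self->expires` and `$self->domain` to the header as they are, so a CR/LF or `;` in any of them would reach the `Set-Cookie` line the same way. Whether those accessors validate their values is not visible in this hunk; if they do not, the same filtering applies, e.g. `(my $path = $self->path) =~ s/[;\r\n]//g;`. The `/m` flag on the new substitution has no effect because the pattern contains no `^` or `$`, so `$name =~ s/[=,; \t\r\n\013\014]//g;` is equivalent. Silent stripping can also map two distinct names onto one cookie name or leave an empty name, so a comment stating that choice, or a `croak` on an invalid name, would make the behaviour explicit. `to_header` starts and ends outside the hunk.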
diff --git a/perl-Dancer.spec b/perl-Dancer.spec
index 1a915dc..6907283 100644
--- a/perl-Dancer.spec
+++ b/perl-Dancer.spec
@@ -1,6 +1,6 @@
 Name:           perl-Dancer
 Version:        1.3100
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Lightweight yet powerful web application framework
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -8,6 +8,10 @@ URL:            http://search.cpan.org/dist/Dancer/
 Source0:        http://www.cpan.org/authors/id/X/XS/XSAWYERX/Dancer-%{version}.tar.gz
 # Bug #960184, GitHub #PerlDancer/Dancer/919
 Patch0:         Dancer-1.3112-Return-non-zero-exit-code-on-bad-application-name.patch
+# Bug #880330, test for CVE-2012-5572, GiHub #PerlDancer/Dancer/859
+Patch1:         Dancer-1.3113-CVE-2012-5572-1.patch
+# Bug #880330, fix for CVE-2012-5572, GiHub #PerlDancer/Dancer/859
+Patch2:         Dancer-1.3113-CVE-2012-5572-2.patch
 BuildArch:      noarch
 BuildRequires:  perl(base)
 BuildRequires:  perl(Carp)
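Review bot: Both new comments above `Patch1` and `Patch2` misspell the forge name as `GiHub`; they should read e.g. `# Bug #880330, fix for CVE-2012-5572, GitHub #PerlDancer/Dancer/859`. The patch file names carry 1.3113 while `Version` is 1.3100, so these are presumably backports from a newer upstream tree. A short comment saying so would tell the next packager that they can be dropped on rebase.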
@@ -88,6 +92,8 @@ your code.
 %prep
 %setup -q -n Dancer-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -110,6 +116,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jun 03 2013 Petr Pisar <ppisar at redhat.com> - 1.3100-3
+- Fix CVE-2012-5572 (cookie name CR-LF injection) (bug #880330)
+
 * Tue May 07 2013 Petr Pisar <ppisar at redhat.com> - 1.3100-2
 - Return proper exit code on dancer tool failure (bug #960184)
 

