CVE-2012-5526 CGI.pm: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers

Related Vulnerabilities: CVE-2012-5526   CVE-2012-5195  

Debian Bug report logs - #693420

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Nov 2012 09:57:02 UTC

Severity: grave

Tags: patch, security

Found in versions perl/5.10.1-17squeeze3, perl/5.14.2-15

Fixed in versions perl/5.14.2-16, perl/5.10.1-17squeeze4, perl/5.16.2-2

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Fri, 16 Nov 2012 09:57:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Fri, 16 Nov 2012 09:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-modules: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers
Date: Fri, 16 Nov 2012 10:55:29 +0100
Package: perl-modules
Severity: important
Tags: security

Hi,
the following vulnerability was published for CGI.pm:

CVE-2012-5526[0]:
libcgi-pm-perl: newline injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526
    http://security-tracker.debian.org/tracker/CVE-2012-5526
[1] http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
[2] https://github.com/markstos/CGI.pm/pull/23
[3] https://bugzilla.redhat.com/show_bug.cgi?id=877015

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl-modules depends on:
ii  libclass-isa-perl  0.36-5
ii  libswitch-perl     2.16-2
ii  perl               5.14.2-15

perl-modules recommends no packages.

Versions of packages perl-modules suggests:
ii  libpod-plainer-perl  1.03-1

-- no debconf information



Changed Bug title to 'CVE-2012-5526 CGI.pm: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers' from 'perl-modules: CVE-2012-5526 perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Nov 2012 11:48:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#693420; Package perl-modules. (Sun, 18 Nov 2012 10:12:03 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sun, 18 Nov 2012 10:12:03 GMT)

Message #12 received at 693420@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 693420@bugs.debian.org, 693421@bugs.debian.org
Cc: team@security.debian.org
Subject: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sun, 18 Nov 2012 12:08:21 +0200
found 693420 5.10.1-17squeeze3
found 693420 5.14.2-15
found 693421 3.49-1squeeze1
found 693421 3.59+dfsg-1
found 693421 3.61-1
tag 693421 patch fixed-upstream
thanks

Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
newline injection in Set-Cookie and P3P headers) affects all of squeeze,
wheezy, and sid.

The attached patch should apply to the wheezy and sid versions; squeeze
may need some backporting at least for the testcases, and the perl package
needs filename modifications due to the different directory structure.

The sid and wheezy versions of libcgi-pm-perl have diverged, so
I suppose this needs to go in wheezy via tpu.

The perl status in wheezy/sid is waiting for #692294; we'll see
if this needs a separate upload.

Security team: do you want DSAs for stable or should this rather be
fixed via SRM/proposed-updates?
-- 
Niko Tyni   ntyni@debian.org
[0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch (text/x-diff, attachment)]

Marked as found in versions perl/5.10.1-17squeeze3. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:07 GMT)

Marked as found in versions perl/5.14.2-15. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 10:12:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Sun, 18 Nov 2012 12:33:03 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 18 Nov 2012 12:33:03 GMT)

Message #21 received at 693420@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org
Cc: 693421@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sun, 18 Nov 2012 12:31:44 +0000
On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> wheezy, and sid.
> 
> The attached patch should apply to the wheezy and sid versions; squeeze
> may need some backporting at least for the testcases, and the perl package
> needs filename modifications due to the different directory structure.
> 
> The sid and wheezy versions of libcgi-pm-perl have diverged, so
> I suppose this needs to go in wheezy via tpu.

As both bugs are important rather than RC, neither a t-p-u upload
for libcgi-pm-perl nor an upload for perl including this would
qualify for migration to testing under the tightened up freeze policy[1],
so CCing debian-release for opinions from their side.

Cheers,
Dominic.

[1] <http://release.debian.org/wheezy/freeze_policy.html>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Sat, 24 Nov 2012 07:21:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 24 Nov 2012 07:21:03 GMT)

Message #26 received at 693420@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 693421@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 08:16:36 +0100
Hi Dominic, Niko, Security-Team and Release-Team

On Sun, Nov 18, 2012 at 12:31:44PM +0000, Dominic Hargreaves wrote:
> On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> > Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> > newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> > wheezy, and sid.
> > 
> > The attached patch should apply to the wheezy and sid versions; squeeze
> > may need some backporting at least for the testcases, and the perl package
> > needs filename modifications due to the different directory structure.
> > 
> > The sid and wheezy versions of libcgi-pm-perl have diverged, so
> > I suppose this needs to go in wheezy via tpu.
> 
> As both bugs are important rather than RC, neither a t-p-u upload
> for libcgi-pm-perl nor an upload for perl including this would
> qualify for migration to testing under the tightened up freeze policy[1],
> so CCing debian-release for opinions from their side.

I just have uploaded libcgi-pm-perl 3.61-2 with only the security
patch. But I agree at this stage it's a no-option to unblock this (too
big diff).

I have attached both debdiff's proposed for Squeeze and for Wheezy.
The debdiff for Squeeze might first be reviewed. Both I'm ready to
push to the Debian Perl Group git repos.

As Dominic correctly stated, with the current freeze policy only an
update would be allowed if we can go through unstable. Release-Team how
should we proceed here?

Regards,
Salvatore
[libcgi-pm-perl_3.49-1squeeze2.debdiff (text/plain, attachment)]
[libcgi-pm-perl_3.59+dfsg-2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Sat, 24 Nov 2012 07:33:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 24 Nov 2012 07:33:03 GMT)

Message #31 received at 693420@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 08:29:04 +0100
Hi

short addition to the mail before which I missed: For a possible t-p-u
upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.

Regards,
Salvatore
[libcgi-pm-perl_3.59+dfsg-1+deb7u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Sat, 24 Nov 2012 18:39:03 GMT)

Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 24 Nov 2012 18:39:03 GMT)

Message #36 received at 693420@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: debian-release@lists.debian.org
Cc: 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#693421: Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Date: Sat, 24 Nov 2012 17:46:02 +0100
Hi,

Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> short addition to the mail before which I missed: For a possible t-p-u
> upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.

TL;DR --> I recommend to accept this unblock request for t-p-u.

I have verified that I could reproduce the security issue on current
Wheezy, that I could not reproduce it after applying this patch, and
that the code still behaves well in the "good" situation (that is when
$CRLF is followed by space) after applying this patch.

The patch looks sane, and I trust Salvatore has correctly
cherry-picked it from upstream.

(BTW, in case someone wants to reproduce these results, one has to
insert a "\r" in the example test case found on the initial report [1]
for this security issue, else one cannot possibly check that the
patched code still behaves well in the "good" situation; resulting
testing code is:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ],    -p3p    => [ "foo\r\nbar\r\nbaz", ],);'

and:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ],    -p3p    => [ "foo\r\n bar\r\n baz", ],);'
)



[1] https://github.com/markstos/CGI.pm/pull/23

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
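The two one-liners in intrigeri's message exercise exactly the rule the CGI.pm 3.62 fix enforces: a CRLF followed by a space is RFC 822 folding and stays legal, while a bare CRLF inside a -cookie or -p3p value must be refused, including when those arguments are lists. What follows is an added example, not code from CGI.pm or from this thread: a Python model of that check and of a header() builder that applies it to scalar and list-valued arguments alike. The header() signature, its argument names, its header ordering and the P3P line format are my simplification, not CGI.pm's real API.

```python
"""Model of the header-value CRLF check behind the CVE-2012-5526 fix.

Added example, not CGI.pm code. Rule modelled: CRLF immediately followed by
whitespace is RFC 822 folding and is unfolded; any other CR or LF in a header
value would start a new header line and is refused.
"""
import re
from typing import Dict, Iterable, List, Optional, Union

CRLF = "\r\n"
# RFC 822 folding: CRLF immediately followed by a LWSP char (space or tab).
# Unfolding drops the CRLF and keeps the LWSP char.
FOLD_RE = re.compile(r"\r\n(?=[ \t])")
# Any CR or LF that survives unfolding would terminate the header line and
# let the rest of the value be parsed as another header (or as the body).
BARE_NEWLINE_RE = re.compile(r"[\r\n]")

HeaderArg = Union[None, str, Iterable[str]]


class HeaderInjection(ValueError):
    """A header value still contained a newline after unfolding."""


def unfold_and_check(value: str) -> str:
    """Unfold RFC 822 continuation lines, then refuse any remaining newline.

    'foo\\r\\n bar\\r\\n baz' -> 'foo bar baz'   (the "good" case in the thread)
    'foo\\r\\nbar\\r\\nbaz'   -> HeaderInjection (the injection case)
    """
    unfolded = FOLD_RE.sub("", value)
    if BARE_NEWLINE_RE.search(unfolded):
        raise HeaderInjection(
            "header value contains a newline not followed by whitespace: %r" % value)
    return unfolded


def _as_list(arg: HeaderArg) -> List[str]:
    """Normalise a scalar-or-list argument (CGI.pm accepts both for -cookie/-p3p)."""
    if arg is None:
        return []
    if isinstance(arg, str):
        return [arg]
    return list(arg)


def is_safe_header_value(arg: HeaderArg) -> bool:
    """True if every element (scalar or list) passes unfold_and_check."""
    try:
        for v in _as_list(arg):
            unfold_and_check(v)
    except HeaderInjection:
        return False
    return True


def header(content_type: str = "text/html; charset=ISO-8859-1",
           cookie: HeaderArg = None,
           p3p: HeaderArg = None,
           other: Optional[Dict[str, str]] = None) -> str:
    """Assemble a CGI response header block; every value is checked first.

    The point of the fix is that list elements of -cookie and -p3p go through
    the same check as scalar values, so one call can never emit more header
    lines than the caller asked for.
    """
    lines: List[str] = []
    p3p_values = [unfold_and_check(v) for v in _as_list(p3p)]
    if p3p_values:
        # Simplified single P3P line (assumption; format is mine, not CGI.pm's).
        lines.append('P3P: policyref="/w3c/p3p.xml", CP="%s"' % " ".join(p3p_values))
    for c in _as_list(cookie):
        # Exactly one Set-Cookie line per cookie value.
        lines.append("Set-Cookie: " + unfold_and_check(c))
    for name, value in (other or {}).items():
        # Header names get the same check: a newline there splits the line too.
        lines.append("%s: %s" % (unfold_and_check(name), unfold_and_check(value)))
    lines.append("Content-Type: " + unfold_and_check(content_type))
    return CRLF.join(lines) + CRLF + CRLF


def header_line_count(block: str) -> int:
    """Number of header lines actually emitted (what a proxy or browser sees)."""
    return len([ln for ln in block.split(CRLF) if ln])


if __name__ == "__main__":
    good = "foo\r\n bar\r\n baz"   # CRLF followed by space: legitimate fold
    bad = "foo\r\nbar\r\nbaz"      # bare CRLF: would add two extra header lines
    print(header(cookie=[good], p3p=[good]))
    for attempt in (bad, [good, bad]):
        try:
            header(cookie=attempt)
        except HeaderInjection as exc:
            print("refused:", exc)
```

Running the block prints the three-line header for the folded input and two refusals for the injected one; note that header_line_count() stays at one line per cookie however many CRLFs the caller supplied.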



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#693420; Package perl-modules. (Tue, 27 Nov 2012 07:30:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 27 Nov 2012 07:30:08 GMT)

Message #41 received at 693420@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: intrigeri <intrigeri@debian.org>, submit@bugs.debian.org
Cc: debian-release@lists.debian.org, 693421@bugs.debian.org, Niko Tyni <ntyni@debian.org>, 693420@bugs.debian.org, team@security.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: tpu: libcgi-pm-perl/3.59+dfsg-1+deb7u1 (pre-approval)
Date: Tue, 27 Nov 2012 08:27:06 +0100
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: tpu

Hi

On Sat, Nov 24, 2012 at 05:46:02PM +0100, intrigeri wrote:
> Hi,
> 
> Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> > short addition to the mail before which I missed: For a possible t-p-u
> > upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.
> 
> TL;DR --> I recommend to accept this unblock request for t-p-u.
> 
> I have verified that I could reproduce the security issue on current
> Wheezy, that I could not reproduce it after applying this patch, and
> that the code still behaves well in the "good" situation (that is when
> $CRLF is followed by space) after applying this patch.
> 
> The patch looks sane, and I trust Salvatore has correctly
> cherry-picked it from upstream.
> 
> (BTW, in case someone wants to reproduce these results, one has to
> insert a "\r" in the example test case found on the initial report [1]
> for this security issue, else one cannot possibly check that the
> patched code still behaves well in the "good" situation; resulting
> testing code is:
> 
>   $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ],    -p3p    => [ "foo\r\nbar\r\nbaz", ],);'
> 
> and:
> 
>   $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ],    -p3p    => [ "foo\r\n bar\r\n baz", ],);'
> )

Thanks for your review. To have this better tracked for the t-p-u part
I'm opening with this a bug against release.d.o.

@ReleaseTeam: This is about #693421 "CVE-2012-5526 CGI.pm: Newline
injection due to improper CRLF escaping in Set-Cookie and P3P
headers".

We could wait for some more testing in unstable for the version there.
The patch for tpu would be the "same" (the package cannot go through
unstable -> testing).

Salvatore
[libcgi-pm-perl_3.59+dfsg-1+deb7u1.debdiff (text/plain, attachment)]

Severity set to 'grave' from 'important'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:51:03 GMT)

Added tag(s) patch. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2012 18:57:05 GMT)

Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 09 Dec 2012 00:21:03 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 10 Dec 2012 15:06:13 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Dec 2012 15:06:13 GMT)

Message #52 received at 693420-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 693420-close@bugs.debian.org
Subject: Bug#693420: fixed in perl 5.14.2-16
Date: Mon, 10 Dec 2012 15:05:53 +0000
Source: perl
Source-Version: 5.14.2-16

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 10 Dec 2012 12:47:14 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.2-16
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.14 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 693420 695223 695224
Changes: 
 perl (5.14.2-16) unstable; urgency=medium
 .
   * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
     CRLF escaping (Closes: #693420)
   * [SECURITY] Fix misparsing of maketext strings which could allow
     arbitrary code execution from untrusted maketext templates
     (Closes: #695224)
   * [SECURITY] add warning to Storable documentation that Storable
     documents should not be accepted from untrusted sources
     (Closes: #695223)
Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 13 Dec 2012 23:51:08 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 13 Dec 2012 23:51:08 GMT)

Message #57 received at 693420-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 693420-close@bugs.debian.org
Subject: Bug#693420: fixed in perl 5.10.1-17squeeze4
Date: Thu, 13 Dec 2012 23:47:11 +0000
Source: perl
Source-Version: 5.10.1-17squeeze4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 11 Dec 2012 14:07:34 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze4
Distribution: stable-security
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 689314 693420 695223
Changes: 
 perl (5.10.1-17squeeze4) stable-security; urgency=low
 .
   * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with
     the 'x' string repeat operator. (Closes: #689314)
   * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
     CRLF escaping (Closes: #693420)
   * [SECURITY] add warning to Storable documentation that Storable
     documents should not be accepted from untrusted sources
     (Closes: #695223)
Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 13 Jan 2013 19:21:04 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 Jan 2013 19:21:04 GMT)

Message #62 received at 693420-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 693420-close@bugs.debian.org
Subject: Bug#693420: fixed in perl 5.16.2-2
Date: Sun, 13 Jan 2013 19:18:08 +0000
Source: perl
Source-Version: 5.16.2-2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 13 Jan 2013 17:54:46 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.16 libperl-dev perl
Architecture: source all i386
Version: 5.16.2-2
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.16 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 688842 689713 693420 695223 695224
Changes: 
 perl (5.16.2-2) experimental; urgency=low
 .
   [ Dominic Hargreaves ]
   * Merge 5.14.2-15 and 5.14.2-16 from unstable
     + [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
       CRLF escaping (Closes: #693420)
     + [SECURITY] Fix misparsing of maketext strings which could allow
       arbitrary code execution from untrusted maketext templates
       (Closes: #695224)
     + [SECURITY] add warning to Storable documentation that Storable
       documents should not be accepted from untrusted sources
       (Closes: #695223)
     + Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent
       is writable. (Closes: #688842)
     + Don't overwrite $Config{lddlflags} or ccdlflags on GNU/kFreeBSD.
       (Closes: #689713)
 .
   [ Niko Tyni ]
   * Minor packaging improvements:
     + present Debian bugs consistently in patchlevel.h.
     + use gzip -n for reproducible results
     + support comments in file lists
     + fix a syntax error in debian/copyright
     + support the '**' notation in file lists for matching subdirectories
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:26:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:42 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.