Bug 443446 (CVE-2012-5526) - <perl-core/CGI-3.630.0: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers (CVE-2012-5526)
Status: RESOLVED FIXED
Alias: CVE-2012-5526
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Reported: 2012-11-15 18:36 UTC by Agostino Sarubbo
Modified: 2013-08-30 11:10 UTC

Description Agostino Sarubbo gentoo-dev 2012-11-15 18:36:12 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=877015 :

A security flaw was found in the way CGI.pm, a Perl module to handle Common Gateway Interface
requests and responses, performed sanitization of values to be used for Set-Cookie and P3P headers.
If a Perl CGI.pm module based CGI application reused cookie values and accepted untrusted input
from web browser(s), a remote attacker could use this flaw to in an unauthorized way alter member
items of the cookie or add new items.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-30 01:27:01 UTC
CVE-2012-5526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5526):
  CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
  Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
  arbitrary headers into responses from applications that use CGI.pm.
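
An added example, not CGI.pm's code and not part of this bug report: a header-value check an application can apply before emitting Set-Cookie or P3P values built from untrusted input. The helper names `safe_header_value` and `header_line` are hypothetical, the sample values are constructed, and treating CRLF followed by a space or tab as a legal folded continuation is an assumption of this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of CGI.pm): validate one header value.
# Assumption: CRLF followed by space/tab is a folded continuation line and
# is unfolded; any other CR or LF would start a new header line, so the
# value is refused (undef is returned).
sub safe_header_value {
    my ($value) = @_;
    return unless defined $value;
    $value =~ s/\015\012([ \t])/$1/g;    # unfold legal continuation lines
    return if $value =~ /[\015\012]/;    # bare CR or LF: refuse the value
    return $value;
}

# Hypothetical helper: build one response header line, or die on bad input.
sub header_line {
    my ($name, $value) = @_;
    my $clean = safe_header_value($value);
    die "refusing ${name} header: value contains a bare newline\n"
        unless defined $clean;
    return "${name}: ${clean}\015\012";
}

# Constructed sample values standing in for untrusted input that an
# application reuses in a cookie or P3P header.
my @samples = (
    [ 'Set-Cookie', 'theme=dark; path=/' ],                            # plain
    [ 'P3P', qq{policyref="/w3c/p3p.xml",\015\012 CP="NOI DSP"} ],     # folded
    [ 'Set-Cookie', "theme=dark\015\012X-Constructed: 1" ],            # bare CRLF
    [ 'Set-Cookie', "theme=dark\012X-Constructed: 1" ],                # bare LF
);

for my $sample (@samples) {
    my ($name, $value) = @$sample;
    my $line = eval { header_line($name, $value) };
    if (defined $line) {
        $line =~ s/\015\012\z//;          # strip the terminator for display
        print "ok      $line\n";
    }
    else {
        (my $err = $@) =~ s/\n\z//;
        print "blocked $err\n";
    }
}
```

The first two samples are emitted as single header lines; the last two are refused instead of being written to the response.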
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 17:13:47 UTC
GLSA vote: no. @maintainers: clean up, please.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-29 18:38:11 UTC
(In reply to Chris Reffett from comment #2)
> @maintainers: clean up, please.

Done.
Comment 4 Sergey Popov gentoo-dev 2013-08-30 11:10:26 UTC
GLSA vote: no

Closing as noglsa