Bug 443446 (CVE-2012-5526)

Summary:	<perl-core/CGI-3.630.0: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers (CVE-2012-5526)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	perl
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=877015
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2012-11-15 18:36:12 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=877015 :

A security flaw was found in the way CGI.pm, a Perl module to handle Common Gateway Interface 
requests and responses, performed sanitization of values to be used for Set-Cookie and P3P headers. 
If a Perl CGI.pm module based CGI application reused cookies values and accepted untrusted input 
from web browser(s), a remote attacker could use this flaw to in an unauthorized way alter member 
items of the cookie or add new items.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2012-11-30 01:27:01 UTC

CVE-2012-5526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5526):
  CGI.pm module before 3.63 for Perl does not properly escape newlines in (1)
  Set-Cookie or (2) P3P headers, which might allow remote attackers to inject
  arbitrary headers into responses from applications that use CGI.pm.

Comment 2 Chris Reffett (RETIRED) gentoo-dev

2013-08-29 17:13:47 UTC

GLSA vote: no. @maintainers: clean up, please.

Comment 3 Mikle Kolyada (RETIRED) archtester

2013-08-29 18:38:11 UTC

(In reply to Chris Reffett from comment #2)
> @maintainers: clean up, please.

Done.

Comment 4 Sergey Popov gentoo-dev

2013-08-30 11:10:26 UTC

GLSA vote: no

Closing as noglsa