commit b143dde5277ba40f8d8e6863c3627916fafc77be
Author: Niko Tyni <nt...@debian.org>
Date: Tue Jan 12 23:40:53 2016 +0200
Untaint raw data coming from session storage backends
This fixes a taint regression caused by CVE-2015-8607 fixes in perl.
Closes: #810799
---
 ...-data-coming-from-session-storage-backend.patch | 77 ++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 78 insertions(+)
diff --git a/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
new file mode 100644
index 0000000..f19d4cf
--- /dev/null
+++ b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
@@ -0,0 +1,77 @@
+From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Tue, 12 Jan 2016 23:40:53 +0200
+Subject: [PATCH] Untaint raw data coming from session storage backends
+
+The various storage backends need to be considered trusted,
+so data coming out of them should be untainted.
+
+The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
+but presumably it's OK if it matched some data in the storage.
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
+Bug-Debian: https://bugs.debian.org/810799
+---
+ lib/CGI/Session.pm | 4 ++++
+ t/taint_storage.t | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+ create mode 100644 t/taint_storage.t
+
+diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
+index 2788b04..6460d4d 100644
+--- a/lib/CGI/Session.pm
++++ b/lib/CGI/Session.pm
+@@ -724,6 +724,10 @@ sub load {
+ # Requested session couldn't be retrieved
+ return $self unless $raw_data;
+ 
++ # untaint; we trust the session backend,
++ # and presumably _CLAIMED_ID too at this point
++ $raw_data =~ /^(.*)$/s and $raw_data = $1;
++
+ my $serializer = $self->_serializer();
+ $self->{_DATA} = $serializer->thaw($raw_data);
+ unless ( defined $self->{_DATA} ) {
+diff --git a/t/taint_storage.t b/t/taint_storage.t
+new file mode 100644
+index 0000000..95f5f1a
+--- /dev/null
++++ b/t/taint_storage.t
+@@ -0,0 +1,34 @@
++#!/usr/bin/perl -T
++
++# https://rt.cpan.org/Public/Bug/Display.html?id=80346
++
++use strict;
++use warnings;
++use CGI::Session;
++use Scalar::Util qw(tainted);
++use Test::More tests => 6;
++
++my $sid;
++
++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'});
++ok($session, "new() with file+storable");
++
++$session->param('a', 1 );
++
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after new");
++
++$session->flush;
++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'});
++
++ok($session, "load() with file+storable");
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after load");
++
++is($session->param('a'), 1, "parameter stored");
++
++$session->flush;
++
++ok(1, "survived flush");
++
++$session->delete;
+-- 
+2.6.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e2cee36
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Untaint-raw-data-coming-from-session-storage-backend.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libcgi-session-perl.git
_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
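Review bot: The untaint in `$raw_data =~ /^(.*)$/s and $raw_data = $1;` (the lib/CGI/Session.pm hunk inside the patch) accepts any bytes the backend returns, so the trust boundary now sits at the storage itself: whoever can write the backing store — for the file driver, the `Directory` passed to new()/load() — supplies data that `$serializer->thaw` will deserialize as trusted. That is what the patch intends, but the code comment should state the precondition rather than only "we trust the session backend"; I would extend it to `# untaint: the storage backend is the trust boundary — anything able to write the store (e.g. the file driver's Directory) supplies data thaw() will accept, so that store must stay private`. Anchoring with `\A(.*)\z` instead of `^...$` also makes the capture-everything intent explicit, although with /s and a greedy `.*` the captured value is the same. The new t/taint_storage.t only asserts on `tainted $sid`; an `ok(!tainted $session->param('a'), "param not tainted after load")` after load() would pin the data path the fix is for, assuming Storable propagates taint through thaw (inferred, not checked here). sub load starts and ends outside the hunk, so the earlier handling of `_CLAIMED_ID` the comment relies on is not visible in this change.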