This is an automated email from the git hooks/post-receive script.

ntyni pushed a commit to annotated tag debian/4.48-1+deb8u1
in repository libcgi-session-perl.

commit 010a78c3edc4415f2ee26a1d0b27c0aaf308a231
Author: Niko Tyni <nt...@debian.org>
Date:   Tue Jan 12 23:40:53 2016 +0200

    Untaint raw data coming from session storage backends
    
    This fixes a taint regression caused by CVE-2015-8607 fixes in perl.
    
    Closes: #810799
---
 ...-data-coming-from-session-storage-backend.patch | 77 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 78 insertions(+)

diff --git 
a/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
 
b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
new file mode 100644
index 0000000..f19d4cf
--- /dev/null
+++ 
b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
@@ -0,0 +1,77 @@
+From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Tue, 12 Jan 2016 23:40:53 +0200
+Subject: [PATCH] Untaint raw data coming from session storage backends
+
+The various storage backends need to be considered trusted,
+so data coming out of them should be untainted.
+
+The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
+but presumably it's OK if it matched some data in the storage.
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
+Bug-Debian: https://bugs.debian.org/810799
+---
+ lib/CGI/Session.pm |  4 ++++
+ t/taint_storage.t  | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+ create mode 100644 t/taint_storage.t
+
+diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
+index 2788b04..6460d4d 100644
+--- a/lib/CGI/Session.pm
++++ b/lib/CGI/Session.pm
+@@ -724,6 +724,10 @@ sub load {
+     # Requested session couldn't be retrieved
+     return $self unless $raw_data;
+ 
++    # untaint; we trust the session backend,
++    # and presumably _CLAIMED_ID too at this point
++    $raw_data =~ /^(.*)$/s and $raw_data = $1;
++
+     my $serializer = $self->_serializer();
+     $self->{_DATA} = $serializer->thaw($raw_data);
+     unless ( defined $self->{_DATA} ) {
+diff --git a/t/taint_storage.t b/t/taint_storage.t
+new file mode 100644
+index 0000000..95f5f1a
+--- /dev/null
++++ b/t/taint_storage.t
+@@ -0,0 +1,34 @@
++#!/usr/bin/perl -T
++
++# https://rt.cpan.org/Public/Bug/Display.html?id=80346
++
++use strict;
++use warnings;
++use CGI::Session;
++use Scalar::Util qw(tainted);
++use Test::More tests => 6;
++
++my $sid;
++
++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, 
{Directory=>'t'});
++ok($session, "new() with file+storable");
++
++$session->param('a', 1 );
++
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after new");
++
++$session->flush;
++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, 
{Directory=>'t'});
++
++ok($session, "load() with file+storable");
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after load");
++
++is($session->param('a'), 1, "parameter stored");
++
++$session->flush;
++
++ok(1, "survived flush");
++
++$session->delete;
+-- 
+2.6.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e2cee36
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Untaint-raw-data-coming-from-session-storage-backend.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libcgi-session-perl.git

_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits

Reply via email to