This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch master in repository libcgi-application-perl.
commit 9f5d569466afb762149af792535684f8cdd91fbe
Author: Salvatore Bonaccorso <car...@debian.org>
Date: Thu Apr 3 21:48:50 2014 +0200
Add CVE-2013-7329.patch patch CVE-2013-7329: In certain cases, CGI::Application would unexpectedly dump a complete set of web query data and server environment information as an error page. This could allow unintended disclosure of sensitive information. Closes: #739505
---
debian/patches/CVE-2013-7329.patch | 133 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 134 insertions(+)
diff --git a/debian/patches/CVE-2013-7329.patch b/debian/patches/CVE-2013-7329.patch
new file mode 100644
index 0000000..0db5555
--- /dev/null
+++ b/debian/patches/CVE-2013-7329.patch
@@ -0,0 +1,133 @@
+Description: Fix CVE-2013-7329
+ In certain cases, CGI::Application would unexpectedly dump a complete
+ set of web query data and server environment information as an error
+ page. This could allow unintended disclosure of sensitive information.
+Origin: backport, https://github.com/markstos/CGI--Application/pull/15
+Bug: https://github.com/markstos/CGI--Application/pull/15
+Bug-Debian: http://bugs.debian.org/739505
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1067180
+Forwarded: not-needed
+Author: Emmanuel Seyman <emman...@seyman.fr>
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-04-03
+
+--- a/lib/CGI/Application.pm
++++ b/lib/CGI/Application.pm
+@@ -359,6 +359,27 @@
+ }
+
+
++sub no_runmodes {
++
++ my $self = shift;
++ my $query = $self->query();
++
++ # If no runmodes specified by app return error message
++ my $current_runmode = $self->get_current_runmode();
++ my $query_params = $query->Dump;
++
++ my $output = qq{
++ <h2>Error - No runmodes specified.</h2>
++ <p>Runmode called: $current_runmode"</p>
++ <p>Query paramaters:</p> $query_params
++ <p>Your application has not specified any runmodes.</p>
++ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli ++ cation/">CGI::Application</a> documentation.</p>
++ };
++ return $output;
++}
++
++
+ sub header_add {
+ my $self = shift;
+ return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@
+ my (@data) = (@_);
+
+ # First use? Create new __RUN_MODES!
+- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+
+ my $rr_m = $self->{__RUN_MODES};
+
+@@ -1653,7 +1674,8 @@
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser. 
Useful for outputting to a browser.
++a web browser. Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+
+ =head3 error_mode()
+
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -1,6 +1,6 @@
+
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+
+ BEGIN{use_ok('CGI::Application');}
+
+@@ -28,7 +28,7 @@
+ }
+
+ # Instantiate CGI::Application
+-# run() CGI::Application object. Expect header + output dump_html()
++# run() CGI::Application object. Expect header + output no_runmodes()
+ {
+ my $app = CGI::Application->new();
+ isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+- qr/Query Environment:/,
++ qr/Error - No runmodes specified./,
+ 'base class response',
+ );
+ }
+
++# Instantiate CGI::Application
++# run() CGI::Application sub-class.
++# Expect header + output dump_html()
++{
++
++ my $app = TestApp->new();
++ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++ response_like(
++ $app,
++ qr{^Content-Type: text/html},
++ qr/Query Environment:/,
++ 'dump_html class response'
++
++ );
++
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class.
+ # Expect HTTP header + 'Hello World: basic_test'.
+--- a/t/lib/TestApp.pm
++++ b/t/lib/TestApp.pm
+@@ -27,6 +27,7 @@
+ 'header_props_before_header_add' => \&header_props_before_header_add,
+ 'header_add_after_header_props' => \&header_add_after_header_props,
+
++ 'dump_htm' => 'dump_html',
+ 'dump_txt' => 'dump',
+ 'eval_test' => 'eval_test',
+ );
+--- a/t/load_tmpl_hook.t
++++ b/t/load_tmpl_hook.t
+@@ -8,7 +8,7 @@
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+
+ {
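Review bot: The new no_runmodes() still interpolates `$query->Dump` into the error page, so any application that has defined no run modes (the default `'start' => 'no_runmodes'` mapping in the second hunk) keeps echoing every query parameter name and value back to the client, which is the query-data half of the disclosure this CVE patch sets out to remove. I would delete `my $query_params = $query->Dump;` and the `<p>Query paramaters:</p> $query_params` line so the page is a static message, leaving dump_html() as the explicit, opt-in debugging aid. Two smaller defects in the same qq{} block: the stray quote in `<p>Runmode called: $current_runmode"</p>`, and the href that appears to be split across two lines at `CGI-Appli` / `cation/` (if that is the patch's content rather than mail wrapping, the rendered link is broken and the URL should be rejoined on one line). In the t/load_tmpl_hook.t hunk the pattern now matches the error text but the description still reads "normal app output contains start"; rename it to say what is actually asserted.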
diff --git a/debian/patches/series b/debian/patches/series
index 5299247..3abbdd3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 spelling.patch
+CVE-2013-7329.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libcgi-application-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits