On Wed, 14 Dec 2011 22:46:27 +0000, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.4) - use target "stable"

Thanks for the reminder!

> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.

Attached.
(I hope switching to source format 3.0 is ok; it seems less invasive than
adding quilt stuff manually and less ugly than directly patching the source.)

Cheers,
gregor

--
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key ID: 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Andrew Lloyd Webber & Tim Rice
diff -Nru libdata-formvalidator-perl-4.66/debian/changelog libdata-formvalidator-perl-4.66/debian/changelog --- libdata-formvalidator-perl-4.66/debian/changelog 2011-12-15 21:11:53.000000000 +0100 +++ libdata-formvalidator-perl-4.66/debian/changelog 2011-12-15 21:07:14.000000000 +0100 @@ -1,3 +1,16 @@ +libdata-formvalidator-perl (4.66-1+squeeze1) UNRELEASED; urgency=low + + [ Damyan Ivanov ] + * add a patch fixing a possible passing of invalid data in untaint mode + Closes: #629511 + This is CVE-2011-2201. + + [ gregor herrmann ] + * Switch to "3.0 (quilt)" source format so that the patch actually gets + applied. + + -- gregor herrmann <gre...@debian.org> Thu, 15 Dec 2011 20:55:49 +0100 + libdata-formvalidator-perl (4.66-1) unstable; urgency=low [ Jonathan Yu ] diff -Nru libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch --- libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch 1970-01-01 01:00:00.000000000 +0100 +++ libdata-formvalidator-perl-4.66/debian/patches/fix-re-when-untainting.patch 2011-12-15 21:07:14.000000000 +0100 
@@ -0,0 +1,20 @@ +Description: Fix a matching check leading to passing (and mangling) invalid data + $match would be '' when $val doesn't match $re and '' is still defined... +Origin: vendor +Bug: https://rt.cpan.org/Ticket/Display.html?id=61792 +Bug-Debian: http://bugs.debian.org/629511 +Forwarded: yes +Author: Damyan Ivanov <d...@debian.org> +Last-Update: 2011-06-07 + +--- a/lib/Data/FormValidator/Results.pm ++++ b/lib/Data/FormValidator/Results.pm +@@ -807,7 +807,7 @@ sub _create_sub_from_RE { + # With methods, the value is the second argument + my $val = $force_method_p ? $_[1] : $_[0]; + my ($match) = scalar ($val =~ $re); +- if ($untaint_this && defined $match) { ++ if ($untaint_this && $match) { + # pass the value through a RE that matches anything to untaint it. + my ($untainted) = ($& =~ m/(.*)/s); + return $untainted; diff -Nru libdata-formvalidator-perl-4.66/debian/patches/series libdata-formvalidator-perl-4.66/debian/patches/series --- libdata-formvalidator-perl-4.66/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libdata-formvalidator-perl-4.66/debian/patches/series 2011-12-15 21:07:14.000000000 +0100 @@ -0,0 +1 @@ +fix-re-when-untainting.patch diff -Nru libdata-formvalidator-perl-4.66/debian/source/format libdata-formvalidator-perl-4.66/debian/source/format --- libdata-formvalidator-perl-4.66/debian/source/format 1970-01-01 01:00:00.000000000 +0100 +++ libdata-formvalidator-perl-4.66/debian/source/format 2011-12-15 21:07:14.000000000 +0100 @@ -0,0 +1 @@ +3.0 (quilt)
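Review bot: the debian/changelog hunk still carries the distribution UNRELEASED, while the quoted reminder asks for target "stable" for squeeze (6.0.4); change the distribution line to `stable` before the actual upload, otherwise the +squeeze1 revision will not be accepted for the point release. The version string 4.66-1+squeeze1 itself is the right form for a stable update.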
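Review bot: the one-character change in the Results.pm hunk (`defined $match` to `$match`) is the correct fix, but the patch Description should state the mechanism explicitly rather than trail off: in scalar context `$val =~ $re` returns 1 on success and the empty string (defined, but false) on failure, so `defined $match` was true for every input and the untaint branch ran even when the value did not match, returning `$&` from an earlier, unrelated successful match; testing truthiness is what closes that hole. Two follow-ups worth raising in the same review: the value returned on success is `$&`, i.e. only the part of `$val` the regex matched (`my ($untainted) = ($& =~ m/(.*)/s);`), so an unanchored `$re` still untaints a substring rather than the whole field, which is pre-existing behaviour but deserves a sentence in Description; and no regression test accompanies the fix, so a t/ case that submits a non-matching value with untainting enabled and asserts it is rejected would pin this for future uploads.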
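Review bot: the debian/source/format hunk changes the source package format to 3.0 (quilt) as part of a stable update, which is a packaging change on top of the one-line security fix; the changelog gives the reason ("so that the patch actually gets applied") and dpkg-dev in squeeze handles that format, but the request to the Release Team should say so explicitly, and the built package should be checked (for example with debdiff against the 4.66-1 binary) to confirm that the only difference in the shipped files is the Results.pm change and that debian/patches/series lists just fix-re-when-untainting.patch.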
Attachment: signature.asc (Digital signature)