Hi,

Salvatore Bonaccorso wrote (24 Nov 2012 07:29:04 GMT) :
> Short addition to the mail before, which I missed: For a possible t-p-u
> upload I should choose 3.59+dfsg-1+deb7u1. Attached corrected debdiff.
TL;DR --> I recommend accepting this unblock request for t-p-u.

I have verified that I could reproduce the security issue on current Wheezy, that I could not reproduce it after applying this patch, and that the code still behaves well in the "good" situation (that is, when $CRLF is followed by space) after applying this patch.

The patch looks sane, and I trust Salvatore has correctly cherry-picked it from upstream.

(BTW, in case someone wants to reproduce these results, one has to insert a "\r" in the example test case found on the initial report [1] for this security issue, else one cannot possibly check that the patched code still behaves well in the "good" situation; the resulting testing code is:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\nbar\r\nbaz", ], -p3p => [ "foo\r\nbar\r\nbaz", ],);'

and:

  $ perl -Ilib -E 'use CGI qw/header/; print header( -cookie => [ "foo\r\n bar\r\n baz", ], -p3p => [ "foo\r\n bar\r\n baz", ],);'
)

[1] https://github.com/markstos/CGI.pm/pull/23

Cheers,
-- 
intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc