http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

RHSA-2013:0685

51457

55314

DSA-2586

[oss-security] 20121115 Re: CVE Request -- perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

56562

1027780

USN-1643-1

perl-cgipm-header-injection(80098)

https://github.com/markstos/CGI.pm/pull/23

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Do not extend allowable epoch values in     Time::Local::timelocal to remove useless warning on     64-bit platforms (Resolves: rhbz#1149375)

  - Fix perl segfaults with custom signal handle (Resolves:
    rhbz#991854)

  - Reorder AnyDBM_File back-end preference (Resolves:
    rhbz#1018721)

  - Fix backslash interpolation in Locale::Maketext     (Resolves: rhbz#1029016)

  - Enable year 2038 for Time::Local on 64-bit platforms     (Resolves: rhbz#1057047)

  - 800340 - strftime memory leak perl bug (RT#73520)

  - Resolves: rhbz#800340

  - Fix CVE-2012-5195 heap buffer overrun at repeatcpy     (Resolves: rhbz#915691)

  - Fix CVE-2012-5526 newline injection due to improper CRLF     escaping in Set-Cookie and P3P headers (Resolves:
    rhbz#915691)

  - Fix CVE-2012-6329 possible arbitrary code execution via     Locale::Maketext (Resolves: rhbz#915691)

  - Fix CVE-2013-1667 DoS in rehashing code (Resolves:
    rhbz#915691)

  - 848156 - Reverts code of perl-5.8.8-U32019.patch

  - Resolves: rhbz#848156

CVE-2012-5195 Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2012-5526 CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

CVE-2012-6329 The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

CVE-2013-1667 The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

The remote Solaris system is missing necessary patches to address security updates :

  - Race condition in the rmtree function in the File::Path     module in Perl 5.6.1 and 5.8.4 sets read/write     permissions for the world, which allows local users to     delete arbitrary files and directories, and possibly     read files and directories, via a symlink attack.
    (CVE-2004-0452)

  - Buffer overflow in the PerlIO implementation in Perl     5.8.0, when installed with setuid support (sperl),     allows local users to execute arbitrary code by setting     the PERLIO_DEBUG variable and executing a Perl script     whose full pathname contains a long directory tree.
    (CVE-2005-0156)

  - Race condition in the rmtree function in File::Path.pm     in Perl before 5.8.4 allows local users to create     arbitrary setuid binaries in the tree being deleted, a     different vulnerability than CVE-2004-0452.
    (CVE-2005-0448)

  - Untrusted search path vulnerability in Perl before     5.8.7-r1 on Gentoo Linux allows local users in the     portage group to gain privileges via a malicious shared     object in the Portage temporary build directory, which     is part of the RUNPATH. (CVE-2005-4278)

  - Integer overflow in the regular expression engine in     Perl 5.8.x allows context-dependent attackers to cause a     denial of service (stack consumption and application     crash) by matching a crafted regular expression against     a long string. (CVE-2010-1158)

  - Off-by-one error in the decode_xs function in     Unicode/Unicode.xs in the Encode module before 2.44, as     used in Perl before 5.15.6, might allow     context-dependent attackers to cause a denial of service     (memory corruption) via a crafted Unicode string, which     triggers a heap-based buffer overflow. (CVE-2011-2939)

  - CGI.pm module before 3.63 for Perl does not properly     escape newlines in (1) Set-Cookie or (2) P3P headers,     which might allow remote attackers to inject arbitrary     headers into responses from applications that use     CGI.pm. (CVE-2012-5526)

The remote Solaris system is missing necessary patches to address security updates :

  - Heap-based buffer overflow in the Perl_repeatcpy     function in util.c in Perl 5.12.x before 5.12.5, 5.14.x     before 5.14.3, and 5.15.x before 15.15.5 allows     context-dependent attackers to cause a denial of service     (memory consumption and crash) or possibly execute     arbitrary code via the 'x' string repeat operator.
    (CVE-2012-5195)

  - CGI.pm module before 3.63 for Perl does not properly     escape newlines in (1) Set-Cookie or (2) P3P headers,     which might allow remote attackers to inject arbitrary     headers into responses from applications that use     CGI.pm. (CVE-2012-5526)

  - The _compile function in Maketext.pm in the     Locale::Maketext implementation in Perl before 5.17.7     does not properly handle backslashes and fully qualified     method names during compilation of bracket notation,     which allows context-dependent attackers to execute     arbitrary commands via crafted input to an application     that accepts translation strings from users, as     demonstrated by the TWiki application before 5.1.3, and     the Foswiki application 1.0.x through 1.0.10 and 1.1.x     through 1.1.6. (CVE-2012-6329)

Perl was updated to fix 3 security issues :

  - fix rehash denial of service (compute time) [bnc#804415]     [CVE-2013-1667]

  - improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]

  - sanitize input in Maketext.pm to avoid code injection     [bnc#797060] [CVE-2012-6329]

In openSUSE 12.1 also the following non-security bug was fixed :

  - fix IPC::Open3 bug when '-' is used [bnc#755278]

A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.
(CVE-2013-1667)

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.
(CVE-2012-6329)

From Red Hat Security Advisory 2013:0685 :

Updated perl packages that fix multiple security issues now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Perl is a high-level programming language commonly used for system administration utilities and web programming.

A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.
(CVE-2013-1667)

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.
(CVE-2012-6329)

Red Hat would like to thank the Perl project for reporting CVE-2012-5195 and CVE-2013-1667. Upstream acknowledges Tim Brown as the original reporter of CVE-2012-5195 and Yves Orton as the original reporter of CVE-2013-1667.

All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect.

A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.
(CVE-2013-1667)

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.
(CVE-2012-6329)

All running Perl programs must be restarted for this update to take effect.

Updated perl packages that fix multiple security issues now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Perl is a high-level programming language commonly used for system administration utilities and web programming.

A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.
(CVE-2013-1667)

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.
(CVE-2012-6329)

Red Hat would like to thank the Perl project for reporting CVE-2012-5195 and CVE-2013-1667. Upstream acknowledges Tim Brown as the original reporter of CVE-2012-5195 and Yves Orton as the original reporter of CVE-2013-1667.

All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect.

This update of Perl 5 fixes the following security issues :

  - fix rehash DoS [bnc#804415] [CVE-2013-1667]

  - improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]

  - fix glob denial of service [bnc#796014] [CVE-2011-2728]

  - sanitize input in Maketext.pm [bnc#797060]     [CVE-2012-6329]

  - make getgrent work with long group entries [bnc#788388]

This update of Perl 5 fixes the following security issues :

  - fix rehash DoS [bnc#804415] [CVE-2013-1667]

  - improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]

  - fix glob denial of service [bnc#796014] [CVE-2011-2728]

  - sanitize input in Maketext.pm [bnc#797060]     [CVE-2012-6329]

A vulnerability was discovered and corrected in perl-CGI :

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm (CVE-2012-5526).

The updated packages have been patched to correct this issue.

Fix CVE-2012-5526 (escape new-lines in Set-Cookie and P3P HTTP response headers properly) in CGI-3.52.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the CGI module for Perl does not filter LF characters in the Set-Cookie and P3P headers, potentially allowing attackers to inject HTTP headers.

Two vulnerabilities were discovered in the implementation of the Perl programming language :

  - CVE-2012-5195     The 'x' operator could cause the Perl interpreter to     crash if very long strings were created.

  - CVE-2012-5526     The CGI module does not properly escape LF characters in     the Set-Cookie and P3P headers.

In addition, this update adds a warning to the Storable documentation that this package is not suitable for deserializing untrusted data.

Fix CVE-2012-5526 (escape new-lines in Set-Cookie and P3P HTTP response headers properly) in CGI-3.59.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the decode_xs function in the Encode module is vulnerable to a heap-based buffer overflow via a crafted Unicode string. An attacker could use this overflow to cause a denial of service. (CVE-2011-2939)

It was discovered that the 'new' constructor in the Digest module is vulnerable to an eval injection. An attacker could use this to execute arbitrary code. (CVE-2011-3597)

It was discovered that Perl's 'x' string repeat operator is vulnerable to a heap-based buffer overflow. An attacker could use this to execute arbitrary code. (CVE-2012-5195)

Ryo Anazawa discovered that the CGI.pm module does not properly escape newlines in Set-Cookie or P3P (Platform for Privacy Preferences Project) headers. An attacker could use this to inject arbitrary headers into responses from applications that use CGI.pm.
(CVE-2012-5526).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fix CVE-2012-5526 (escape new-lines in Set-Cookie and P3P HTTP response headers properly).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
91752	OracleVM 3.2 : perl (OVMSA-2016-0076)	Nessus	OracleVM Local Security Checks	high
85945	F5 Networks BIG-IP : Perl vulnerabilities (K15867)	Nessus	F5 Networks Local Security Checks	high
80731	Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1)	Nessus	Solaris Local Security Checks	high
80727	Oracle Solaris Third-Party Patch Update : perl-512 (cve_2012_5195_heap_buffer)	Nessus	Solaris Local Security Checks	high
74932	openSUSE Security Update : perl (openSUSE-SU-2013:0497-1)	Nessus	SuSE Local Security Checks	high
69736	Amazon Linux AMI : perl (ALAS-2013-177)	Nessus	Amazon Linux Local Security Checks	high
68797	Oracle Linux 5 / 6 : perl (ELSA-2013-0685)	Nessus	Oracle Linux Local Security Checks	high
65715	Scientific Linux Security Update : perl on SL5.x, SL6.x i386/x86_64 (20130326)	Nessus	Scientific Linux Local Security Checks	high
65698	RHEL 5 / 6 : perl (RHSA-2013:0685)	Nessus	Red Hat Local Security Checks	high
65694	CentOS 5 / 6 : perl (CESA-2013:0685)	Nessus	CentOS Local Security Checks	high
65249	SuSE 10 Security Update : Perl (ZYPP Patch Number 8479)	Nessus	SuSE Local Security Checks	high
65247	SuSE 11.2 Security Update : Perl (SAT Patch Number 7439)	Nessus	SuSE Local Security Checks	high
63284	Mandriva Linux Security Advisory : perl-CGI (MDVSA-2012:180)	Nessus	Mandriva Local Security Checks	medium
63282	Fedora 16 : perl-5.14.3-203.fc16 / perl-CGI-3.52-203.fc16 (2012-18330)	Nessus	Fedora Local Security Checks	medium
63271	Debian DSA-2587-1 : libcgi-pm-perl - HTTP header injection	Nessus	Debian Local Security Checks	medium
63270	Debian DSA-2586-1 : perl - several vulnerabilities	Nessus	Debian Local Security Checks	high
63248	Fedora 17 : perl-5.14.3-218.fc17 / perl-CGI-3.52-218.fc17 (2012-19282)	Nessus	Fedora Local Security Checks	medium
63235	Fedora 18 : perl-5.16.2-235.fc18 / perl-CGI-3.59-235.fc18 (2012-19125)	Nessus	Fedora Local Security Checks	medium
63109	Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : perl vulnerabilities (USN-1643-1)	Nessus	Ubuntu Local Security Checks	high
63081	Fedora 17 : perl-CGI-3.51-7.fc17 (2012-18318)	Nessus	Fedora Local Security Checks	medium
63043	Fedora 18 : perl-CGI-3.51-10.fc18 (2012-18362)	Nessus	Fedora Local Security Checks	medium

CVE-2012-5526

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins