SA-2003.039-perl; CAN-2003-0615

perl/perl.patch

@@ -144,3 +144,35 @@ area is.
  
  if (chdir "lib") {
      $do_installarchlib = ! samepath($installarchlib, '.');
+ 
+-----------------------------------------------------------------------------
+
+http://stein.cshl.org/WWW/software/CGI/
+    under "Revision History" find "Fixed cross-site scripting bug
+    reported by obscure" note attached to Version 2.94. A quick fix was
+    introduced in 2.94. It was replaced by a more careful patch in 2.99.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
+    Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
+    allows remote attackers to insert web script via a URL that is fed
+    into the form's action parameter
+
+This is a backport of the 2.99 patch for 2.81 which is the version
+embedded with perl 5.8.0
+
+--- lib/CGI.pm.orig	2003-09-15 14:09:34.000000000 +0200
++++ lib/CGI.pm	2003-09-15 14:16:26.000000000 +0200
+@@ -1533,8 +1533,11 @@
+     $enctype = $enctype || &URL_ENCODED;
+     unless (defined $action) {
+        $action = $self->url(-absolute=>1,-path=>1);
+-       $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
++       if (length($ENV{QUERY_STRING})>0) {
++           $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
++       }
+     }
++    $action = escape($action);
+     $action = qq(action="$action");
+     my($other) = @other ? " @other" : '';
+     $self->{'.parametersToAdd'}={};
+

perl/perl.spec

@@ -33,7 +33,7 @@ Distribution: OpenPKG [CORE]
 Group:        Language
 License:      GPL/Artistic
 Version:      5.8.0
-Release:      20030903
+Release:      20030915
 
 #   list of sources
 Source0:      ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz