[libhttp-body-perl] 01/04: Add CVE-2013-4407.patch patch

Salvatore Bonaccorso carnil at debian.org
Sat Nov 9 06:34:23 UTC 2013


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository libhttp-body-perl.

commit f4fb68d039e89c62065bc70b1c5ed8e35f297196
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Mon Oct 21 15:47:02 2013 +0200

    Add CVE-2013-4407.patch patch
    
    CVE-2013-4407: An attacker able to upload files to a service that uses
    HTTP::Body::Multipart could execute commands on the server.
    
    Closes: #721634
---
 debian/patches/CVE-2013-4407.patch |   26 ++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 27 insertions(+)

diff --git a/debian/patches/CVE-2013-4407.patch b/debian/patches/CVE-2013-4407.patch
new file mode 100644
index 0000000..5071bac
--- /dev/null
+++ b/debian/patches/CVE-2013-4407.patch
@@ -0,0 +1,26 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2013-10-21
+
+--- a/lib/HTTP/Body/MultiPart.pm
++++ b/lib/HTTP/Body/MultiPart.pm
+@@ -275,7 +275,7 @@
+ 
+             if ( $filename ne "" ) {
+                 my $basename = (File::Spec->splitpath($filename))[2];
+-                my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
++                my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
+ 
+                 my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
+ 
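Review bot: the added pattern `/(\.\w+(?:\.\w+)*)$/` restricts the characters a suffix may contain but not its length, so a part whose filename ends in a dot followed by thousands of word characters still reaches `File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix )` on the next line unchanged; consider capping the capture (for example `$suffix = substr $suffix, 0, 32` after the match) so an over-long suffix is cut down before the temporary file is created rather than failing at the filesystem. Two smaller points on the same hunk: dropping the `[^.]+` prefix of the old pattern changes dotfile handling, since a basename such as `.bashrc` now yields the suffix `.bashrc` where the old pattern yielded `q{}`, which is harmless but deserves a sentence in the Description; and the DEP-3 header cites the upstream ticket (Bug: https://rt.cpan.org/Ticket/Display.html?id=88342) while saying `Forwarded: no`, so state whether this is the same change upstream applied (then `Origin: upstream` or `backport`) or why it was not forwarded.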
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..0624ccb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-4407.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhttp-body-perl.git


