Your message dated Sat, 09 Nov 2013 06:48:36 +0000
with message-id <[email protected]>
and subject line Bug#721634: fixed in libhttp-body-perl 1.17-2
has caused the Debian Bug report #721634,
regarding libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
721634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal

Dear Maintainer,

Hello,

We discovered a critical bug in HTTP::Body::Multipart >= 1.08.
It concerns this point (see changelog):
"Temp files now preserve the suffix of the uploaded file"

The following line in HTTP::Body::Multipart is not good:

    my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};

It is too permissive. For example, with the following file name:
"2013-06-19 at 11.37.56 PM.png"
we can obtain this temp file:
"/tmp/k6gvivOIYK.37.56 PM.png"

It takes everything after the first dot, even spaces!

Previously, the tempname was always alphanumeric. No special chars.
So we could use it directly in commands like:

    my $info = `identify -format "%m" $filename 2>&1`;

With a space, the command becomes invalid. Worse: we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"

I recommend the following regexp:

    my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};

Or, for extensions like '.tar.gz':

    my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};

Or better (one or more ".word" groups at the end of the name):

    my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};

Best regards,
Jonathan Dolle

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libhttp-body-perl depends on:
ii  libpath-class-perl  0.25-1
ii  libwww-perl         6.04-1
ii  libyaml-perl        0.81-1
ii  perl                5.14.2-9

libhttp-body-perl recommends no packages.

libhttp-body-perl suggests no packages.

-- no debconf information
--- End Message ---
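The suffix regexes from the report carried through on constructed file names, together with the shell-free way of invoking an external tool that removes the injection path the report describes. This is an added example, not code from HTTP::Body or from the bug report; `identify_format` assumes ImageMagick's `identify` is installed, and the sample names are constructed.

```perl
#!/usr/bin/perl
# Added illustration for Bug#721634 (not code from HTTP::Body or the report):
# the suffix regexes side by side on constructed names, plus a shell-free exec.
use strict;
use warnings;

# Suffix extraction as shipped in HTTP::Body::Multipart 1.08 and later:
# everything after the first dot survives, spaces and shell metacharacters too.
sub suffix_permissive {
    my ($basename) = @_;
    return $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
}

# The reporter's single-extension variant: one dot plus word characters only.
sub suffix_single {
    my ($basename) = @_;
    return $basename =~ /[^.]+(\.\w+)$/ ? $1 : q{};
}

# Multi-extension variant (".tar.gz"): one or more ".word" groups at the end.
sub suffix_multi {
    my ($basename) = @_;
    return $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
}

# Running a tool on the temp file without a shell: the list form of open()
# hands $path to the child as one argument, so nothing in the name is parsed
# as a command. Contrast with `identify -format "%m" $filename 2>&1`.
sub identify_format {
    my ($path) = @_;
    open(my $fh, '-|', 'identify', '-format', '%m', $path)
        or die "cannot start identify: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed names: the report's example, a benign injection-shaped name,
# a double extension, and a name without any dot.
my @names = (
    '2013-06-19 at 11.37.56 PM.png',
    'file. || echo injected || .png',
    'backup.tar.gz',
    'README',
);
for my $n (@names) {
    printf "%-32s permissive=%-24s single=%-6s multi=%s\n", "'$n'",
        map { "'$_'" } suffix_permissive($n), suffix_single($n), suffix_multi($n);
}
```

For the first two names the permissive regex yields `.37.56 PM.png` and `. || echo injected || .png`, while both stricter variants yield `.png`; only the multi variant keeps `.tar.gz` whole.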
--- Begin Message ---
Source: libhttp-body-perl
Source-Version: 1.17-2

We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 26 Jan 2013 16:05:41 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.17-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libhttp-body-perl - module for processing data from HTTP POST requests
Closes: 721634
Changes:
 libhttp-body-perl (1.17-2) unstable; urgency=high
 .
   * Team upload.
   * Change search.cpan.org based URIs to metacpan.org based URIs
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)
   * Bump Standards-Version to 3.9.5
   * Wrap and sort fields in debian/control file
--- End Message ---

