Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu
Hi,

I just saw by chance that there is an open security issue in libwww-perl that affects stable [1]. There is a two-line upstream patch to address this [2] which also applies to the version in Lenny. I have prepared an update, see the attached debdiff.

Regards,
Ansgar

[1] <http://security-tracker.debian.org/tracker/CVE-2010-2253>
[2] <http://github.com/gisle/libwww-perl/commit/f97f339f552666ef79cdd2cf2a44032cf206bb6e>
diff -u libwww-perl-5.813/debian/changelog libwww-perl-5.813/debian/changelog --- libwww-perl-5.813/debian/changelog +++ libwww-perl-5.813/debian/changelog @@ -1,8 +1,16 @@ +libwww-perl (5.813-1+lenny2) stable; urgency=low + + * CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to + filenames suggested by the server that start with a . (dot) character. + commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e + + -- Ansgar Burchardt <[email protected]> Mon, 30 Aug 2010 01:29:12 +0900 + libwww-perl (5.813-1+lenny1) stable; urgency=low * Fix incorrect use of redo. (Closes: #591462) - -- Ansgar Burchardt <[email protected]> Wed, 04 Aug 2010 02:52:22 +0900 + -- Ansgar Burchardt <[email protected]> Sat, 07 Aug 2010 08:20:19 +0900 libwww-perl (5.813-1) unstable; urgency=low only in patch2: unchanged: --- libwww-perl-5.813.orig/bin/lwp-download +++ libwww-perl-5.813/bin/lwp-download @@ -138,7 +138,9 @@ # validate that we don't have a harmful filename now. The server # might try to trick us into doing something bad. if (!length($file) || - $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge) + $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge || + $file =~ /^\./ + ) { die "Will not save <$url> as \"$file\".\nPlease override file name on the command line.\n"; }
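Review bot: in the debian/changelog hunk, the trailer of the already-released 5.813-1+lenny1 entry is also rewritten (`Wed, 04 Aug 2010 02:52:22 +0900` becomes `Sat, 07 Aug 2010 08:20:19 +0900`); an entry for a version that has already been accepted into stable should stay byte-identical, so either drop that line pair from the debdiff or explain in the cover message why the date differs from what was uploaded. The new 5.813-1+lenny2 entry itself is fine: it names the CVE and records the upstream commit id, which is what the release team needs to cross-check the fix.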
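Review bot: in the bin/lwp-download hunk, the added `$file =~ /^\./` clause is the part that actually closes the gap, because `.` is in the allow-list of the preceding `s/([^a-zA-Z0-9_\.\-\+\~])/.../ge`, so a leading dot survives that substitution unchanged and the original condition never fired for it; the new clause also refuses the names `.` and `..`. The comment above the `if` still only says "harmful filename" in general, so add one line stating that server-suggested names beginning with a dot are rejected and must be given explicitly on the command line, matching the changelog wording. The `||` chain keeps the intended order: the escaping substitution runs first, and the dot check is evaluated only when it made no replacement, so a file that fails either test reaches the same `die` with the same override hint.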

