dilfridge 14/11/30 22:20:45 Added: HTTP-Body-1.190.0-CVE-2013-4407.patch Log: Version bump; add patch for bug 484310; remove old (Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key EBE6A336BE19039C!)
Revision Changes Path 1.1 dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch?rev=1.1&content-type=text/plain Index: HTTP-Body-1.190.0-CVE-2013-4407.patch =================================================================== Description: Allow only word characters in filename suffixes CVE-2013-4407: Allow only word characters in filename suffixes. An attacker able to upload files to a service that uses HTTP::Body::Multipart could use this issue to upload a file and create a specifically-crafted temporary filename on the server, that when processed without further validation, could allow execution of commands on the server. Origin: vendor Bug: https://rt.cpan.org/Ticket/Display.html?id=88342 Bug-Debian: http://bugs.debian.org/721634 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669 Forwarded: no Author: Salvatore Bonaccorso <[email protected]> Last-Update: 2013-10-21 Updated by Andreas K. Huettel <[email protected]> for HTTP-Body-1.19 diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm --- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm 2013-12-06 16:07:25.000000000 +0100 +++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm 2014-11-30 23:17:19.652051615 +0100 @@ -258,8 +258,8 @@ =cut -our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; -#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; +#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; +our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; sub handler { my ( $self, $part ) = @_;
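Review bot: the hunk at `@@ -258,8 +258,8 @@` keeps the old pattern alive as a comment (`#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;`) and merely swaps which of the two lines is commented out; delete the old line instead, since dead code beside the live `our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;` invites someone to flip the comment back, and the `Description:` header already records why the pattern changed. Also worth a test: under the new pattern a suffix containing anything outside `\w` (a hyphen, a space, a shell metacharacter) no longer matches at all, so the capture is undefined rather than a narrowed suffix; the body of `handler` that consumes `$basename_regexp` is not in this hunk, so confirm it handles a non-match gracefully.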
