[gentoo-commits] repo/gentoo:master commit in: dev-perl/HTTP-Body/, dev-perl/HTTP-Body/files/

Wed, 01 May 2024 19:11:10 -0700 

commit:     0401373b18f97cad54dc4df9f9e5b131aee0aa76
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Thu May  2 02:10:10 2024 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Thu May  2 02:10:48 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0401373b

dev-perl/HTTP-Body: add 1.230.0

Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild        | 43 ++++++++++++++++++++++
 dev-perl/HTTP-Body/Manifest                        |  1 +
 .../files/HTTP-Body-1.230.0-CVE-2013-4407.patch    | 33 +++++++++++++++++
 3 files changed, 77 insertions(+)

diff --git a/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild 
b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
new file mode 100644
index 000000000000..4e35d76d651b
--- /dev/null
+++ b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
@@ -0,0 +1,43 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DIST_AUTHOR=GETTY
+DIST_VERSION=1.23
+inherit perl-module
+
+DESCRIPTION="HTTP Body Parser"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+# HTTP::Headers -> HTTP-Message
+# HTTP::Request::Common -> HTTP-Message
+# IO::File -> IO
+RDEPEND="
+       virtual/perl-Carp
+       virtual/perl-Digest-MD5
+       >=virtual/perl-File-Temp-0.140.0
+       dev-perl/HTTP-Message
+       >=virtual/perl-IO-1.140.0
+"
+BDEPEND="${RDEPEND}
+       virtual/perl-ExtUtils-MakeMaker
+       test? (
+               virtual/perl-Encode
+               virtual/perl-File-Spec
+               >=virtual/perl-File-Temp-0.140.0
+               dev-perl/HTTP-Message
+               dev-perl/Test-Deep
+               >=virtual/perl-Test-Simple-0.860.0
+       )
+"
+
+PERL_RM_FILES=(
+       t/02pod.t
+       t/03podcoverage.t
+       t/04critic.t
+)
+
+PATCHES=( "${FILESDIR}/${PN}-1.230.0-CVE-2013-4407.patch" )

diff --git a/dev-perl/HTTP-Body/Manifest b/dev-perl/HTTP-Body/Manifest
index d2a831ea78f3..381c6924aeb3 100644
--- a/dev-perl/HTTP-Body/Manifest
+++ b/dev-perl/HTTP-Body/Manifest
@@ -1 +1,2 @@
 DIST HTTP-Body-1.22.tar.gz 26163 BLAKE2B 
c6b2cf67fd9964fe253251dd91a67b11563c3cb157ad670733254acb3d44fcede97dcfb84d09ed52bc9f8cc60275838abd8f110aa01aed3bb18400bcc108b255
 SHA512 
62665989d76699a3c3747d8f4e23d2009488bc229220bcf6fc07fc425e6ac5118f6ea48c75af681c2f29e9ed644d7a7979368cc36df77aca0544786b523c9cfe
+DIST HTTP-Body-1.23.tar.gz 26980 BLAKE2B 
2ad08b894a26a06089dff6294f978583d49ee5aa770fb195d01fc6db7a39bda0cb831ed5137afabbc75598e2dbe3fb8dd0681f688776270d01f99498abb17c23
 SHA512 
b02fb8652ceebdaa858ff12fe759ded62eefa7f23e5bf8b90e31a52d4433f13d29986f9646141b92a6a4ea58e1be007c6f675c3e2b26559fa0ff9333e69f3ebb

diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch 
b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
new file mode 100644
index 000000000000..e4046ec3fec3
--- /dev/null
+++ b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
@@ -0,0 +1,33 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2013-10-21
+
+Updated by Andreas K. Huettel <[email protected]> for HTTP-Body-1.19
+Updated by Andreas K. Huettel <[email protected]> for HTTP-Body-1.23
+ This version has a fix for the CVE, but the stricter regexp has served
+ us well so far...
+
+diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm 
HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm
+--- HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm     2024-03-30 
14:27:57.000000000 +1100
++++ HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm  2024-05-02 13:07:21.794271606 
+1100
+@@ -255,7 +255,7 @@
+ 
+ =cut
+ 
+-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
++our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+ our $file_temp_suffix = '.upload';
+ our $file_temp_template;
+ our %file_temp_parameters;
+

Reply via email to