
List:       gentoo-commits
Subject:    [gentoo-commits] gentoo-x86 commit in dev-perl/HTTP-Body/files: HTTP-Body-1.190.0-CVE-2013-4407.patc
From:       "Andreas Hüttel (dilfridge)" <dilfridge () gentoo ! org>
Date:       2014-11-30 22:20:45
Message-ID: 20141130222045.DBB7EB3EC () oystercatcher ! gentoo ! org

dilfridge    14/11/30 22:20:45

  Added:                HTTP-Body-1.190.0-CVE-2013-4407.patch
  Log:
  Version bump; add patch for bug 484310; remove old
  
  (Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key EBE6A336BE19039C!)

Revision  Changes    Path
1.1                  dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch?rev=1.1&content-type=text/plain


Index: HTTP-Body-1.190.0-CVE-2013-4407.patch
===================================================================
Description: Allow only word characters in filename suffixes
 CVE-2013-4407: Allow only word characters in filename suffixes. An
 attacker able to upload files to a service that uses
 HTTP::Body::Multipart could use this issue to upload a file and create
 a specifically crafted temporary filename on the server which, when
 processed without further validation, could allow execution of commands
 on the server.
Origin: vendor
Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
Bug-Debian: http://bugs.debian.org/721634
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-10-21

Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
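To make the effect of the regexp change concrete, here is an added example (not part of the Gentoo commit or of HTTP::Body itself) that runs both the pre-patch and post-patch `$basename_regexp` from the hunk below over a few constructed upload filenames; the filenames and the `extract_suffix` helper are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the Gentoo commit or HTTP::Body): compare the
# suffix captured by the pre-patch and post-patch $basename_regexp.
use strict;
use warnings;

# Both patterns are copied from the patch hunk.
my $old_regexp = qr/[^.]+(\.[^\\\/]+)$/;   # before the CVE-2013-4407 fix
my $new_regexp = qr/(\.\w+(?:\.\w+)*)$/;   # after the fix: \w-only suffix

# Returns the suffix the caller would hand to the temp-file code, or undef
# when the pattern does not match (callers must cope with undef).
sub extract_suffix {
    my ( $regexp, $filename ) = @_;
    return $filename =~ $regexp ? $1 : undef;
}

# Constructed sample filenames (hypothetical): ordinary, multi-part,
# no extension, and one carrying the shell metacharacters the advisory
# describes.
my @samples = (
    'photo.jpg',
    'archive.tar.gz',
    'README',
    'notes.txt;echo INJECTED',
);

printf "%-26s %-26s %s\n", 'filename', 'old suffix', 'new suffix';
for my $name (@samples) {
    my $old = extract_suffix( $old_regexp, $name );
    my $new = extract_suffix( $new_regexp, $name );
    printf "%-26s %-26s %s\n", $name,
        defined $old ? "'$old'" : '(no match)',
        defined $new ? "'$new'" : '(no match)';
}
```

The old pattern keeps everything after the first dot except slashes, so the metacharacter-bearing name yields a suffix containing `;` and a space, while the new pattern refuses it and returns no match; a filename without any dot matches neither pattern, so the no-match path must be handled in either case.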

diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm \
                HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm
--- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm	2013-12-06 16:07:25.000000000 \
                +0100
+++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm	2014-11-30 23:17:19.652051615 +0100
@@ -258,8 +258,8 @@
 
 =cut
 
-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
-#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
 
 sub handler {
     my ( $self, $part ) = @_;
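Review bot: the old pattern is left behind as dead code on the `#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;` line; drop the commented-out line, since the patch header already records what changed and why. Separately, the new `qr/(\.\w+(?:\.\w+)*)$/` fails to match more filenames than the old one did (the old `[^\\\/]+` accepted any suffix character except a slash, the new `\w+` accepts only word characters), but this hunk does not show how `handler` behaves when the match fails; please confirm the no-match path leaves the suffix empty rather than dying or using a stale `$1`, and add a test with a suffix containing non-word characters to pin that behaviour down.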

