Your message dated Thu, 28 Nov 2013 21:49:19 +0000
with message-id <e1vm9sz-0004ii...@franck.debian.org>
and subject line Bug#721634: fixed in libhttp-body-perl 1.11-1+deb7u1
has caused the Debian Bug report #721634,
regarding libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
721634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal
Dear Maintainer,
Hello,
We discovered a critical bug in HTTP::Body::Multipart >= 1.08.
It concerns this point (see the changelog):
"Temp files now preserve the suffix of the uploaded file"
The following line in HTTP::Body::Multipart is not good:
my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
It is too permissive.
For example, with the following file name:
"2013-06-19 at 11.37.56 PM.png"
We can obtain this temp file:
"/tmp/k6gvivOIYK.37.56 PM.png"
It takes everything after the first dot, even spaces!
Previously, the tempname was always alphanumeric. No special chars. So we could
use it directly in commands like:
my $info = `identify -format "%m" $filename 2>&1`;
With a space, the command becomes invalid. Worse: we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"
I recommend the following regexp:
my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};
Or, for extensions like '.tar.gz':
my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};
Or better:
my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
Best regards,
Jonathan Dolle
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libhttp-body-perl depends on:
ii libpath-class-perl 0.25-1
ii libwww-perl 6.04-1
ii libyaml-perl 0.81-1
ii perl 5.14.2-9
libhttp-body-perl recommends no packages.
libhttp-body-perl suggests no packages.
-- no debconf information
--- End Message ---
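Added example, not code from the bug report or from HTTP::Body: the suffix regexes discussed above ported from Perl to Python's `re` (the two dialects agree for these patterns), run over the two file names quoted in the report plus two constructed ones, so you can see what each pattern hands to the temp-file name and whether that suffix is safe to interpolate into a shell command. The multi-part variant is written as `(?:\.\w+)+` (each dot followed by one or more word characters); all function and variable names are my own.

```python
import re

# Constructed sample basenames: the first two are the file names quoted in the
# bug report; the last two are added here (multi-part extension, no extension).
SAMPLE_NAMES = [
    "2013-06-19 at 11.37.56 PM.png",
    "file. || rm -rf ~ || .png",
    "archive.tar.gz",
    "README",
]

# Suffix pattern of HTTP::Body::Multipart 1.08 through 1.11, ported from Perl
# to Python's re: everything after the first dot that contains no slash or
# backslash is kept, spaces and shell metacharacters included.
VULNERABLE = re.compile(r"[^.]+(\.[^\\/]+)$")
# Stricter pattern from the report: one dot followed by word characters only.
SINGLE_EXT = re.compile(r"[^.]+(\.\w+)$")
# Variant that also keeps multi-part extensions such as .tar.gz.
MULTI_EXT = re.compile(r"[^.]+((?:\.\w+)+)$")
# Anything outside [A-Za-z0-9_.] would need quoting before the temp file name
# could be interpolated into a shell command such as the `identify` call above.
SHELL_META = re.compile(r"[^\w.]")


def suffix(basename, pattern):
    """Mirror the module's `$1 : q{}`: captured suffix, or '' when no match."""
    m = pattern.search(basename)
    return m.group(1) if m else ""


def is_shell_safe(sfx):
    """True when the suffix contains only word characters and dots."""
    return SHELL_META.search(sfx) is None


def compare(basename):
    """Suffix each pattern extracts from basename, paired with its safety."""
    patterns = (("vulnerable", VULNERABLE), ("single_ext", SINGLE_EXT),
                ("multi_ext", MULTI_EXT))
    return {label: (suffix(basename, pat), is_shell_safe(suffix(basename, pat)))
            for label, pat in patterns}


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        for label, (sfx, safe) in compare(name).items():
            print(f"{name!r:34} {label:11} {sfx!r:26} safe={safe}")
```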
--- Begin Message ---
Source: libhttp-body-perl
Source-Version: 1.11-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 721...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libhttp-body-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 15 Nov 2013 10:47:51 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.11-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libhttp-body-perl - module for manipulating HTTP POST data as an object
Closes: 721634
Changes:
libhttp-body-perl (1.11-1+deb7u1) wheezy-security; urgency=high
.
* Team upload.
* Add CVE-2013-4407.patch patch.
CVE-2013-4407: An attacker able to upload files to a service that uses
HTTP::Body::Multipart could execute commands on the server.
(Closes: #721634)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---