Your message dated Thu, 28 Nov 2013 21:49:19 +0000 with message-id <[email protected]> and subject line Bug#721634: fixed in libhttp-body-perl 1.11-1+deb7u1 has caused the Debian Bug report #721634, regarding libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
721634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal

Dear Maintainer,

Hello,

We discovered a critical bug in HTTP::Body::Multipart >= 1.08. It concerns this point (see changelog):

    "Temp files now preserve the suffix of the uploaded file"

The following line in HTTP::Body::Multipart is not good:

    my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};

It is too permissive. For example, with the following file name:

    "2013-06-19 at 11.37.56 PM.png"

we can obtain this temp file:

    "/tmp/k6gvivOIYK.37.56 PM.png"

It takes everything after the first dot, even spaces!

Previously, the tempname was always alphanumeric. No special chars. So we could use it directly in commands like:

    my $info = `identify -format "%m" $filename 2>&1`;

With a space, the command becomes invalid. Worse: we can easily do 'injections'. For example with a filename like:

    "file. || rm -rf ~ || .png"

I recommend the following regexp:

    my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};

Or, for extensions like '.tar.gz':

    my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};

Or better:

    # one or more ".word" groups, so '.tar.gz' is kept whole
    my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};

Best regards,
Jonathan Dolle

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libhttp-body-perl depends on:
ii  libpath-class-perl  0.25-1
ii  libwww-perl         6.04-1
ii  libyaml-perl        0.81-1
ii  perl                5.14.2-9

libhttp-body-perl recommends no packages.

libhttp-body-perl suggests no packages.

-- no debconf information
--- End Message ---
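The suffix regex and the injection route described in the report above, worked through as an added example that is not part of the bug thread or of HTTP::Body itself: `suffix_permissive` is the pattern the report quotes, `suffix_restricted` a tightened one, and `identify_format` (a name assumed here) replaces the backtick call with a list-form pipe open so the temp path is never parsed by a shell.

```perl
#!/usr/bin/perl
# Added example, not code from HTTP::Body or the bug report. It contrasts the
# suffix regex HTTP::Body::Multipart 1.08 introduced with a restricted one, on
# the filenames quoted in the report, and shows the safe way to hand the temp
# file name to an external tool (argument list, no shell).
use strict;
use warnings;
use File::Temp qw(tempfile);

# Pattern from the report: keeps everything after the first dot, spaces and
# shell metacharacters included.
sub suffix_permissive {
    my ($basename) = @_;
    return $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
}

# Restricted pattern: one or more ".word" groups (\w = [A-Za-z0-9_]), so
# ".tar.gz" survives but nothing outside that set can reach the temp name.
sub suffix_restricted {
    my ($basename) = @_;
    return $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
}

# Even with a clean suffix, never interpolate a file name into a shell string
# (the report's `identify ... $filename` backticks). A list-form pipe open
# passes each argument verbatim, so metacharacters are never interpreted.
sub identify_format {
    my ($path) = @_;
    open(my $out, '-|', 'identify', '-format', '%m', $path)
        or return "identify not run: $!";
    my $type = do { local $/; <$out> };
    close $out;
    return $type // '';
}

# Constructed inputs: the two names from the report plus a double extension.
# DIR => '/tmp' mirrors the path in the report and is an assumption.
for my $name ('2013-06-19 at 11.37.56 PM.png',
              'file. || rm -rf ~ || .png',
              'archive.tar.gz') {
    my ($fh, $tmp) = tempfile('XXXXXXXXXX', DIR => '/tmp',
                              SUFFIX => suffix_restricted($name), UNLINK => 1);
    printf "%-32s permissive=%-24s restricted=%s\n  temp file: %s\n",
        "'$name'", "'" . suffix_permissive($name) . "'",
        "'" . suffix_restricted($name) . "'", $tmp;
}
```

`identify_format` is not called in the loop because the temp files here are empty; it stands in for the backtick invocation in the report once a real upload has been written to the temp path.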
--- Begin Message ---
Source: libhttp-body-perl
Source-Version: 1.11-1+deb7u1

We believe that the bug you reported is fixed in the latest version of libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Nov 2013 10:47:51 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.11-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libhttp-body-perl - module for manipulating HTTP POST data as an object
Closes: 721634
Changes:
 libhttp-body-perl (1.11-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)
--- End Message ---

