aboutsummaryrefslogtreecommitdiffstats
path: root/main/perl-http-body
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-12-03 14:28:50 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-12-03 14:39:36 +0000
commit213ebd008f5f44ea962bebeb139ec959c8c5ce4d (patch)
tree585189e25b3fc8fbd51caf4b25af88a21a2cad57 /main/perl-http-body
parentadc79e42efe943ea505ff76d79f3fbbd03d615c6 (diff)
downloadaports-213ebd008f5f44ea962bebeb139ec959c8c5ce4d.tar.bz2
aports-213ebd008f5f44ea962bebeb139ec959c8c5ce4d.tar.xz
main/perl-http-body: upgrade to 1.17 and fix CVE-2013-4407
ref #2456
Diffstat (limited to 'main/perl-http-body')
-rw-r--r--main/perl-http-body/APKBUILD13
-rw-r--r--main/perl-http-body/CVE-2013-4407.patch26
2 files changed, 36 insertions, 3 deletions
diff --git a/main/perl-http-body/APKBUILD b/main/perl-http-body/APKBUILD
index cabfbabe5d..8310d57afc 100644
--- a/main/perl-http-body/APKBUILD
+++ b/main/perl-http-body/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=perl-http-body
-pkgver=1.15
+pkgver=1.17
pkgrel=0
pkgdesc="HTTP::Body perl module"
url="http://search.cpan.org/dist/HTTP-Body/"
@@ -11,7 +11,9 @@ depends="perl perl-http-message perl-uri"
makedepends="perl-dev perl-test-deep"
install=""
subpackages="$pkgname-doc"
-source="http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz"
+source="http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz
+ CVE-2013-4407.patch
+ "
_builddir="$srcdir"/HTTP-Body-$pkgver
prepare() {
@@ -36,4 +38,9 @@ package() {
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-md5sums="cccf0211c15a9fed67c68c826c5efeaf HTTP-Body-1.15.tar.gz"
+md5sums="3c14ccc3af652aa5297b9fc87d263b3b HTTP-Body-1.17.tar.gz
+8e5a8675955e2bb7a23579be4df6558d CVE-2013-4407.patch"
+sha256sums="131cdae4a4c8ee1b2b17c90db30c534d3f87f3a89c3133e3a0aab1f058fbe690 HTTP-Body-1.17.tar.gz
+5bacbbeda2c4297188f2fdfb03ee7d00785452bb72fac8ac0e8bd5e3575c7061 CVE-2013-4407.patch"
+sha512sums="978ed98929bd7a829f97a1f9adb847f2fc7cf84428c7356d19a5747dfd7679702754869cbf819882e4580aa72af037d0a40b2e5f91e18baf5497068d2f857eae HTTP-Body-1.17.tar.gz
+f6a53949bdb592e9cf10771f3b38b538ac8aeacaddbb7f4f71528147ae2c16ff27a1b191210ec3df3592ad5377beaef4db988ae5eb7a003f4aea558c02995d69 CVE-2013-4407.patch"
diff --git a/main/perl-http-body/CVE-2013-4407.patch b/main/perl-http-body/CVE-2013-4407.patch
new file mode 100644
index 0000000000..5071bac31a
--- /dev/null
+++ b/main/perl-http-body/CVE-2013-4407.patch
@@ -0,0 +1,26 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+--- a/lib/HTTP/Body/MultiPart.pm
++++ b/lib/HTTP/Body/MultiPart.pm
+@@ -275,7 +275,7 @@
+
+ if ( $filename ne "" ) {
+ my $basename = (File::Spec->splitpath($filename))[2];
+- my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
++ my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
+
+ my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
+