authorNatanael Copa <ncopa@alpinelinux.org>2013-12-03 14:28:50 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-12-03 14:39:36 +0000
commit213ebd008f5f44ea962bebeb139ec959c8c5ce4d (patch)
tree585189e25b3fc8fbd51caf4b25af88a21a2cad57 /main/perl-http-body/CVE-2013-4407.patch
parentadc79e42efe943ea505ff76d79f3fbbd03d615c6 (diff)
main/perl-http-body: upgrade to 1.17 and fix CVE-2013-4407
ref #2456
Diffstat (limited to 'main/perl-http-body/CVE-2013-4407.patch')
-rw-r--r--main/perl-http-body/CVE-2013-4407.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/main/perl-http-body/CVE-2013-4407.patch b/main/perl-http-body/CVE-2013-4407.patch
new file mode 100644
index 000000000..5071bac31
--- /dev/null
+++ b/main/perl-http-body/CVE-2013-4407.patch
@@ -0,0 +1,26 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+--- a/lib/HTTP/Body/MultiPart.pm
++++ b/lib/HTTP/Body/MultiPart.pm
+@@ -275,7 +275,7 @@
+
+ if ( $filename ne "" ) {
+ my $basename = (File::Spec->splitpath($filename))[2];
+- my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
++ my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
+
+ my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
+
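Review bot: The replacement regex on the `++` line keeps `$` as its end anchor, which also matches before a trailing newline in the basename; the `\w`-only capture means the newline cannot reach the suffix, but `\z` states the intent exactly: `my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)\z/ ? $1 : q{};`. Note that `\w` is Unicode-aware on decoded strings, so if only ASCII suffixes should be handed to File::Temp the `/a` modifier would be needed as well. The commit title says the package is upgraded to 1.17; if that upstream release already carries this change the patch would be redundant or fail to apply, which is worth confirming against the 1.17 changelog. The enclosing `if ( $filename ne "" )` block continues outside the quoted hunk.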