Bug 11727

Summary: perl-HTTP-Body new security issue CVE-2013-4407
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: jquelin, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/574751/
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: perl-HTTP-Body-1.170.0-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-22 01:05:28 CET 
Debian has issued an advisory today (November 21):
http://lists.debian.org/debian-security-announce/2013/msg00214.html

RedHat has rated this as a high severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1005669

A patch was written by a Debian developer, there's a link to the commit here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated perl-HTTP-Body package fixes security vulnerability:

Jonathan Dolle reported a design error in HTTP::Body, a Perl module for
processing data from HTTP POST requests. The HTTP body multipart parser
creates temporary files which preserve the suffix of the uploaded file.
An attacker able to upload files to a service that uses
HTTP::Body::Multipart could potentially execute commands on the server
if these temporary filenames are used in subsequent commands without
further checks (CVE-2013-4407).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
http://www.debian.org/security/2013/dsa-2801
========================

Updated packages in core/updates_testing:
========================
perl-HTTP-Body-1.150.0-1.1.mga2
perl-HTTP-Body-1.170.0-2.1.mga3

from SRPMS:
perl-HTTP-Body-1.150.0-1.1.mga2.src.rpm
perl-HTTP-Body-1.170.0-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-22 01:05:43 CET

CC: (none) => jquelin
Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-11-22 10:55:43 CET 
Just checking that the sample script on cpan doesn't cause errors

http://search.cpan.org/~getty/HTTP-Body-1.17/lib/HTTP/Body.pm

It actually does error due to it missing a ; after
$body->param_order towards the end, but when that is fixed..
claire robinson 2013-11-22 10:56:29 CET

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 2 claire robinson 2013-11-22 11:22:49 CET 
Testing complete mga2 32 & 64 and mga3 32 & 64
Comment 3 claire robinson 2013-11-22 11:30:07 CET 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

David Walser 2013-11-22 17:11:52 CET

URL: (none) => http://lwn.net/Vulnerabilities/574751/

Comment 4 Thomas Backlund 2013-11-22 20:29:47 CET 

Update pushed:
http://advisories.mageia.org/MGASA-2013-0352.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED