Bug 11727 - perl-HTTP-Body new security issue CVE-2013-4407
Summary: perl-HTTP-Body new security issue CVE-2013-4407
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574751/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-11-22 01:05 CET by David Walser
Modified: 2013-11-22 20:29 CET (History)
3 users (show)

See Also:
Source RPM: perl-HTTP-Body-1.170.0-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-11-22 01:05:28 CET
Debian has issued an advisory today (November 21):
http://lists.debian.org/debian-security-announce/2013/msg00214.html

RedHat has rated this as a high severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1005669

A patch was written by a Debian developer, there's a link to the commit here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated perl-HTTP-Body package fixes security vulnerability:

Jonathan Dolle reported a design error in HTTP::Body, a Perl module for
processing data from HTTP POST requests. The HTTP body multipart parser
creates temporary files which preserve the suffix of the uploaded file.
An attacker able to upload files to a service that uses
HTTP::Body::Multipart could potentially execute commands on the server
if these temporary filenames are used in subsequent commands without
further checks (CVE-2013-4407).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
http://www.debian.org/security/2013/dsa-2801
========================

Updated packages in core/updates_testing:
========================
perl-HTTP-Body-1.150.0-1.1.mga2
perl-HTTP-Body-1.170.0-2.1.mga3

from SRPMS:
perl-HTTP-Body-1.150.0-1.1.mga2.src.rpm
perl-HTTP-Body-1.170.0-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-11-22 10:55:43 CET
Just checking that the sample script on cpan doesn't cause errors

http://search.cpan.org/~getty/HTTP-Body-1.17/lib/HTTP/Body.pm

It actually does error due to it missing a ; after
$body->param_order towards the end, but when that is fixed..
Comment 2 claire robinson 2013-11-22 11:22:49 CET
Testing complete mga2 32 & 64 and mga3 32 & 64
Comment 3 claire robinson 2013-11-22 11:30:07 CET
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 4 Thomas Backlund 2013-11-22 20:29:47 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0352.html

Note You need to log in before you can comment on or make changes to this bug.