Bug 11727 - perl-HTTP-Body new security issue CVE-2013-4407
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574751/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Reported: 2013-11-22 01:05 CET by David Walser
Modified: 2013-11-22 20:29 CET (History)
Source RPM: perl-HTTP-Body-1.170.0-2.mga3.src.rpm
Description David Walser 2013-11-22 01:05:28 CET
Debian has issued an advisory today (November 21):
http://lists.debian.org/debian-security-announce/2013/msg00214.html

RedHat has rated this as a high severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1005669

A patch was written by a Debian developer, there's a link to the commit here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated perl-HTTP-Body package fixes security vulnerability:

Jonathan Dolle reported a design error in HTTP::Body, a Perl module for
processing data from HTTP POST requests. The HTTP body multipart parser
creates temporary files which preserve the suffix of the uploaded file.
An attacker able to upload files to a service that uses
HTTP::Body::Multipart could potentially execute commands on the server
if these temporary filenames are used in subsequent commands without
further checks (CVE-2013-4407).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
http://www.debian.org/security/2013/dsa-2801
========================

Updated packages in core/updates_testing:
========================
perl-HTTP-Body-1.150.0-1.1.mga2
perl-HTTP-Body-1.170.0-2.1.mga3

from SRPMS:
perl-HTTP-Body-1.150.0-1.1.mga2.src.rpm
perl-HTTP-Body-1.170.0-2.1.mga3.src.rpm

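The advisory text above describes the hazard: the multipart parser names its temporary file after the client-supplied filename, so whatever suffix the uploader chose ends up in a path that server code may later hand to a command. The script below is an added example written for this page, not code from the bug report, from Mageia, or from the HTTP::Body project. It assumes HTTP::Body is installed, builds a multipart request body inline (constructed for the example, not a real capture), and then applies the checks a consuming application should make regardless of whether the module itself is patched: reduce the client name to a safe character set, refuse to use a temp path containing anything outside File::Temp's own character set, and call external programs only via the list form of system() so no shell ever parses the path. The helpers safe_basename, tempname_is_safe and relocate_upload are this example's own names, not part of the module's API.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the HTTP::Body project):
# defensive handling of HTTP::Body uploads so that a client-chosen file
# suffix can never reach a shell. Assumes HTTP::Body is installed; the
# multipart request body below is constructed for the example.
use strict;
use warnings;
use HTTP::Body;
use File::Basename qw(basename);
use File::Copy     qw(copy);
use File::Temp     ();

my $boundary = 'ExampleBoundary1234';
my $crlf     = "\r\n";

# Constructed request body: one file field whose filename carries a
# semicolon and a space, characters a shell would interpret.
my $body_str = join '', map { "$_$crlf" } (
    "--$boundary",
    'Content-Disposition: form-data; name="upload"; filename="quarterly report;v2.txt"',
    'Content-Type: text/plain',
    '',
    'example file contents',
    "--$boundary--",
);

# Reduce a client-supplied name to a conservative character set.
sub safe_basename {
    my ($name) = @_;
    my $base = basename($name // 'upload');   # drop any directory part
    $base =~ s/[^A-Za-z0-9._-]/_/g;           # anything else becomes '_'
    $base =~ s/^\.+//;                        # no leading dots ('.', '..', dotfiles)
    return length $base ? $base : 'upload';
}

# Only trust a temp file path made of characters File::Temp itself uses.
sub tempname_is_safe {
    my ($path) = @_;
    return $path =~ m{\A[A-Za-z0-9._/-]+\z} ? 1 : 0;
}

# Move an upload into a fresh File::Temp whose suffix we chose, not the client.
sub relocate_upload {
    my ($up) = @_;
    my ($ext) = safe_basename($up->{filename}) =~ /(\.[A-Za-z0-9]{1,10})\z/;
    my $tmp = File::Temp->new(SUFFIX => $ext // '', UNLINK => 0);
    copy($up->{tempname}, $tmp->filename) or die "copy failed: $!";
    unlink $up->{tempname};
    return $tmp->filename;
}

# Feed the constructed body to the parser exactly as a web framework would.
my $hb = HTTP::Body->new("multipart/form-data; boundary=$boundary", length $body_str);
$hb->add($body_str);

for my $field (sort keys %{ $hb->upload }) {
    my $up = $hb->upload->{$field};
    # A form field that appears more than once yields an array reference.
    for my $u (ref $up eq 'ARRAY' ? @$up : $up) {
        my $path = tempname_is_safe($u->{tempname}) ? $u->{tempname} : relocate_upload($u);
        printf "%s: client name %s -> stored as %s (%d bytes)\n",
            $field, safe_basename($u->{filename}), $path, $u->{size};
        # List form of system(): arguments go straight to execve, so no
        # shell ever sees the path, whatever suffix the uploader picked.
        system('wc', '-c', '--', $path) == 0 or warn "wc failed: $?";
    }
}
```

With an unpatched module the temp file for this request would carry the client's suffix verbatim; tempname_is_safe then fails and the data is copied to a new File::Temp with a `.txt` suffix derived from the sanitized name. With a patched module the original temp path passes the check and is used directly. Either way the external command receives the path as a single argv element, which is the check the advisory's "used in subsequent commands without further checks" clause is asking for.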
Comment 1 claire robinson 2013-11-22 10:55:43 CET
Just checking that the sample script on cpan doesn't cause errors

http://search.cpan.org/~getty/HTTP-Body-1.17/lib/HTTP/Body.pm

It actually does error due to it missing a ; after
$body->param_order towards the end, but when that is fixed..
Comment 2 claire robinson 2013-11-22 11:22:49 CET
Testing complete mga2 32 & 64 and mga3 32 & 64
Comment 3 claire robinson 2013-11-22 11:30:07 CET
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 4 Thomas Backlund 2013-11-22 20:29:47 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0352.html
