Bug 11727 - perl-HTTP-Body new security issue CVE-2013-4407
Summary: perl-HTTP-Body new security issue CVE-2013-4407
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574751/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-11-22 01:05 CET by David Walser
Modified: 2013-11-22 20:29 CET (History)
3 users (show)

See Also:
Source RPM: perl-HTTP-Body-1.170.0-2.mga3.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-11-22 01:05:28 CET 
Debian has issued an advisory today (November 21):
http://lists.debian.org/debian-security-announce/2013/msg00214.html

RedHat has rated this as a high severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1005669

A patch was written by a Debian developer, there's a link to the commit here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated perl-HTTP-Body package fixes security vulnerability:

Jonathan Dolle reported a design error in HTTP::Body, a Perl module for
processing data from HTTP POST requests. The HTTP body multipart parser
creates temporary files which preserve the suffix of the uploaded file.
An attacker able to upload files to a service that uses
HTTP::Body::Multipart could potentially execute commands on the server
if these temporary filenames are used in subsequent commands without
further checks (CVE-2013-4407).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
http://www.debian.org/security/2013/dsa-2801
========================

Updated packages in core/updates_testing:
========================
perl-HTTP-Body-1.150.0-1.1.mga2
perl-HTTP-Body-1.170.0-2.1.mga3

from SRPMS:
perl-HTTP-Body-1.150.0-1.1.mga2.src.rpm
perl-HTTP-Body-1.170.0-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-22 01:05:43 CET

CC: (none) => jquelin
Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-11-22 10:55:43 CET 
Just checking that the sample script on cpan doesn't cause errors

http://search.cpan.org/~getty/HTTP-Body-1.17/lib/HTTP/Body.pm

It actually does error due to it missing a ; after
$body->param_order towards the end, but when that is fixed..
claire robinson 2013-11-22 10:56:29 CET

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 2 claire robinson 2013-11-22 11:22:49 CET 
Testing complete mga2 32 & 64 and mga3 32 & 64
Comment 3 claire robinson 2013-11-22 11:30:07 CET 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

David Walser 2013-11-22 17:11:52 CET

URL: (none) => http://lwn.net/Vulnerabilities/574751/

Comment 4 Thomas Backlund 2013-11-22 20:29:47 CET 

Update pushed:
http://advisories.mageia.org/MGASA-2013-0352.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.