Commit 213ebd00 in alpine/aports, authored Dec 03, 2013 by Natanael Copa
main/perl-http-body: upgrade to 1.17 and fix CVE-2013-4407
ref #2456
parent adc79e42
main/perl-http-body/APKBUILD
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
perl-http-body
pkgver
=
1.1
5
pkgver
=
1.1
7
pkgrel
=
0
pkgdesc
=
"HTTP::Body perl module"
url
=
"http://search.cpan.org/dist/HTTP-Body/"
...
...
@@ -11,7 +11,9 @@ depends="perl perl-http-message perl-uri"
makedepends
=
"perl-dev perl-test-deep"
install
=
""
subpackages
=
"
$pkgname
-doc"
source
=
"http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-
$pkgver
.tar.gz"
source
=
"http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-
$pkgver
.tar.gz
CVE-2013-4407.patch
"
_builddir
=
"
$srcdir
"
/HTTP-Body-
$pkgver
prepare
()
{
...
...
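Review bot: no hunk in this diff touches prepare(), so adding CVE-2013-4407.patch to source= only gets the file fetched and checksummed; whether it is applied depends on the unchanged prepare() body, which is not visible here. If prepare() does not already apply the *.patch entries from $source, the package builds from unpatched 1.17 sources while the commit message claims the CVE is fixed. Please confirm that it does, or add an explicit patch step in prepare(). Also note that the tarball URL in source= is plain http://, so the checksums at the end of the APKBUILD are the only integrity check on the download.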
@@ -36,4 +38,9 @@ package() {
find
"
$pkgdir
"
\(
-name
perllocal.pod
-o
-name
.packlist
\)
-delete
}
md5sums
=
"cccf0211c15a9fed67c68c826c5efeaf HTTP-Body-1.15.tar.gz"
md5sums
=
"3c14ccc3af652aa5297b9fc87d263b3b HTTP-Body-1.17.tar.gz
8e5a8675955e2bb7a23579be4df6558d CVE-2013-4407.patch"
sha256sums
=
"131cdae4a4c8ee1b2b17c90db30c534d3f87f3a89c3133e3a0aab1f058fbe690 HTTP-Body-1.17.tar.gz
5bacbbeda2c4297188f2fdfb03ee7d00785452bb72fac8ac0e8bd5e3575c7061 CVE-2013-4407.patch"
sha512sums
=
"978ed98929bd7a829f97a1f9adb847f2fc7cf84428c7356d19a5747dfd7679702754869cbf819882e4580aa72af037d0a40b2e5f91e18baf5497068d2f857eae HTTP-Body-1.17.tar.gz
f6a53949bdb592e9cf10771f3b38b538ac8aeacaddbb7f4f71528147ae2c16ff27a1b191210ec3df3592ad5377beaef4db988ae5eb7a003f4aea558c02995d69 CVE-2013-4407.patch"
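Review bot: md5sums is carried forward next to the new sha256sums and sha512sums, and with the tarball fetched over plain HTTP the MD5 entry offers no protection against a deliberately substituted file. The sha256/sha512 lines are what the build should rely on, so consider dropping md5sums as soon as the tooling allows, and make sure the new digests were computed from a tarball checked against an independent copy rather than from a single HTTP download.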
main/perl-http-body/CVE-2013-4407.patch
0 → 100644
Description: Allow only word characters in filename suffixes
CVE-2013-4407: Allow only word characters in filename suffixes. An
attacker able to upload files to a service that uses
HTTP::Body::Multipart could use this issue to upload a file and create
a specifically-crafted temporary filename on the server, that when
processed without further validation, could allow execution of commands
on the server.
Origin: vendor
Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
Bug-Debian: http://bugs.debian.org/721634
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-10-21
--- a/lib/HTTP/Body/MultiPart.pm
+++ b/lib/HTTP/Body/MultiPart.pm
@@ -275,7 +275,7 @@
if ( $filename ne "" ) {
my $basename = (File::Spec->splitpath($filename))[2];
- my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
+ my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
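Review bot: in the new regex on the `my $suffix` line, `\w` is limited to ASCII word characters only when the filename is an undecoded byte string; on a decoded character string it also matches Unicode letters and digits. If the intent is the narrow set the Description implies, writing the class as `[A-Za-z0-9_]` (or adding the `/a` modifier) states the allow-list explicitly and does not depend on how the caller decoded the header. The header says "Forwarded: no" while linking the rt.cpan.org ticket, so the patch should be tracked against upstream and dropped once a release carries the fix. A regression test that feeds a filename with shell metacharacters in the suffix and checks the resulting temp file name would pin the behaviour.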
Alexander Belous @belousa mentioned in issue #2456 (closed) · Jul 12, 2019