libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug

Related Vulnerabilities: CVE-2013-4407  

Debian Bug report logs - #721634


Reported by: Jonathan Dolle <jonathan.dolle@groupsquad.com>

Date: Mon, 2 Sep 2013 15:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libhttp-body-perl/1.11-1

Fixed in versions libhttp-body-perl/1.17-2, libhttp-body-perl/1.11-1+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=88342


Report forwarded to debian-bugs-dist@lists.debian.org, jonathan.dolle@groupsquad.com, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Mon, 02 Sep 2013 15:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
New Bug report received and forwarded. Copy sent to jonathan.dolle@groupsquad.com, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 02 Sep 2013 15:51:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jonathan Dolle <jonathan.dolle@groupsquad.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libhttp-body-perl: HTTP::Body::Multipart critical security bug
Date: Mon, 02 Sep 2013 17:47:57 +0200
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal

Dear Maintainer,

Hello,

We discovered a critical bug in HTTP::Body::Multipart >= 1.08.

It concerns this point (see changelog):
	"Temp files now preserve the suffix of the uploaded file"

The following line in HTTP::Body::Multipart is not good:
my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};


It is too permissive.
For example, with the following file name:
"2013-06-19 at 11.37.56 PM.png"

We can obtain this temp file :
"/tmp/k6gvivOIYK.37.56 PM.png"

It takes everything after the first dot, even spaces!

Previously, the tempname was always alphanumeric. No special chars. So we could use it directly in commands like:
my $info = `identify -format "%m" $filename 2>&1`;

With a space, the command becomes invalid. Worse: we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"

I recommend the following regexp:
my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};

Or, for extension like '.tar.gz':
my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};
Or better:
my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};


Best regards,
Jonathan Dolle


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libhttp-body-perl depends on:
ii  libpath-class-perl  0.25-1
ii  libwww-perl         6.04-1
ii  libyaml-perl        0.81-1
ii  perl                5.14.2-9

libhttp-body-perl recommends no packages.

libhttp-body-perl suggests no packages.

-- no debconf information
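The suffix handling discussed in this report, as an added example written for this page (not code from HTTP::Body, from the reporter or from the Debian patch): it runs the permissive regex and a restricted variant over constructed filenames, and shows the list form of open() as the way to call a tool such as identify on the temp file without a shell. The identify_format sub assumes ImageMagick's identify and is defined but not called.

```perl
#!/usr/bin/perl
# Added example, not code from HTTP::Body or from the bug report: compares
# the permissive suffix regex quoted above with a restricted one on
# constructed filenames, and shows how to run an external tool on the
# resulting temp file without ever involving a shell.
use strict;
use warnings;

# Regex from HTTP::Body::Multipart >= 1.08 as quoted in the report:
# everything after the first dot is kept, spaces and shell syntax included.
sub suffix_permissive {
    my ($basename) = @_;
    return $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
}

# Restricted variant: one or more dot-separated runs of word characters,
# so '.tar.gz' survives but ' PM.png' or ' || ... .png' collapse to '.png'.
sub suffix_restricted {
    my ($basename) = @_;
    return $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
}

# Even with a sanitised suffix, the temp path must not be interpolated into
# a backtick or single-string system() call. The list form of open() execs
# the program directly, so $path is one argv element whatever it contains.
# (identify is ImageMagick's; this sub is defined but not called below.)
sub identify_format {
    my ($path) = @_;
    open(my $fh, '-|', 'identify', '-format', '%m', $path)
        or die "cannot run identify: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed inputs: the first two filenames are the ones from the report.
my @names = (
    '2013-06-19 at 11.37.56 PM.png',
    'file. || rm -rf ~ || .png',
    'archive.tar.gz',
    'noextension',
);

for my $name (@names) {
    printf qq{%-34s permissive=%-26s restricted="%s"\n},
        qq{"$name"}, qq{"} . suffix_permissive($name) . qq{"},
        suffix_restricted($name);
}
```

For the first two names the permissive regex yields ".37.56 PM.png" and ". || rm -rf ~ || .png", while the restricted one yields ".png" in both cases and keeps ".tar.gz" intact.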



Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=88342'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:04 GMT) (full text, mbox, link).


Severity set to 'grave' from 'normal' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:05 GMT) (full text, mbox, link).


Added tag(s) upstream and security. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:06 GMT) (full text, mbox, link).


Changed Bug title to 'libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug' from 'libhttp-body-perl: HTTP::Body::Multipart critical security bug' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Oct 2013 11:24:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Mon, 21 Oct 2013 18:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 21 Oct 2013 18:18:04 GMT) (full text, mbox, link).


Message #18 received at 721634@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonathan Dolle <jonathan.dolle@groupsquad.com>, 721634@bugs.debian.org
Subject: Re: Bug#721634: libhttp-body-perl: HTTP::Body::Multipart critical security bug
Date: Mon, 21 Oct 2013 20:15:32 +0200
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch

Hi

I'm proposing the attached patch, but I want to hear back first from
upstream to not diverge too much from there.

Regards,
Salvatore
[CVE-2013-4407.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 721634-submit@bugs.debian.org. (Mon, 21 Oct 2013 18:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Sat, 09 Nov 2013 06:39:04 GMT) (full text, mbox, link).


Message #23 received at 721634@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 721634@bugs.debian.org, 721634-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libhttp-body-perl package
Date: Sat, 09 Nov 2013 06:34:21 +0000
tag 721634 + pending
thanks

Some bugs in the libhttp-body-perl package are closed in revision
f4fb68d039e89c62065bc70b1c5ed8e35f297196 in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libhttp-body-perl.git;a=commitdiff;h=f4fb68d

Commit message:

    Add CVE-2013-4407.patch patch
    
    CVE-2013-4407: An attacker able to upload files to a service that uses
    HTTP::Body::Multipart could execute commands on the server.
    
    Closes: #721634




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 09 Nov 2013 06:39:10 GMT) (full text, mbox, link).


Message sent on to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug#721634. (Sat, 09 Nov 2013 06:39:19 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 09 Nov 2013 06:51:08 GMT) (full text, mbox, link).


Notification sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug acknowledged by developer. (Sat, 09 Nov 2013 06:51:08 GMT) (full text, mbox, link).


Message #33 received at 721634-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 721634-close@bugs.debian.org
Subject: Bug#721634: fixed in libhttp-body-perl 1.17-2
Date: Sat, 09 Nov 2013 06:48:36 +0000
Source: libhttp-body-perl
Source-Version: 1.17-2

We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Jan 2013 16:05:41 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.17-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libhttp-body-perl - module for processing data from HTTP POST requests
Closes: 721634
Changes: 
 libhttp-body-perl (1.17-2) unstable; urgency=high
 .
   * Team upload.
   * Change search.cpan.org based URIs to metacpan.org based URIs
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)
   * Bump Standards-Version to 3.9.5
   * Wrap and sort fields in debian/control file




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Thu, 21 Nov 2013 20:42:04 GMT) (full text, mbox, link).


Message #36 received at 721634@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 721634@bugs.debian.org, 721634-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libhttp-body-perl package
Date: Thu, 21 Nov 2013 20:38:52 +0000
tag 721634 + pending
thanks

Some bugs in the libhttp-body-perl package are closed in revision
75688c8dcd9cbed094821096e69dcd4f56918024 in branch 'wheezy' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libhttp-body-perl.git;a=commitdiff;h=75688c8

Commit message:

    Add CVE-2013-4407.patch patch
    
    CVE-2013-4407: An attacker able to upload files to a service that uses
    HTTP::Body::Multipart could execute commands on the server.
    
    Closes: #721634




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 21 Nov 2013 20:42:07 GMT) (full text, mbox, link).


Message sent on to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug#721634. (Thu, 21 Nov 2013 20:42:11 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 28 Nov 2013 21:51:09 GMT) (full text, mbox, link).


Notification sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug acknowledged by developer. (Thu, 28 Nov 2013 21:51:09 GMT) (full text, mbox, link).


Message #46 received at 721634-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 721634-close@bugs.debian.org
Subject: Bug#721634: fixed in libhttp-body-perl 1.11-1+deb7u1
Date: Thu, 28 Nov 2013 21:49:19 +0000
Source: libhttp-body-perl
Source-Version: 1.11-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Nov 2013 10:47:51 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.11-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libhttp-body-perl - module for manipulating HTTP POST data as an object
Closes: 721634
Changes: 
 libhttp-body-perl (1.11-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Dec 2013 07:28:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:15:59 2019; Machine Name: buxtehude
