Hello community, here is the log from the commit of package perl-HTTP-Body for openSUSE:Factory checked in at 2014-03-15 07:47:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-HTTP-Body (Old) and /work/SRC/openSUSE:Factory/.perl-HTTP-Body.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-HTTP-Body" Changes: -------- --- /work/SRC/openSUSE:Factory/perl-HTTP-Body/perl-HTTP-Body.changes 2013-12-11 11:31:52.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.perl-HTTP-Body.new/perl-HTTP-Body.changes 2014-03-15 07:47:34.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Mar 14 20:13:28 UTC 2014 - ch...@computersalat.de + +- fix for bnc#844951 (CVE-2013-4407) +- added patches: + * CVE-2013-4407.patch + +------------------------------------------------------------------- New: ---- CVE-2013-4407.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-HTTP-Body.spec ++++++ --- /var/tmp/diff_new_pack.GzFX1I/_old 2014-03-15 07:47:34.000000000 +0100 +++ /var/tmp/diff_new_pack.GzFX1I/_new 2014-03-15 07:47:34.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package perl-HTTP-Body # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,9 @@ Group: Development/Libraries/Perl Url: http://search.cpan.org/dist/HTTP-Body/ Source: http://www.cpan.org/authors/id/G/GE/GETTY/%{cpan_name}-%{version}.tar.gz +## originally taken from debian: Allow only word characters in filename suffixes +# correct fix was already mention in code, but not used. :( +Patch0: CVE-2013-4407.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl 
@@ -57,6 +60,7 @@ %prep %setup -q -n %{cpan_name}-%{version} +%patch0 %build %{__perl} Makefile.PL INSTALLDIRS=vendor ++++++ CVE-2013-4407.patch ++++++ Description: Allow only word characters in filename suffixes CVE-2013-4407: Allow only word characters in filename suffixes. An attacker able to upload files to a service that uses HTTP::Body::Multipart could use this issue to upload a file and create a specifically-crafted temporary filename on the server, that when processed without further validation, could allow execution of commands on the server. Solution was already mention in code, but not used. Index: lib/HTTP/Body/MultiPart.pm =================================================================== --- lib/HTTP/Body/MultiPart.pm.orig +++ lib/HTTP/Body/MultiPart.pm @@ -258,8 +258,8 @@ sub parse_body { =cut -our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; -#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; +#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; +our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; sub handler { my ( $self, $part ) = @_; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
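Review bot: the comment added above `Patch0: CVE-2013-4407.patch` in the `@@ -25,6 +25,9 @@` spec hunk has a typo, "correct fix was already mention in code" should read "was already mentioned in code", and the same wording recurs in the patch's Description header. While touching that comment, consider pointing it at the bug reference the .changes entry already carries (bnc#844951), so someone reading the spec can find the rationale for the patch without opening the changelog.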
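Review bot: the `@@ -258,8 +258,8 @@` hunk in CVE-2013-4407.patch keeps the rejected regexp as a comment (`#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;`); delete that line instead of leaving a known-unsafe pattern one uncomment away from being active. Two behavioural consequences of the new `qr/(\.\w+(?:\.\w+)*)$/` deserve a sentence in the Description: it captures nothing for a filename that has no suffix or whose suffix contains non-word characters, so confirm that `handler` (its body lies outside the hunk) copes with an empty match rather than assuming `$1` is set; and Perl's `\w` also matches non-ASCII letters and digits on a string with the UTF-8 flag set, so if the suffix used for the temporary filename is meant to be plain ASCII, spelling it as `[A-Za-z0-9_]` or adding the `/a` modifier (Perl 5.14 and later) makes that explicit.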