Bug 329943 (CVE-2010-2253) - <dev-perl/libwww-perl-5.836: arbitrary code execution (CVE-2010-2253)
Summary: <dev-perl/libwww-perl-5.836: arbitrary code execution (CVE-2010-2253)
Status: RESOLVED FIXED
Alias: CVE-2010-2253
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-26 15:47 UTC by Stefan Behte (RETIRED)
Modified: 2014-02-04 16:33 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:47:24 UTC
CVE-2010-2253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2253):
  lwp-download in libwww-perl before 5.835 does not reject downloads to
  filenames that begin with a . (dot) character, which allows remote
  servers to create or overwrite files via (1) a 3xx redirect to a URL
  with a crafted filename or (2) a Content-Disposition header that
  suggests a crafted filename, and possibly execute arbitrary code as a
  consequence of writing to a dotfile in a home directory.
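The mechanism in the CVE text, shown as an added example that is not part of this bug report and not lwp-download's own code: a download tool names the local file either from the final URL (so a 3xx redirect chooses it) or from the server's Content-Disposition header, and both are attacker data. The naive function below trusts that name as-is; the hardened one strips any directory part and refuses names that start with a dot, which is the check the vulnerable versions lacked. The helper names, the mirror.example URLs and the header values are constructed for the illustration.

```python
"""Derive a local filename the way a download tool does (final URL or
Content-Disposition) and reject names a server can use to plant dotfiles.

Added illustration of the CVE-2010-2253 class of bug; this is not
lwp-download's code and the function names are invented for the example.
"""
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit


def name_from_content_disposition(header):
    """Return the filename= parameter of a Content-Disposition header, or None."""
    if not header:
        return None
    msg = Message()                      # reuse the stdlib MIME parameter parser
    msg["Content-Disposition"] = header
    return msg.get_filename()            # unquotes and handles RFC 2231 encoding


def name_from_url(url):
    """Return the last path segment of the (final, post-redirect) URL."""
    return posixpath.basename(unquote(urlsplit(url).path))


def unsafe_download_name(final_url, content_disposition=None):
    """Pre-fix style behaviour: trust the server-chosen name exactly as sent."""
    return name_from_content_disposition(content_disposition) or name_from_url(final_url)


def safe_download_name(final_url, content_disposition=None):
    """Hardened variant: keep only a basename and refuse hidden or empty names.

    Raises ValueError rather than returning something like '.bashrc' or
    '.ssh/authorized_keys' that would land in $HOME when run from there.
    """
    candidate = unsafe_download_name(final_url, content_disposition) or ""
    # The server may smuggle a path; keep the final component under either separator.
    name = candidate.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not name or name in (".", ".."):
        raise ValueError("no usable filename in response")
    if name.startswith("."):
        raise ValueError("refusing to write hidden file %r" % name)
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    return name


# Constructed cases: (final URL after redirects, Content-Disposition header or None)
CONSTRUCTED_CASES = [
    ("http://mirror.example/pkg-1.0.tar.gz", None),                      # ordinary download
    ("http://mirror.example/.bashrc", None),                              # 3xx redirected to a dotfile name
    ("http://mirror.example/pkg-1.0.tar.gz", 'attachment; filename=".bash_profile"'),
    ("http://mirror.example/pkg-1.0.tar.gz", 'attachment; filename="../.ssh/authorized_keys"'),
    ("http://mirror.example/dir/", None),                                 # no filename at all
]


def evaluate(cases=CONSTRUCTED_CASES):
    """Return [(naive name, hardened name or 'REJECTED: reason')] for each case."""
    results = []
    for url, header in cases:
        naive = unsafe_download_name(url, header)
        try:
            hardened = safe_download_name(url, header)
        except ValueError as exc:
            hardened = "REJECTED: " + str(exc)
        results.append((naive, hardened))
    return results


if __name__ == "__main__":
    for naive, hardened in evaluate():
        print("%-32r -> %s" % (naive, hardened))
```

Refusing is the right response rather than silently renaming, because a name that starts with a dot is never something the user asked for by giving a package URL. Note that the check is about the name only: a server can still pick any non-hidden basename in the current directory, so whether the tool overwrites an existing file is a separate decision from this one.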
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2010-07-26 16:15:24 UTC
Please stabilize
=dev-perl/libwww-perl-5.836

5.836 is long enough in the tree and also:
| Fix problem where $resp->base would downcase its return value
Comment 2 Dane Smith (RETIRED) gentoo-dev 2010-07-26 18:40:39 UTC
Tested on x86. Compiles and runs fine. Compiled and ran several rdeps. No issues. Should be good to stabilize.
Comment 3 Markus Meier gentoo-dev 2010-07-26 20:49:44 UTC
amd64/arm/x86 stable, thanks Dane
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-29 16:28:27 UTC
After this:

Index: libwww-perl-5.836.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/dev-perl/libwww-perl/libwww-perl-5.836.ebuild,v
retrieving revision 1.2
diff -u -B -r1.2 libwww-perl-5.836.ebuild
--- libwww-perl-5.836.ebuild    26 Jul 2010 20:49:23 -0000      1.2
+++ libwww-perl-5.836.ebuild    29 Jul 2010 16:21:28 -0000
@@ -41,4 +41,4 @@
                dosym /usr/bin/lwp-request /usr/bin/HEAD
        fi
 }
-#SRC_TEST=do
+SRC_TEST=do
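Review bot: the only change in this hunk is uncommenting SRC_TEST=do, but the file header shows the base revision 1.2 dated 26 Jul 2010 20:49, which matches the amd64/arm/x86 stabilization in comment 3, so those arches were marked stable with the test suite still disabled and only the HPPA/PPC run in this comment actually exercised it; please say so in the bug (or have the other arches re-run with FEATURES=test before the GLSA) and add a comment line above SRC_TEST=do explaining why it had been commented out, since neither the ebuild nor this comment records that.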

all tests ran fine.

Stable for HPPA PPC.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-07-31 16:18:02 UTC
alpha/ia64/m68k/s390/sh/sparc stable 
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-08-10 16:09:34 UTC
ppc64 done
Comment 7 Torsten Veller (RETIRED) gentoo-dev 2010-08-15 13:12:36 UTC
All arches done.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 03:19:49 UTC
GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 16:33:08 UTC
This issue was resolved and addressed in
 GLSA 201402-04 at http://security.gentoo.org/glsa/glsa-201402-04.xml
by GLSA coordinator Mikle Kolyada (Zlogene).