CVE-2010-2253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2253): lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
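As an added illustration of the defensive check the advisory describes, the Perl below rejects server-suggested filenames that begin with a dot or carry path components before they are used for a local save. This is not libwww-perl's own fix; the function names and the sample header values are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not libwww-perl's code): decide whether a filename
# suggested by a remote server (Content-Disposition, or the last path
# segment of a 3xx redirect target) may be used for a local save.
# Returns the acceptable basename, or undef when the name must be refused.
sub safe_download_name {
    my ($suggested) = @_;
    return undef unless defined $suggested && length $suggested;

    # Servers may send a full path; keep only the last component and
    # treat both / and \ as separators so "../" tricks collapse away.
    my ($base) = $suggested =~ m{([^/\\]+)\z};
    return undef unless defined $base && length $base;

    # Reject dotfiles (".bashrc", ".ssh") as well as "." and "..";
    # writing such a name into a home directory is the risk in CVE-2010-2253.
    return undef if $base =~ /\A\./;

    # Reject control characters that could confuse terminals or tooling.
    return undef if $base =~ /[\x00-\x1f\x7f]/;

    return $base;
}

# Minimal extraction of the filename= parameter from a Content-Disposition
# header value (quoted or bare form); returns undef when none is present.
sub filename_from_content_disposition {
    my ($header) = @_;
    return undef unless defined $header;
    return $1 if $header =~ /filename\s*=\s*"([^"]*)"/i;
    return $1 if $header =~ /filename\s*=\s*([^;\s]+)/i;
    return undef;
}

# Constructed sample inputs: the first column says where the name came from.
my @samples = (
    [ 'Content-Disposition', 'attachment; filename="report.pdf"' ],
    [ 'Content-Disposition', 'attachment; filename=".bashrc"'    ],
    [ 'Content-Disposition', 'attachment; filename="../.profile"' ],
    [ 'Content-Disposition', 'attachment; filename=/tmp/notes.txt' ],
    [ 'redirect path',       '/files/.ssh'                         ],
    [ 'redirect path',       '/files/archive.tar.gz'               ],
);

for my $s (@samples) {
    my ($source, $value) = @$s;
    my $name = $source eq 'Content-Disposition'
             ? filename_from_content_disposition($value)
             : $value;
    my $safe = safe_download_name($name);
    printf "%-20s %-40s -> %s\n", $source, $value,
        defined $safe ? "save as '$safe'" : 'REJECTED';
}
```

Run with `perl check_download_name.pl`; the two dotfile cases and the `../.profile` case are refused, while the others are reduced to a plain basename in the current directory.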
Please stabilize =dev-perl/libwww-perl-5.836. 5.836 is long enough in the tree, and also: | Fix problem where $resp->base would downcase its return value
Tested on x86. Compiles and runs fine. Compiled and ran several rdeps. No issues. Should be good to stabilize.
amd64/arm/x86 stable, thanks, Dane
After this: Index: libwww-perl-5.836.ebuild =================================================================== RCS file: /var/cvsroot/gentoo-x86/dev-perl/libwww-perl/libwww-perl-5.836.ebuild,v retrieving revision 1.2 diff -u -B -r1.2 libwww-perl-5.836.ebuild --- libwww-perl-5.836.ebuild 26 Jul 2010 20:49:23 -0000 1.2 +++ libwww-perl-5.836.ebuild 29 Jul 2010 16:21:28 -0000 @@ -41,4 +41,4 @@ dosym /usr/bin/lwp-request /usr/bin/HEAD fi } -#SRC_TEST=do +SRC_TEST=do all tests ran fine. Stable for HPPA PPC.
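Review bot: the hunk at `@@ -41,4 +41,4 @@` flips `-#SRC_TEST=do` to `+SRC_TEST=do` but carries nothing explaining why the test phase had been commented out in revision 1.2 of the ebuild; since this comment reports that all tests ran fine, that result belongs in the commit message so a later maintainer does not re-disable the suite on an unexplained failure.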
alpha/ia64/m68k/s390/sh/sparc stable
ppc64 done
All arches done.
GLSA request filed.
This issue was resolved and addressed in GLSA 201402-04 at http://security.gentoo.org/glsa/glsa-201402-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).