Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 329943 (CVE-2010-2253) - <dev-perl/libwww-perl-5.836: arbitrary code execution (CVE-2010-2253)
Summary: <dev-perl/libwww-perl-5.836: arbitrary code execution (CVE-2010-2253)
Alias: CVE-2010-2253
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2010-07-26 15:47 UTC by Stefan Behte (RETIRED)
Modified: 2014-02-04 16:33 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:47:24 UTC
CVE-2010-2253 (
  lwp-download in libwww-perl before 5.835 does not reject downloads to
  filenames that begin with a . (dot) character, which allows remote
  servers to create or overwrite files via (1) a 3xx redirect to a URL
  with a crafted filename or (2) a Content-Disposition header that
  suggests a crafted filename, and possibly execute arbitrary code as a
  consequence of writing to a dotfile in a home directory.
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2010-07-26 16:15:24 UTC
Please stabilize

5.836 is long enough in the tree and also:
| Fix problem where $resp->base would downcase its return value
Comment 2 Dane Smith (RETIRED) gentoo-dev 2010-07-26 18:40:39 UTC
Tested on x86. Compiles and runs fine. Compiled and ran several rdeps. No issues. Should be good to stabilize.
Comment 3 Markus Meier gentoo-dev 2010-07-26 20:49:44 UTC
amd64/arm/x86 stable, thanks Dane
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-29 16:28:27 UTC
After this:

Index: libwww-perl-5.836.ebuild
RCS file: /var/cvsroot/gentoo-x86/dev-perl/libwww-perl/libwww-perl-5.836.ebuild,v
retrieving revision 1.2
diff -u -B -r1.2 libwww-perl-5.836.ebuild
--- libwww-perl-5.836.ebuild    26 Jul 2010 20:49:23 -0000      1.2
+++ libwww-perl-5.836.ebuild    29 Jul 2010 16:21:28 -0000
@@ -41,4 +41,4 @@
                dosym /usr/bin/lwp-request /usr/bin/HEAD

all tests ran fine.

Stable for HPPA PPC.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-07-31 16:18:02 UTC
alpha/ia64/m68k/s390/sh/sparc stable 
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-08-10 16:09:34 UTC
ppc64 done
Comment 7 Torsten Veller (RETIRED) gentoo-dev 2010-08-15 13:12:36 UTC
All arches done.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 03:19:49 UTC
GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 16:33:08 UTC
This issue was resolved and addressed in
 GLSA 201402-04 at
by GLSA coordinator Mikle Kolyada (Zlogene).