lwp-download in libwww-perl before 5.835 does not reject downloads to
filenames that begin with a . (dot) character, which allows remote
servers to create or overwrite files via (1) a 3xx redirect to a URL
with a crafted filename or (2) a Content-Disposition header that
suggests a crafted filename, and possibly execute arbitrary code as a
consequence of writing to a dotfile in a home directory.
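A filename check of the kind the report says was missing, written here as an added Perl example (not lwp-download's own code): it derives the save name from the final post-redirect URL or from a Content-Disposition header, then rejects dotfiles and anything carrying path components. The URLs and header values are constructed inputs.

```perl
use strict;
use warnings;
# Pull a filename out of a Content-Disposition value (quoted or bare token).
sub filename_from_disposition {
    my ($header) = @_;
    return undef unless defined $header;
    return $1 if $header =~ /filename\s*=\s*"([^"]*)"/i;
    return $1 if $header =~ /filename\s*=\s*([^;\s]+)/i;
    return undef;
}
# Last path segment of a URL, with query string, fragment and authority removed.
sub filename_from_url {
    my ($url) = @_;
    (my $path = $url) =~ s/[?#].*$//;
    $path =~ s{^[a-z][a-z0-9+.-]*://[^/]*}{}i;
    my ($last) = $path =~ m{([^/]*)$};
    return $last;
}
# Return undef for any name that must not be written into the working directory.
sub safe_local_filename {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    return undef if $name =~ m{[/\\]} || $name =~ /\0/;   # no path components or NULs
    return undef if $name =~ /^\./;                      # the missing check: no dotfiles
    return undef if $name =~ /^-/;                       # would look like an option to tools
    return $name;
}
# Content-Disposition wins over the URL when present; both go through the same check.
sub choose_filename {
    my ($final_url, $disposition) = @_;
    my $candidate = filename_from_disposition($disposition);
    $candidate = filename_from_url($final_url) unless defined $candidate;
    return safe_local_filename($candidate);
}
# Constructed inputs modelled on the two vectors in the report (not real servers).
my @cases = (
    [ 'http://example.test/pkg/tool-1.0.tar.gz', undef ],                     # normal download
    [ 'http://example.test/pkg/.bashrc',         undef ],                     # 3xx redirect target
    [ 'http://example.test/pkg/file', 'attachment; filename=".profile"' ],    # crafted header
    [ 'http://example.test/pkg/file', 'attachment; filename="../x"' ],
    [ 'http://example.test/pkg/file', 'attachment; filename=report.pdf' ],
);
for my $c (@cases) {
    my $name = choose_filename(@$c);
    printf "%-42s %-38s => %s\n", $c->[0], defined $c->[1] ? $c->[1] : '(no header)',
        defined $name ? "save as '$name'" : 'REJECT';
}
```

Only the first and last cases yield a save name; the dotfile and `../` candidates are rejected regardless of whether they arrived via the redirect target or the header.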
5.836 is long enough in the tree and also:
| Fix problem where $resp->base would downcase its return value
Tested on x86. Compiles and runs fine. Compiled and ran several rdeps. No issues. Should be good to stabilize.
amd64/arm/x86 stable, thanks Dane
RCS file: /var/cvsroot/gentoo-x86/dev-perl/libwww-perl/libwww-perl-5.836.ebuild,v
retrieving revision 1.2
diff -u -B -r1.2 libwww-perl-5.836.ebuild
--- libwww-perl-5.836.ebuild 26 Jul 2010 20:49:23 -0000 1.2
+++ libwww-perl-5.836.ebuild 29 Jul 2010 16:21:28 -0000
@@ -41,4 +41,4 @@
dosym /usr/bin/lwp-request /usr/bin/HEAD
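Review bot: the hunk header `@@ -41,4 +41,4 @@` announces a four-line region changed in place, but only the unchanged context line `dosym /usr/bin/lwp-request /usr/bin/HEAD` is visible here; the removed and added ebuild lines are not shown, so the actual change between revision 1.2 and the working copy of libwww-perl-5.836.ebuild cannot be checked from this excerpt.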
All tests ran fine.
Stable for HPPA PPC.
All arches done.
GLSA request filed.
This issue was resolved and addressed in
GLSA 201402-04 at http://security.gentoo.org/glsa/glsa-201402-04.xml
by GLSA coordinator Mikle Kolyada (Zlogene).