Bug#594804: pu: package libwww-perl/5.813-1+lenny2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I just saw by chance that there is an open security issue in libwww-perl
that affects stable [1]. There is a two-line upstream patch to address
this [2] which also applies to the version in Lenny.
I have prepared an update, see the attached debdiff.
Regards,
Ansgar
[1] <http://security-tracker.debian.org/tracker/CVE-2010-2253>
[2] <http://github.com/gisle/libwww-perl/commit/f97f339f552666ef79cdd2cf2a44032cf206bb6e>
diff -u libwww-perl-5.813/debian/changelog libwww-perl-5.813/debian/changelog
--- libwww-perl-5.813/debian/changelog
+++ libwww-perl-5.813/debian/changelog
@@ -1,8 +1,16 @@
+libwww-perl (5.813-1+lenny2) stable; urgency=low
+
+ * CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
+ filenames suggested by the server that start with a . (dot) character.
+ commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e
+
+ -- Ansgar Burchardt <ansgar@43-1.org> Mon, 30 Aug 2010 01:29:12 +0900
+
libwww-perl (5.813-1+lenny1) stable; urgency=low
* Fix incorrect use of redo. (Closes: #591462)
- -- Ansgar Burchardt <ansgar@43-1.org> Wed, 04 Aug 2010 02:52:22 +0900
+ -- Ansgar Burchardt <ansgar@43-1.org> Sat, 07 Aug 2010 08:20:19 +0900
libwww-perl (5.813-1) unstable; urgency=low
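Review bot: this hunk also rewrites the timestamp of the already-released 5.813-1+lenny1 changelog entry (`Wed, 04 Aug 2010 02:52:22 +0900` becomes `Sat, 07 Aug 2010 08:20:19 +0900`), which is unrelated to the CVE-2010-2253 fix; drop that `-`/`+` pair from the debdiff, or explain it in the bug, so the stable update carries only the intended change.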
only in patch2:
unchanged:
--- libwww-perl-5.813.orig/bin/lwp-download
+++ libwww-perl-5.813/bin/lwp-download
@@ -138,7 +138,9 @@
# validate that we don't have a harmful filename now. The server
# might try to trick us into doing something bad.
if (!length($file) ||
- $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge)
+ $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge ||
+ $file =~ /^\./
+ )
{
die "Will not save <$url> as \"$file\".\nPlease override file name on the command line.\n";
}
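Review bot: the placement of the new `$file =~ /^\./` test after the escaping substitution is correct, since `.` is in that substitution's allowed character class and a server-suggested leading dot therefore survives to be caught here; and because any true operand of the `||` chain already reaches the `die`, the short-circuit cannot skip a case. The comment above the condition still only speaks of harmful characters, so extend it to say that names beginning with `.` (which covers `.` and `..` as well as dotfiles such as `.bashrc`) are refused too, and consider making the `die` message say which rule rejected the name.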