Debian Bug report logs - #721634
libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug

version graph

Package: libhttp-body-perl; Maintainer for libhttp-body-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libhttp-body-perl is src:libhttp-body-perl.

Reported by: Jonathan Dolle <jonathan.dolle@groupsquad.com>

Date: Mon, 2 Sep 2013 15:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libhttp-body-perl/1.11-1

Fixed in versions libhttp-body-perl/1.17-2, libhttp-body-perl/1.11-1+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=88342

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, jonathan.dolle@groupsquad.com, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Mon, 02 Sep 2013 15:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
New Bug report received and forwarded. Copy sent to jonathan.dolle@groupsquad.com, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 02 Sep 2013 15:51:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jonathan Dolle <jonathan.dolle@groupsquad.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libhttp-body-perl: HTTP::Body::Multipart critical security bug
Date: Mon, 02 Sep 2013 17:47:57 +0200
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal

Dear Maintainer,

Hello,

We discovered a critical bug in HTTP::Body::Multipart >= 1.08.

It concerns this point (see changelog) : 
	"Temp files now preserve the suffix of the uploaded file"

The following line in HTTP::Body::Multipart is not good:
my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};


It is too much permissive.
For example, with the following file name :
"2013-06-19 at 11.37.56 PM.png"

We can obtain this temp file :
"/tmp/k6gvivOIYK.37.56 PM.png"

It take everithing after the first dot, even spaces !

Previously, the tempname was always alphanumeric. No special chars. So we could use it directly in commands like:
my $info = `identify -format "%m" $filename 2>&1`;

With a space, the command become invalid. Worse : we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"

I recommand the following regexp:
my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};

Or, for extension like '.tar.gz':
my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};
Or better:
my $suffix = $basename =~ /[^.]+((?:\.[\w+])+)$/ ? $1 : q{};


Best regards,
Jonathan Dolle


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libhttp-body-perl depends on:
ii  libpath-class-perl  0.25-1
ii  libwww-perl         6.04-1
ii  libyaml-perl        0.81-1
ii  perl                5.14.2-9

libhttp-body-perl recommends no packages.

libhttp-body-perl suggests no packages.

-- no debconf information



Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=88342'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:04 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'normal' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:05 GMT) Full text and rfc822 format available.

Added tag(s) upstream and security. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 07 Sep 2013 16:21:06 GMT) Full text and rfc822 format available.

Changed Bug title to 'libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug' from 'libhttp-body-perl: HTTP::Body::Multipart critical security bug' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Oct 2013 11:24:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Mon, 21 Oct 2013 18:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 21 Oct 2013 18:18:04 GMT) Full text and rfc822 format available.

Message #18 received at 721634@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonathan Dolle <jonathan.dolle@groupsquad.com>, 721634@bugs.debian.org
Subject: Re: Bug#721634: libhttp-body-perl: HTTP::Body::Multipart critical security bug
Date: Mon, 21 Oct 2013 20:15:32 +0200
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch

Hi

I'm proposing the attached patch, but I want to hear back first from
upstream to not diverge to much from there.

Regards,
Salvatore
[CVE-2013-4407.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 721634-submit@bugs.debian.org. (Mon, 21 Oct 2013 18:18:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Sat, 09 Nov 2013 06:39:04 GMT) Full text and rfc822 format available.

Message #23 received at 721634@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 721634@bugs.debian.org, 721634-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libhttp-body-perl package
Date: Sat, 09 Nov 2013 06:34:21 +0000
tag 721634 + pending
thanks

Some bugs in the libhttp-body-perl package are closed in revision
f4fb68d039e89c62065bc70b1c5ed8e35f297196 in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libhttp-body-perl.git;a=commitdiff;h=f4fb68d

Commit message:

    Add CVE-2013-4407.patch patch
    
    CVE-2013-4407: An attacker able to upload files to a service that uses
    HTTP::Body::Multipart could execute commands on the server.
    
    Closes: #721634




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 09 Nov 2013 06:39:10 GMT) Full text and rfc822 format available.

Message sent on to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug#721634. (Sat, 09 Nov 2013 06:39:19 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 09 Nov 2013 06:51:08 GMT) Full text and rfc822 format available.

Notification sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug acknowledged by developer. (Sat, 09 Nov 2013 06:51:08 GMT) Full text and rfc822 format available.

Message #33 received at 721634-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 721634-close@bugs.debian.org
Subject: Bug#721634: fixed in libhttp-body-perl 1.17-2
Date: Sat, 09 Nov 2013 06:48:36 +0000
Source: libhttp-body-perl
Source-Version: 1.17-2

We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Jan 2013 16:05:41 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.17-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libhttp-body-perl - module for processing data from HTTP POST requests
Closes: 721634
Changes: 
 libhttp-body-perl (1.17-2) unstable; urgency=high
 .
   * Team upload.
   * Change search.cpan.org based URIs to metacpan.org based URIs
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)
   * Bump Standards-Version to 3.9.5
   * Wrap and sort fields in debian/control file
Checksums-Sha1: 
 48f02be54dff44fab8637aa750b6dca50f78a014 2374 libhttp-body-perl_1.17-2.dsc
 ad2ffc2634bd780fce66093a82e7b50f183fb554 4098 libhttp-body-perl_1.17-2.debian.tar.gz
 1c724a0715814356ff83a316dfee5425a24f52f4 24918 libhttp-body-perl_1.17-2_all.deb
Checksums-Sha256: 
 7617688e7000f82dbb8caf3f344219caf53495db42270fe32adb742a3f8a4d5f 2374 libhttp-body-perl_1.17-2.dsc
 99d7c6de9c915b99ab90ad0261e2b8dc4f801db66aa7c025eb66aaae1947c7ce 4098 libhttp-body-perl_1.17-2.debian.tar.gz
 8ad44b4e4b54b892fe6c97f9b1da60be8d778d272e98d5194473bf3e73006293 24918 libhttp-body-perl_1.17-2_all.deb
Files: 
 0dee76304250124c71068c1db7f29dae 2374 perl optional libhttp-body-perl_1.17-2.dsc
 66125dfbca6ff793802b013870974b35 4098 perl optional libhttp-body-perl_1.17-2.debian.tar.gz
 fea7f45f2f6374383ef48f679c823408 24918 perl optional libhttp-body-perl_1.17-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSfdcNAAoJEAVMuPMTQ89EFC0P/RevJMMJqrZ+pAyz7bRHhMtw
MTN8pXr4gmlo3fxyVIeALUHN9n7vKl/ZlVaXltP8USIl1vrd9PCFYeRNezbqayHz
KAgk6oddp3ECa5rx1v2n8iDwgfS9AebSm9Ng/XuNFcoAhT5wJ2vAsRp6Djy78oJp
U7uwUy2i0ri1wBDoOqUVa/afcfMuGnEf1woFDzaVVHitmzU0jTK4/KNpr2ggBKLx
s50cvPN61KAn+d74p+6KzXGEgAaO8EpQGJpfWIqoX/aF3cTBF0TEhdaXk/ZDJLDj
hQO/gwQXlF0jvRxvFsdCJTiEheKK5H/4/9yfcmpdFKOCpvTQcoJiM2D1qvmQKNBt
JomQzycChFZ3bVYlvPiDforLl+62KOMBRd+nEinwRu401u6D51VSNOwIZhq6Mc76
aCDAVtLbo3pFzgzOmQ4hQ8FqMd2NwSocRgfBIWHXOP+j9eELKxd7uvL30hf3SlaV
aGeltb3XjLg4TlR/6ussZqUo62AFM3hYpbLqugxFjQQN4qYXKbdimP4qqP9rqD8z
t1U7rjw9WSYOjCnBnDdktYWKFQURFXtl/jvRpuyLEFQRPT0t1XyQVK+cFkN6tW/W
IW0VQCTpoboLuZvr7vnySxoVRpgYXuDl6geSLMu0l2mUGPgWRsocle/qAj1d69oW
1eYaKt2lJglG4GnftjLw
=iJD1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#721634; Package libhttp-body-perl. (Thu, 21 Nov 2013 20:42:04 GMT) Full text and rfc822 format available.

Message #36 received at 721634@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 721634@bugs.debian.org, 721634-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libhttp-body-perl package
Date: Thu, 21 Nov 2013 20:38:52 +0000
tag 721634 + pending
thanks

Some bugs in the libhttp-body-perl package are closed in revision
75688c8dcd9cbed094821096e69dcd4f56918024 in branch '  wheezy' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libhttp-body-perl.git;a=commitdiff;h=75688c8

Commit message:

    Add CVE-2013-4407.patch patch
    
    CVE-2013-4407: An attacker able to upload files to a service that uses
    HTTP::Body::Multipart could execute commands on the server.
    
    Closes: #721634




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 21 Nov 2013 20:42:07 GMT) Full text and rfc822 format available.

Message sent on to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug#721634. (Thu, 21 Nov 2013 20:42:11 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 28 Nov 2013 21:51:09 GMT) Full text and rfc822 format available.

Notification sent to Jonathan Dolle <jonathan.dolle@groupsquad.com>:
Bug acknowledged by developer. (Thu, 28 Nov 2013 21:51:09 GMT) Full text and rfc822 format available.

Message #46 received at 721634-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 721634-close@bugs.debian.org
Subject: Bug#721634: fixed in libhttp-body-perl 1.11-1+deb7u1
Date: Thu, 28 Nov 2013 21:49:19 +0000
Source: libhttp-body-perl
Source-Version: 1.11-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libhttp-body-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-body-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Nov 2013 10:47:51 +0100
Source: libhttp-body-perl
Binary: libhttp-body-perl
Architecture: source all
Version: 1.11-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libhttp-body-perl - module for manipulating HTTP POST data as an object
Closes: 721634
Changes: 
 libhttp-body-perl (1.11-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2013-4407.patch patch.
     CVE-2013-4407: An attacker able to upload files to a service that uses
     HTTP::Body::Multipart could execute commands on the server.
     (Closes: #721634)
Checksums-Sha1: 
 9847f52098df44795af8e5c82758127bf6bedf15 2430 libhttp-body-perl_1.11-1+deb7u1.dsc
 0b7b6b669f792bc418a3327c915d59c01aae32b9 3707615 libhttp-body-perl_1.11.orig.tar.gz
 d1d60aee3e8e8dc22086f4f5d69afff0e44c73f7 4901 libhttp-body-perl_1.11-1+deb7u1.debian.tar.gz
 64bd907a0b59e8cb1f8c90c5884f94204d0d8ba3 27138 libhttp-body-perl_1.11-1+deb7u1_all.deb
Checksums-Sha256: 
 2b9d2cd0b864d20f60fed96403296f4402880ffbdfab40d96bdb9334e421ae13 2430 libhttp-body-perl_1.11-1+deb7u1.dsc
 6047fdacaa2fb0b0627f7a4cbed4a8181165322a2706e38cadccd592eb2a25c1 3707615 libhttp-body-perl_1.11.orig.tar.gz
 b32456df8d1b293825311bc04c73aeb94df42ed23d1b88e54d2cff4b2fce766b 4901 libhttp-body-perl_1.11-1+deb7u1.debian.tar.gz
 041e179ab51c4082483be0cf557587bf6bbaf9b5577d2c01696539e0de60bd8b 27138 libhttp-body-perl_1.11-1+deb7u1_all.deb
Files: 
 609a2602668584d84357606f5b3b1b77 2430 perl optional libhttp-body-perl_1.11-1+deb7u1.dsc
 c425c9a179dfac73891dee8cad556825 3707615 perl optional libhttp-body-perl_1.11.orig.tar.gz
 06b820d7f15ab86ae9ff89f9f582a336 4901 perl optional libhttp-body-perl_1.11-1+deb7u1.debian.tar.gz
 21663f88f7fe829ea52f2f440b2646d5 27138 perl optional libhttp-body-perl_1.11-1+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSi4QPAAoJEAVMuPMTQ89Eh50P/jq/Sex5Kze/ex4NJdAGUV9y
9+1GvTWg+gYyDVGUrKascNHTxYInqA4pvPTlu3B2CfscxAH1H9k/FIkgbQfyOJtj
WuOVwkay/vr4id+q5M1EljALf7kSnDV8Q7c88tFGzTfrVlMxIZi9Fqs5PWZNTQJ9
fbKx9BdMwRpAbzNzVEeZSOWRgGJQk2OrlJGBvBWaKoq3WroioUuJ/WaagOLeLkv+
mekJe8k5AwdCx3HTavv/bXPmj/2ktO3ahBWDbAA/HCsoGGJ1T66OQDBgC8QqVbty
Ovks/XqKJKPsZWwPqUUS+gvfE9DSiQmeL5416MzBYxjzlJCjTJTRRRt89vDgq00Q
kuOWjga7BJkxkzL/C1BBJY7cCLheUrbPzQ0aD3Oe+3oG4uh3CC3v3DvplV13oEHm
02IIF1vDf0jrvpqkRonrPn1oBom6bzr73DZetPHDrEA8/8xvvMhLseuo0UTlUOcD
Obl6ahwiPIcnmjaCcqekQzwPASF6e+yLcy/xIxyDSCUzi4AZ0gwb7s58bvNl/Dod
QkoYP/4dUnbnoWtzvVMW1uwWJba7+siQ7InNhNCiZUd8PXZMxWtiqb1ktpOQfpJQ
qxr2zx3//7GBWGH5kYp+fN1IPTvKbYm2E++7XER/GcIbv+hqVe46mhb7tbHAB1Zj
k/SB54jCufTUSVLagnHd
=SGts
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Dec 2013 07:28:04 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:10:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.