authorV3n3RiX <venerix@redcorelinux.org>2018-07-14 21:03:06 +0100
committerV3n3RiX <venerix@redcorelinux.org>2018-07-14 21:03:06 +0100
commit8376ef56580626e9c0f796d5b85b53a0a1c7d5f5 (patch)
tree7681bbd4e8b05407772df40a4bf04cbbc8afc3fa /dev-perl/HTTP-Body/files
parent30a9caf154332f12ca60756e1b75d2f0e3e1822d (diff)
gentoo resync : 14.07.2018
Diffstat (limited to 'dev-perl/HTTP-Body/files')
-rw-r--r--dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch b/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
new file mode 100644
index 000000000000..292cac3aa6f4
--- /dev/null
+++ b/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
@@ -0,0 +1,31 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
+
+diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm
+--- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm 2013-12-06 16:07:25.000000000 +0100
++++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm 2014-11-30 23:17:19.652051615 +0100
+@@ -258,8 +258,8 @@
+
+ =cut
+
+-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+-#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
++#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
++our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+
+ sub handler {
+ my ( $self, $part ) = @_;
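Review bot: The inner MultiPart.pm hunk keeps the retired permissive pattern as a commented-out line (`#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;`) directly above the active one with nothing saying why it was disabled, so a later edit could swap it back without noticing the security reason. I would replace that line with a comment such as `# CVE-2013-4407: per the patch description the captured suffix ends up in the temporary file name, so it is limited to dots and \w characters`. Because `$basename_regexp` is declared with `our`, calling code can still assign a looser pattern, and the comment could add that any override must keep the same restriction. Anchoring with `\z` instead of `$` would additionally stop a name ending in a newline from matching, although the capture itself excludes the newline either way. The `handler` sub that consumes the capture only begins at the end of this hunk, so how the suffix is used is not visible here.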