author | V3n3RiX <venerix@koprulu.sector> | 2024-05-03 00:00:22 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-05-03 00:00:22 +0100 |
commit | a98588cfddf3d6e88a5f17d7f399b695163c7a85 (patch) | |
tree | 9f786257ac4bfd6be23a0d585c4b6c17361d37d2 /dev-perl/HTTP-Body | |
parent | f5ef7f2371babf22c2c3fad17108692b09e4c98e (diff) |
gentoo auto-resync : 03:05:2024 - 00:00:22
Diffstat (limited to 'dev-perl/HTTP-Body')
-rw-r--r-- | dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild | 43 | ||||
-rw-r--r-- | dev-perl/HTTP-Body/Manifest | 3 | ||||
-rw-r--r-- | dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch | 33 |
3 files changed, 79 insertions, 0 deletions
diff --git a/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
new file mode 100644
index 000000000000..4e35d76d651b
--- /dev/null
+++ b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
@@ -0,0 +1,43 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DIST_AUTHOR=GETTY
+DIST_VERSION=1.23
+inherit perl-module
+
+DESCRIPTION="HTTP Body Parser"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+# HTTP::Headers -> HTTP-Message
+# HTTP::Request::Common -> HTTP-Message
+# IO::File -> IO
+RDEPEND="
+ virtual/perl-Carp
+ virtual/perl-Digest-MD5
+ >=virtual/perl-File-Temp-0.140.0
+ dev-perl/HTTP-Message
+ >=virtual/perl-IO-1.140.0
+"
+BDEPEND="${RDEPEND}
+ virtual/perl-ExtUtils-MakeMaker
+ test? (
+ virtual/perl-Encode
+ virtual/perl-File-Spec
+ >=virtual/perl-File-Temp-0.140.0
+ dev-perl/HTTP-Message
+ dev-perl/Test-Deep
+ >=virtual/perl-Test-Simple-0.860.0
+ )
+"
+
+PERL_RM_FILES=(
+ t/02pod.t
+ t/03podcoverage.t
+ t/04critic.t
+)
+
+PATCHES=( "${FILESDIR}/${PN}-1.230.0-CVE-2013-4407.patch" )
diff --git a/dev-perl/HTTP-Body/Manifest b/dev-perl/HTTP-Body/Manifest
index 7eab3a3e9051..f39fc738736e 100644
--- a/dev-perl/HTTP-Body/Manifest
+++ b/dev-perl/HTTP-Body/Manifest
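Review bot: The `PATCHES=` line at the end of the hunk reapplies the CVE-2013-4407 patch to a release that, according to the patch header added elsewhere in this commit, already carries upstream's own fix, and nothing in the ebuild records that this is deliberate; at the next bump the patch could easily be dropped as obsolete or fail to apply without anyone knowing which behaviour is wanted. A one-line comment above it, `# Upstream 1.23 fixes CVE-2013-4407 with a denylist; keep Gentoo's stricter allowlist regexp on the temp-file suffix`, makes the intent reviewable from the ebuild alone. The existing `# X -> Y` dependency comments show the file already uses that style of inline rationale.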
@@ -1,4 +1,7 @@
 AUX HTTP-Body-1.190.0-CVE-2013-4407.patch 1288 BLAKE2B 776bf905aae20f57c89b443bd19860d2165d9df9061470dd2e789a4554a9950488127a42dc096a4e22d6866b2219ac7dc6b847c0ec551c947c09c6a1b8651b3f SHA512 9e2988eb26b54588d314c9ea7511dfcb1c4d91cac60fda7db5f3c41ebf72d6b16cb1e3983817d63ea28b413f82489c3e69f332daab0ff049349ec97b4498bfae
+AUX HTTP-Body-1.230.0-CVE-2013-4407.patch 1396 BLAKE2B fc7aac2586fe65e89c6f33b6bae84cdd111219e6114797f120a95099bfd19c7df5d5dba04aaf4851d174205aa9faf0ae1311f47e50da36a896a83675f76ab038 SHA512 427328319e14f132ca5cecd8359269a045e67a05412019096da2a374e6e96a0fdf1319ce478646ea1184e4e03786ee229774afbe2a2d361603065a5d8677d549
 DIST HTTP-Body-1.22.tar.gz 26163 BLAKE2B c6b2cf67fd9964fe253251dd91a67b11563c3cb157ad670733254acb3d44fcede97dcfb84d09ed52bc9f8cc60275838abd8f110aa01aed3bb18400bcc108b255 SHA512 62665989d76699a3c3747d8f4e23d2009488bc229220bcf6fc07fc425e6ac5118f6ea48c75af681c2f29e9ed644d7a7979368cc36df77aca0544786b523c9cfe
+DIST HTTP-Body-1.23.tar.gz 26980 BLAKE2B 2ad08b894a26a06089dff6294f978583d49ee5aa770fb195d01fc6db7a39bda0cb831ed5137afabbc75598e2dbe3fb8dd0681f688776270d01f99498abb17c23 SHA512 b02fb8652ceebdaa858ff12fe759ded62eefa7f23e5bf8b90e31a52d4433f13d29986f9646141b92a6a4ea58e1be007c6f675c3e2b26559fa0ff9333e69f3ebb
 EBUILD HTTP-Body-1.220.0-r1.ebuild 888 BLAKE2B 7f5afd7a530621d035629e401febab336f2634837b9df6075243311ee54d719efb8d681b876c9542e2da70ea866ef24091b0c6e5f66a243686b3e7050f891dcb SHA512 83491a717dfcb4ddd466cc1ca2df48e22c586d47eeb66b25b30b05db0f46987113a3412301383066a94d81cc557cb98a996050bf3f6764a86808984ae7f1aa1e
+EBUILD HTTP-Body-1.230.0.ebuild 851 BLAKE2B ae9de7593ad552d393afe06b742b1290fa7e014d1f56b880b987645965d340cdbb4c9d4a1bfe4a3b1ea7e8038f5df62d1006417e30348a44285378cda5fc9a67 SHA512 260b3f9ad86d2c0631e7453e41112b12c88d6f860cffa1bd79dc1a083f44cbfe7f99dd3eab860aae00fa7e4a6867cbf1943706e100380209c5aebfce20453978
 MISC metadata.xml 737 BLAKE2B 
ebbe4c571edaeef494e7df4625fd8388f5808a895c545c55ca7eb4e501fe485d493e1c474e0cc03c458f53c16e3cc96e7bd42454bcb6990505f8aa3bafcf6888 SHA512 814d21c03ff8829f92d3da6df27bea873db8759f0dc56b93b9743909c6465df17f9c74d9b0618d947883e7895e9103157811354c3287beb490cd03fe4ade3855
diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
new file mode 100644
index 000000000000..e4046ec3fec3
--- /dev/null
+++ b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
@@ -0,0 +1,33 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
+Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.23
+ This version has a fix for the CVE, but the stricter regexp has served
+ us well so far...
+
+diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm
+--- HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm 2024-03-30 14:27:57.000000000 +1100
++++ HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm 2024-05-02 13:07:21.794271606 +1100
+@@ -255,7 +255,7 @@
+ 
+ =cut
+ 
+-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
++our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+ our $file_temp_suffix = '.upload';
+ our $file_temp_template;
+ our %file_temp_parameters;
+ |
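Review bot: The header line "This version has a fix for the CVE, but the stricter regexp has served us well so far..." does not say what makes the Gentoo regexp stricter, so at the next bump nobody can judge from this file whether the patch is still worth carrying. The removed line shows that upstream 1.23 fixes it with a denylist, `[^\\\/]+`, which only rejects slash and backslash and still lets any other byte into the suffix that the description says ends up in a temporary filename, whereas the replacement `(\.\w+(?:\.\w+)*)$` is an allowlist limited to dot-separated word characters; replacing the vague sentence with that comparison would make the decision reviewable. One caveat worth a line in the header: `\w` matches Unicode word characters when the filename has been decoded, so if an ASCII-only suffix is the intent the `/a` modifier would pin it — whether that matters depends on how MultiPart.pm decodes the filename, which is outside this hunk.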