r62195 - in /branches/lenny/libwww-perl: bin/lwp-download debian/changelog

ansgar-guest at users.alioth.debian.org
Sun Aug 29 16:41:07 UTC 2010


Author: ansgar-guest
Date: Sun Aug 29 16:40:53 2010
New Revision: 62195

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=62195
Log:
CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
filenames suggested by the server that start with a . (dot) character.
commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e

Modified:
    branches/lenny/libwww-perl/bin/lwp-download
    branches/lenny/libwww-perl/debian/changelog

Modified: branches/lenny/libwww-perl/bin/lwp-download
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libwww-perl/bin/lwp-download?rev=62195&op=diff
==============================================================================
--- branches/lenny/libwww-perl/bin/lwp-download (original)
+++ branches/lenny/libwww-perl/bin/lwp-download Sun Aug 29 16:40:53 2010
@@ -138,7 +138,9 @@
 	      # validate that we don't have a harmful filename now.  The server
 	      # might try to trick us into doing something bad.
 	      if (!length($file) ||
-                  $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge)
+                  $file =~ s/([^a-zA-Z0-9_\.\-\+\~])/sprintf "\\x%02x", ord($1)/ge ||
+		  $file =~ /^\./
+	      )
               {
 		  die "Will not save <$url> as \"$file\".\nPlease override file name on the command line.\n";
 	      }
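Review bot: The new `$file =~ /^\./` test in the condition has no comment, and the `die` message below it is the same for all three rejection causes (empty name, escaped characters, leading dot). The existing comment only says the server "might try to trick us", so a reader cannot tell why an otherwise clean name such as a dot-prefixed one is refused. Suggest extending the comment to say that server-suggested names starting with a dot are rejected, and consider making the message state which rule fired. Note also that the `s///ge` operand rewrites `$file` as a side effect and short-circuits the `||`, so the dot test only runs on names that needed no escaping; that is harmless here because either branch reaches `die`, but it is worth a word in the comment. The added lines are indented with tabs while the line above them uses spaces.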

Modified: branches/lenny/libwww-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libwww-perl/debian/changelog?rev=62195&op=diff
==============================================================================
--- branches/lenny/libwww-perl/debian/changelog (original)
+++ branches/lenny/libwww-perl/debian/changelog Sun Aug 29 16:40:53 2010
@@ -1,3 +1,11 @@
+libwww-perl (5.813-1+lenny2) stable; urgency=low
+
+  * CVE-2010-2253: Apply upstream patch to lwp-download to reject downloads to
+    filenames suggested by the server that start with a . (dot) character.
+    commit id of upstream patch: f97f339f552666ef79cdd2cf2a44032cf206bb6e
+
+ -- Ansgar Burchardt <ansgar at 43-1.org>  Mon, 30 Aug 2010 01:29:12 +0900
+
 libwww-perl (5.813-1+lenny1) stable; urgency=low
 
   * Fix incorrect use of redo. (Closes: #591462)
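Review bot: The new entry is marked `urgency=low` although its only change is the CVE-2010-2253 fix; consider whether a higher urgency is appropriate for a security fix going to `stable`. The entry also carries no bug reference, unlike the `(Closes: #591462)` in the entry below it, so if a Debian bug tracks this CVE it should be closed here.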



