main/perl-http-body: upgrade to 1.17 and fix CVE-2013-4407

ref #2456
2026-05-04 20:06:43 +02:00 · 2013-12-03 14:28:50 +00:00 · 2013-12-03 14:28:50 +00:00 · 213ebd008f
commit 213ebd008f
parent adc79e42ef
2 changed files with 36 additions and 3 deletions
--- a/main/perl-http-body/APKBUILD
+++ b/main/perl-http-body/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=perl-http-body
-pkgver=1.15
+pkgver=1.17
 pkgrel=0
 pkgdesc="HTTP::Body perl module"
 url="http://search.cpan.org/dist/HTTP-Body/"
@ -11,7 +11,9 @@ depends="perl perl-http-message perl-uri"
 makedepends="perl-dev perl-test-deep"
 install=""
 subpackages="$pkgname-doc"
-source="http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz"
+source="http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz
+	CVE-2013-4407.patch
+	"

 _builddir="$srcdir"/HTTP-Body-$pkgver
 prepare() {
@ -36,4 +38,9 @@ package() {
 	find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
 }

-md5sums="cccf0211c15a9fed67c68c826c5efeaf  HTTP-Body-1.15.tar.gz"
+md5sums="3c14ccc3af652aa5297b9fc87d263b3b  HTTP-Body-1.17.tar.gz
+8e5a8675955e2bb7a23579be4df6558d  CVE-2013-4407.patch"
+sha256sums="131cdae4a4c8ee1b2b17c90db30c534d3f87f3a89c3133e3a0aab1f058fbe690  HTTP-Body-1.17.tar.gz
+5bacbbeda2c4297188f2fdfb03ee7d00785452bb72fac8ac0e8bd5e3575c7061  CVE-2013-4407.patch"
+sha512sums="978ed98929bd7a829f97a1f9adb847f2fc7cf84428c7356d19a5747dfd7679702754869cbf819882e4580aa72af037d0a40b2e5f91e18baf5497068d2f857eae  HTTP-Body-1.17.tar.gz
+f6a53949bdb592e9cf10771f3b38b538ac8aeacaddbb7f4f71528147ae2c16ff27a1b191210ec3df3592ad5377beaef4db988ae5eb7a003f4aea558c02995d69  CVE-2013-4407.patch"
--- a/main/perl-http-body/CVE-2013-4407.patch
+++ b/main/perl-http-body/CVE-2013-4407.patch
@ -0,0 +1,26 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+--- a/lib/HTTP/Body/MultiPart.pm
+++ b/lib/HTTP/Body/MultiPart.pm
+@@ -275,7 +275,7 @@
+ 
+             if ( $filename ne "" ) {
+                 my $basename = (File::Spec->splitpath($filename))[2];
+-                my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
+                my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
+ 
+                 my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
+