SB2013120310 - Input validation error in perl-http-body (Alpine package)
Published: December 3, 2013
Security Bulletin ID
SB2013120310
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2013-4407)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for Perl uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7454a74b607d2ea338d1742b0ae51257b74fafe9
- https://git.alpinelinux.org/aports/commit/?id=6041642bea0d97919a65d2e7e2d8211a0cf744f5
- https://git.alpinelinux.org/aports/commit/?id=e189fcc8c61dfd0aab7d42d528003e88bb0c3c7f
- https://git.alpinelinux.org/aports/commit/?id=be38e44a7d8e243722c40679605fbb40a489d675
- https://git.alpinelinux.org/aports/commit/?id=fc63abb7cf648e265ac8976e6ff92197a6599348
- https://git.alpinelinux.org/aports/commit/?id=213ebd008f5f44ea962bebeb139ec959c8c5ce4d