Bug 844951 (CVE-2013-4407) - VUL-0: CVE-2013-4407: perl-HTTP-Body: code execution via command injection
Summary: VUL-0: CVE-2013-4407: perl-HTTP-Body: code execution via command injection
Status: RESOLVED FIXED
Alias: CVE-2013-4407
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-09 12:44 UTC by Marcus Meissner
Modified: 2015-02-19 01:33 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-10-09 12:44:49 UTC
via oss-security list

CVE-2013-4407

A remote command-injection flaw was reported in HTTP::Body::Multipart versions 1.08 and later[1]. An attacker able to upload files to a service that uses HTTP::Body::Multipart could execute commands on the server.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4407
https://bugzilla.redhat.com/show_bug.cgi?id=1005669
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
http://comments.gmane.org/gmane.comp.security.oss.general/11229
Comment 1 Swamp Workflow Management 2013-10-11 07:41:52 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2013-10-30 12:07:51 UTC
There is already a fix:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=18;filename=CVE-2013-4407.patch;att=1;bug=721634

However the issue is not so severe, as it only *potentially*
allows further exploitation if the resulting filenames are passed
to system() etc.
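The following Perl script is an added illustration for this bug, written for this page; it is not code from HTTP::Body, the Debian patch, or the SUSE update. It shows the two halves of the problem the description and Comment 2 describe: a multipart part whose Content-Disposition filename carries shell metacharacters, a suffix derived from that filename reaching File::Temp unchanged (the shape of the pre-fix behaviour, simplified here, not the module's actual code), and a consumer that interpolates the resulting temp-file name into a string-form system() call. The sanitizing regex, the helper names and the sample part are assumptions for the example; the hardened half keeps only filename-safe characters and uses list-form system(), which never goes through /bin/sh.

```perl
#!/usr/bin/perl
# Added example (not from HTTP::Body or the SUSE bug report).
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample: the headers of one multipart/form-data part as an
# attacker would send them. Everything after "report" is attacker-controlled.
my $part_headers = join "\r\n",
    'Content-Disposition: form-data; name="upload"; filename="report.txt; id > /tmp/injected #"',
    'Content-Type: text/plain';

# Pull the quoted filename out of Content-Disposition (simplified: no RFC 2231
# handling, no path stripping). Hypothetical helper.
sub filename_from_headers {
    my ($headers) = @_;
    return $headers =~ /filename="((?:[^"\\]|\\.)*)"/ ? $1 : undef;
}

# Shape of the pre-fix behaviour: everything from the first dot of the
# user-supplied basename becomes the temp file's suffix, verbatim.
sub unsafe_suffix {
    my ($basename) = @_;
    (my $suffix = $basename) =~ s/^[^.]*//;
    return $suffix;
}

# Hardened variant (assumed policy): map anything outside a conservative
# filename alphabet to "_", so no shell metacharacter survives into the name.
sub safe_suffix {
    my ($basename) = @_;
    my $suffix = unsafe_suffix($basename);
    $suffix =~ s/[^A-Za-z0-9._-]/_/g;
    return $suffix;
}

my $basename = filename_from_headers($part_headers);
die "no filename in part\n" unless defined $basename;

my $bad  = unsafe_suffix($basename);
my $good = safe_suffix($basename);
print "unsafe suffix: [$bad]\n";
print "safe suffix:   [$good]\n";

# Create the upload's temp file the hardened way.
my ($fh, $tmp) = tempfile("uploadXXXXXX", SUFFIX => $good, TMPDIR => 1, UNLINK => 1);
print "temp file:     $tmp\n";

# Vulnerable consumer: a one-argument system() hands the string to /bin/sh,
# so a name ending in ".txt; id > /tmp/injected #" would execute `id`.
#   system("ls -l $tmp");          # never do this with an attacker-influenced name
#
# Safe consumer: list-form system() passes $tmp as exactly one argv element;
# the shell is not involved, so metacharacters in the name are inert.
system('ls', '-l', '--', $tmp) == 0
    or warn "ls failed with status $?\n";
close $fh;
```

Run it as `perl example.pl`; the printed unsafe suffix still contains `;`, `>`, `/` and `#`, while the safe one and the created temp-file name contain only letters, digits, `.`, `_` and `-`. Note the two fixes are independent and both worthwhile: sanitizing the suffix protects every downstream consumer of the filename, and list-form system() protects against any other attacker-influenced argument, not just this one.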
Comment 3 Christian Wittmer 2014-03-14 20:20:37 UTC
ongoing work for fixing pkg
Comment 4 Christian Wittmer 2014-03-14 20:32:02 UTC
Maintenance Request created:

https://build.opensuse.org/request/show/226018
Comment 5 Bernhard Wiedemann 2014-03-14 21:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (844951) was mentioned in
https://build.opensuse.org/request/show/226019 13.1+12.3 / perl-HTTP-Body
Comment 6 Marcus Meissner 2014-03-24 08:34:18 UTC
released
Comment 7 Swamp Workflow Management 2014-03-25 09:04:22 UTC
openSUSE-SU-2014:0433-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 844951
CVE References: CVE-2013-4407
Sources used:
openSUSE 13.1 (src):    perl-HTTP-Body-1.19-2.4.1
openSUSE 12.3 (src):    perl-HTTP-Body-1.19-4.4.1