Bug 602800 - (CVE-2010-2253) CVE-2010-2253 perl-libwww-perl: multiple HTTP client download filename vulnerability [OCERT 2010-001]
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
http://www.ocert.org/advisories/ocert...
impact=low,public=20100517,reported=2...
Keywords: Security
Depends On: 637788
Reported: 2010-06-10 15:22 EDT by Vincent Danen
Modified: 2015-08-19 18:56 EDT (History)
CC List: 5 users

Doc Type: Bug Fix
Clone Of: CVE-2010-2251
Attachments
lwp-download patch (3.00 KB, patch)
2010-09-22 04:08 EDT, Huzaifa S. Sidhpurwala
correct patch for RHEL-5 (6.33 KB, patch)
2010-09-29 14:28 EDT, Marcela Mašláňová

Description Vincent Danen 2010-06-10 15:22:39 EDT
+++ This bug was initially created as a clone of Bug #591580 +++

The draft advisory from oCERT follows:

The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.

Unsafe behaviours have been found in lftp and lwp-download handling the
Content-Disposition header in conjunction with the 'suggested filename'
functionality.

Additionally, unsafe behaviours have been found in wget and lwp-download in
case of HTTP 3xx redirections during file downloading. The two applications
automatically use the URL's filename portion specified in the Location
header.

Implicitly trusting the suggested filenames results in a saved file that
differs from the expected one according to the URL specified by the user.
This can be used by a malicious attacker to silently write hidden and/or
initialization files under the user's current directory (e.g. .login,
.bashrc).

The impact of this vulnerability is increased in the case of lftp/lftpget
as the default configuration allows file overwrite without prompting
confirmation to the user. In case of lftp the get1 command is affected.
This command can be invoked directly by the user from lftp's command line
interface or indirectly by using the lftpget script, packaged within lftp
distribution.

Affected version:

lftp <= 4.0.5
wget <= 1.12
libwww-perl <= 5.834

Fixed version:

lftp >= 4.0.6
wget N/A
libwww-perl >= 5.835

Credit:

Vulnerability discovered and reported by Hank Leininger and Solar Designer
under the Openwall Project, with further analysis by Daniele Bianco of
oCERT.


MITRE has assigned the name CVE-2010-2253 to this issue.
Comment 1 Huzaifa S. Sidhpurwala 2010-09-22 04:08:10 EDT
Created attachment 448870 [details]
lwp-download patch

Patch from upstream:

commit 2f7ce2e0fc25c85806295142f9ec8d082c072c56
Author: Gisle Aas <gisle@aas.no>
Date:   Mon Feb 8 21:59:28 2010 +0100

lwp-download now needs the -s option to honor the Content-Disposition header
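The advisory above describes the flaw (a server-chosen name from Content-Disposition or a redirect Location is trusted and can write a hidden file such as .bashrc into the current directory), and the upstream commit describes the fix (suggested names are honored only when the user opts in with -s). The following is an added example, not code from libwww-perl or lwp-download, written in Python rather than Perl for portability. It shows a defender-side way to derive the local filename: the name from the URL the user typed is the default, server suggestions are applied only on explicit opt-in and only if they are plain visible names, and every rejected suggestion is returned so the caller can log it. The function names, the `honor_suggested` flag, the `index.html` fallback and the example.test URLs are all assumptions made for this example.

```python
"""Added example (not libwww-perl code): choose a local filename for a download
without trusting the server, following the advisory's recommendation.

Constructed inputs: URLs under the reserved example.test domain."""
import posixpath
from email.message import Message
from email.utils import collapse_rfc2231_value
from urllib.parse import unquote, urlsplit


def filename_from_url(url):
    """Last path segment of a URL, percent-decoded (the name the user expects)."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or "index.html"  # assumed fallback for an empty or trailing-slash path


def filename_from_content_disposition(header):
    """Extract the filename parameter from a Content-Disposition header value."""
    msg = Message()
    msg["Content-Disposition"] = header
    value = msg.get_param("filename", header="Content-Disposition")
    if value is None:
        return None
    # RFC 2231 encoded parameters come back as (charset, language, text) tuples.
    return collapse_rfc2231_value(value)


def is_safe_local_name(name):
    """Accept only a plain, visible file name inside the current directory."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("."):                  # .bashrc, .login and other init files
        return False
    if any(ch in name for ch in "/\\\x00"):   # path separators and NUL
        return False
    return True


def choose_local_name(requested_url, final_url=None, content_disposition=None,
                      honor_suggested=False):
    """Return (name, source, rejected).

    name/source: the file name to save under and where it came from
    ("url", "location" or "content-disposition").
    rejected: server-suggested names that failed is_safe_local_name, for logging.
    Suggestions are applied only when honor_suggested is True, mirroring the
    opt-in (-s) the upstream fix introduced for lwp-download.
    """
    candidates = []
    if content_disposition:
        suggested = filename_from_content_disposition(content_disposition)
        if suggested:
            candidates.append(("content-disposition", suggested))
    if final_url and final_url != requested_url:
        candidates.append(("location", filename_from_url(final_url)))

    rejected = [(src, cand) for src, cand in candidates
                if not is_safe_local_name(cand)]
    if honor_suggested:
        for src, cand in candidates:
            if is_safe_local_name(cand):
                return cand, src, rejected
    return filename_from_url(requested_url), "url", rejected


if __name__ == "__main__":
    url = "http://example.test/files/report.pdf"  # constructed
    print(choose_local_name(url))
    print(choose_local_name(url, content_disposition='attachment; filename=".bashrc"',
                            honor_suggested=True))
    print(choose_local_name(url, final_url="http://example.test/other/.login",
                            honor_suggested=True))
```

The `rejected` list is the detection hook: a server that suggests a dotfile or a name containing a path separator is worth recording even when the client was never going to honor it, since that is the behaviour the advisory describes.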
Comment 11 Huzaifa S. Sidhpurwala 2010-09-27 06:38:02 EDT
This issue is not planned to be fixed in Red Hat Certificate System v7.2 and 7.3 where only qualified security errata of critical impact are addressed.


http://www.redhat.com/security/updates/certificate/
Comment 13 Huzaifa S. Sidhpurwala 2010-09-27 08:38:45 EDT
lwp-download is a sample application shipped with perl-libwww-perl which is affected by this vulnerability. However, the libwww-perl library is not affected.

Perl scripts would use the LWP library in order to download files, hence the scope of this vulnerability is limited to the sample script.
Comment 14 Huzaifa S. Sidhpurwala 2010-09-27 08:45:09 EDT
Created perl-libwww-perl tracking bugs for this issue

Affects: fedora-all [bug 637788]
Comment 15 Huzaifa S. Sidhpurwala 2010-09-27 08:59:05 EDT
This issue affects the versions of the perl-libwww-perl package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

--

This issue affects the versions of the perl-libwww-perl package, as shipped
with Fedora release of 12 and 13.
Comment 18 Huzaifa S. Sidhpurwala 2010-11-29 01:15:45 EST
Statement:

This issue affects the versions of the perl-libwww-perl package, as shipped
with Red Hat Enterprise Linux 4, 5 and 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
