PublicDateAtUSN: 2010-07-06
Candidate: CVE-2010-2253
PublicDate: 2010-07-06 17:17:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2253
 http://www.ocert.org/advisories/ocert-2010-001.html
 https://ubuntu.com/security/notices/USN-981-1
Description:
 lwp-download in libwww-perl before 5.835 does not reject downloads to
 filenames that begin with a . (dot) character, which allows remote servers
 to create or overwrite files via (1) a 3xx redirect to a URL with a crafted
 filename or (2) a Content-Disposition header that suggests a crafted
 filename, and possibly execute arbitrary code as a consequence of writing
 to a dotfile in a home directory.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=602800
 https://bugzilla.redhat.com/show_bug.cgi?id=591580
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_libwww-perl:
 upstream: http://github.com/gisle/libwww-perl/commit/f97f339f552666ef79cdd2cf2a44032cf206bb6e
upstream_libwww-perl: released (5.835)
dapper_libwww-perl: released (5.803-4ubuntu0.1)
hardy_libwww-perl: released (5.808-1ubuntu0.1)
jaunty_libwww-perl: released (5.820-1ubuntu0.1)
karmic_libwww-perl: released (5.831-1ubuntu0.1)
lucid_libwww-perl: released (5.834-1ubuntu0.1)
devel_libwww-perl: not-affected (5.836-1)