CVE-2010-2253

Publication date 6 July 2010

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Status

No maintained releases are affected by this CVE.

Package Ubuntu Release Status
libwww-perl 10.04 LTS lucid
Fixed 5.834-1ubuntu0.1
9.10 karmic
Fixed 5.831-1ubuntu0.1
9.04 jaunty
Fixed 5.820-1ubuntu0.1
8.04 LTS hardy
Fixed 5.808-1ubuntu0.1
6.06 LTS dapper
Fixed 5.803-4ubuntu0.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libwww-perl

References

Related Ubuntu Security Notices (USN)

    • USN-981-1
    • libwww-perl vulnerability
    • 31 August 2010

Other references