libwww-perl: Multiple vulnerabilities — GLSA 201402-04

Multiple vulnerabilities have been found in libwww-perl, the worst of which could allow attackers to execute arbitrary code.

Affected packages

dev-perl/libwww-perl on all architectures
Affected versions < 6.30.0
Unaffected versions >= 6.30.0

Background

libwww is a collection of Perl modules providing a consistent interface to the World-Wide Web.

Description

Multiple vulnerabilities have been discovered in libwww-perl. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could entice a user to download a specially-crafted file with an application linked against libwww-perl, which could result in overwritten files or arbitrary code execution by writing to a dotfile in the user’s home directory (such as .bashrc). Additionally, a remote attacker could perform a Man-in-the-Middle attack.

Workaround

There is no known workaround at this time.

Resolution

All libwww-perl users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-perl/libwww-perl-6.30.0"
 

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since December 18, 2011. It is likely that your system is already no longer affected by this issue.

References

Release date
February 04, 2014

Latest revision
February 04, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries