Mandriva Linux Security Advisory 2010-167 – lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/93382/MDVSA-2010-167.txt
Source: https://packetstormsecurity.com/files/93382/Mandriva-Linux-Security-Advisory-2010-167.html
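
The check whose absence the advisory describes, sketched as an added example (not libwww-perl's own code and not the fix shipped in 5.835): a download client validates the name suggested by the final URL or by Content-Disposition before writing anything. The function names and the example.test inputs are constructed for illustration, and only core Perl is assumed.

```perl
use 5.010;
use strict;
use warnings;

# Validate a server-suggested filename; return it, or undef to reject.
sub safe_download_name {
    my ($suggested) = @_;
    return undef unless defined $suggested && length $suggested;
    (my $name = $suggested) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;  # percent-decode first
    $name =~ s{.*[/\\]}{}s;                       # keep only the last path component
    return undef if $name eq '';
    return undef if $name =~ /^\./;               # dotfiles, "." and ".."
    return undef if $name =~ /[\x00-\x1f\x7f]/;   # control characters
    return $name;
}

# Filename suggested by a Content-Disposition value (plain filename= only).
sub name_from_content_disposition {
    my ($header) = @_;
    return undef unless defined $header;
    return $1 if $header =~ /\bfilename\s*=\s*"([^"]*)"/i;
    return $1 if $header =~ /\bfilename\s*=\s*([^;\s]+)/i;
    return undef;
}

# Filename suggested by the final URL after redirects: its last path segment.
sub name_from_url {
    my ($url) = @_;
    (my $path = $url) =~ s/[?#].*//s;             # drop query and fragment
    $path =~ s{^[a-z][a-z0-9+.-]*://[^/]*}{}i;    # drop scheme and authority
    return $path =~ m{([^/]+)$} ? $1 : undef;
}

# Constructed inputs: [final URL, Content-Disposition value or undef].
my @cases = (
    [ 'https://example.test/files/report.pdf', undef ],
    [ 'https://example.test/r/.bashrc',        undef ],
    [ 'https://example.test/r/%2Ebashrc',      undef ],
    [ 'https://example.test/get?id=7', 'attachment; filename=".profile"' ],
    [ 'https://example.test/get?id=7', 'attachment; filename="../.profile"' ],
    [ 'https://example.test/get?id=7', 'attachment; filename="notes.txt"' ],
);
for my $case (@cases) {
    my ($url, $cd) = @$case;
    my $suggested = name_from_content_disposition($cd) // name_from_url($url);
    my $name = safe_download_name($suggested);
    say join ' | ', $url, $cd // '-', defined $name ? "save as $name" : 'REJECT';
}
```

When a name is rejected, the caller should abort or fall back to a locally generated name rather than attempt to repair the server's suggestion.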

