oss-sec mailing list archives
Re: CVE Request: CPAN perl module Data::UUID symlink attacks
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 31 Jul 2013 07:53:41 +0200
Hi Tim, On Tue, Jul 30, 2013 at 10:36:17PM +0100, Tim Retout wrote:
> Hi all,
>
> The Perl module Data::UUID from CPAN is vulnerable to symlink attacks. This is a widely used Perl module for generating UUIDs.
>
> Details are in the bug report on github: https://github.com/rjbs/Data-UUID/issues/5
>
> I believe all released versions are affected - I have confirmed the issue against 1.219.
>
> Regarding affected distributions, note that Debian and Fedora do not ship Data::UUID from CPAN - they use OSSP's uuid. However, at least Arch and Gentoo seem to ship the CPAN version.
Only a short comment on this: For Debian this will change, as there is an Intent to Package bug report pending [1] and a package in the NEW queue waiting to be accepted into the archive. [2]

[1] http://bugs.debian.org/717315
[2] http://ftp-master.debian.org/new.html

Regards,
Salvatore
Current thread:
- CVE Request: CPAN perl module Data::UUID symlink attacks Tim Retout (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Salvatore Bonaccorso (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Kurt Seifried (Jul 31)