oss-sec mailing list archives
CVE Request: Capture::Tiny: insecure use of /tmp
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 6 Feb 2014 17:04:09 +0100
Hi Jakub Wilk reported the following insecure use of /tmp on the Debian BTS at [1]. [1] http://bugs.debian.org/737835 On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
$ strace -f -o '| grep -E open.*/tmp' perl test.pl 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3 The first temporary file is created securely, but the second open(2) call lacks the O_EXCL flag. The vulnerable code appears to be: # flag file is used to signal the child is ready $stash->{flag_files}{$which} = scalar tmpnam(); The File::temp::tmpnam documentation reads: “When called in scalar context, returns the full name (including path) of a temporary file (uses mktemp()). The only check is that the file does not already exist, but there is no guarantee that that condition will continue to apply.”
There is no upstream commit to fix this issue yet. Could a CVE be assigned for this insecure use of /tmp for the Capture::Tiny module? Regards, Salvatore
Current thread:
- CVE Request: Capture::Tiny: insecure use of /tmp Salvatore Bonaccorso (Feb 06)
- Re: CVE Request: Capture::Tiny: insecure use of /tmp cve-assign (Feb 06)