oss-sec mailing list archives
Re: Bug#740670: possible CVE requests: perltidy insecure temporary file usage
From: Don Armstrong <don () debian org>
Date: Fri, 7 Mar 2014 18:39:40 -0800
On Tue, 04 Mar 2014, Murray McAllister wrote:
> Jakub Wilk and Don Armstrong are discussing in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670
> 1) perltidy creating a temporary file with default permissions instead of 0600
> 2) the use of tmpnam().

The following trivial patch fixes this issue by just using File::Temp instead:

http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670

I'm currently preparing an upload which will resolve this issue for Debian in unstable and testing; I'm not certain if it necessitates a CVE or security update in stable, but if anyone feels that way, I don't mind preparing one.

-- 
Don Armstrong                      http://www.donarmstrong.com

listen, what you do in the privacy of your neighbour's house while they're away is your own business
 -- a softer world #511
    http://www.asofterworld.com/index.php?id=511

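
The two points raised in the thread (default permissions instead of 0600, and a name chosen separately from file creation), shown next to File::Temp in an added example. This is not part of the message above, not perltidy's code and not the Debian patch; the helper names `weak_tempfile`, `safe_tempfile` and `mode_of` are hypothetical, and everything runs inside a private scratch directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;
use File::Temp qw(tempfile tempdir);

# Private scratch directory so the demonstration never touches a shared /tmp.
my $dir = tempdir(CLEANUP => 1);

# Weak pattern (constructed for illustration): choose a name first, then
# open it in a second step. The file gets the umask-derived default mode,
# and open() with '>' would follow a symlink placed at that name in between.
sub weak_tempfile {
    my $name = File::Spec->catfile($dir, "example.$$.tmp");
    open(my $fh, '>', $name) or die "open $name: $!";
    return ($fh, $name);
}

# Corrected pattern: File::Temp picks the name and creates the file in one
# step with O_CREAT|O_EXCL, and the new file is created with mode 0600.
sub safe_tempfile {
    my ($fh, $name) = tempfile('exampleXXXXXXXX', DIR => $dir, UNLINK => 0);
    return ($fh, $name);
}

# Permission bits of a path, without the file-type bits.
sub mode_of {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!";
    return S_IMODE($st[2]);
}

umask 0022;    # a common default, set explicitly so the output is reproducible
for my $case ([weak => \&weak_tempfile], [safe => \&safe_tempfile]) {
    my ($label, $create) = @$case;
    my ($fh, $name) = $create->();
    printf "%-4s mode %04o  %s\n", $label, mode_of($name), $name;
    close($fh) or warn "close $name: $!";
}
```

With the umask set as above, the first file is readable by other local users and the File::Temp file is not.
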
Current thread:
- possible CVE requests: perltidy insecure temporary file usage Murray McAllister (Mar 03)
- Re: Bug#740670: possible CVE requests: perltidy insecure temporary file usage Don Armstrong (Mar 07)
- Re: possible CVE requests: perltidy insecure temporary file usage cve-assign (Mar 08)
- Re: Re: possible CVE requests: perltidy insecure temporary file usage Murray McAllister (Mar 10)