Re: Bug#740670: possible CVE requests: perltidy insecure temporary file usage

[Don Armstrong <don () debian org>]

On Tue, 04 Mar 2014, Murray McAllister wrote:
> Jakub Wilk and Don Armstrong are discussing in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> creating a temporary file with default permissions instead of 0600
> 2) the use of tmpnam().

The following trivial patch fixes this issue by just using File::Temp
instead:

http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670
 
I'm currently preparing an upload which will resolve this issue for
Debian in unstable and testing; I'm not certain if it necessitates a CVE
or security update in stable, but if anyone feels that way, I don't mind
preparing one.

-- 
Don Armstrong                      http://www.donarmstrong.com

listen, what you do in the privacy
of your neighbour's house while they're away
is your own business
 -- a softer world #511
    http://www.asofterworld.com/index.php?id=511