oss-sec mailing list archives

CVE Request: CPAN perl module Data::UUID symlink attacks


From: Tim Retout <tim () retout co uk>
Date: Tue, 30 Jul 2013 22:36:17 +0100

Hi all,

The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
This is a widely used Perl module for generating UUIDs.

Details are in the bug report on github:
https://github.com/rjbs/Data-UUID/issues/5

I believe all released versions are affected - I have confirmed the
issue against 1.219.

Regarding affected distributions, note that Debian and Fedora do not
ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
Arch and Gentoo seem to ship the CPAN version.

I've not previously requested a CVE id for this, it's an open source
request, and it's not embargoed.

Kind regards,

-- 
Tim Retout <tim () retout co uk>

