oss-sec mailing list archives
CVE Request: CPAN perl module Data::UUID symlink attacks
From: Tim Retout <tim () retout co uk>
Date: Tue, 30 Jul 2013 22:36:17 +0100
Hi all,

The Perl module Data::UUID from CPAN is vulnerable to symlink attacks. This is a widely used Perl module for generating UUIDs.

Details are in the bug report on github:
https://github.com/rjbs/Data-UUID/issues/5

I believe all released versions are affected - I have confirmed the issue against 1.219.

Regarding affected distributions, note that Debian and Fedora do not ship Data::UUID from CPAN - they use OSSP's uuid. However, at least Arch and Gentoo seem to ship the CPAN version.

I've not previously requested a CVE id for this, it's an open source request, and it's not embargoed.

Kind regards,

--
Tim Retout <tim () retout co uk>
Current thread:
- CVE Request: CPAN perl module Data::UUID symlink attacks Tim Retout (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Salvatore Bonaccorso (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Kurt Seifried (Jul 31)