oss-sec mailing list archives

Re: CVE Request: CPAN perl module Data::UUID symlink attacks


From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 31 Jul 2013 07:53:41 +0200

Hi Tim,

On Tue, Jul 30, 2013 at 10:36:17PM +0100, Tim Retout wrote:
Hi all,

The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
This is a widely used Perl module for generating UUIDs.

Details are in the bug report on github:
https://github.com/rjbs/Data-UUID/issues/5

I believe all released versions are affected - I have confirmed the
issue against 1.219.

Regarding affected distributions, note that Debian and Fedora do not
ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
Arch and Gentoo seem to ship the CPAN version.

Only a short comment on this: for Debian this will change, as there is an
Intent to Package bug report pending [1] and a package in the NEW queue [2]
waiting to be accepted into the archive.

[1] http://bugs.debian.org/717315
[2] http://ftp-master.debian.org/new.html

Regards,
Salvatore
