oss-sec mailing list archives
Re: CVE Request: CPAN perl module Data::UUID symlink attacks
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 31 Jul 2013 02:12:45 -0600
On 07/30/2013 03:36 PM, Tim Retout wrote:
> Hi all,
>
> The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
> This is a widely used Perl module for generating UUIDs.
>
> Details are in the bug report on github:
> https://github.com/rjbs/Data-UUID/issues/5
>
> I believe all released versions are affected - I have confirmed the
> issue against 1.219.
>
> Regarding affected distributions, note that Debian and Fedora do not
> ship Data::UUID from CPAN - they use OSSP's uuid. However, at least
> Arch and Gentoo seem to ship the CPAN version.
>
> I've not previously requested a CVE id for this, it's an open source
> request, and it's not embargoed.
>
> Kind regards,

Please use CVE-2013-4184 for this issue.

Not all Linuxes have that sysctl.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE Request: CPAN perl module Data::UUID symlink attacks Tim Retout (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Salvatore Bonaccorso (Jul 30)
- Re: CVE Request: CPAN perl module Data::UUID symlink attacks Kurt Seifried (Jul 31)