Re: CVE Request: CPAN perl module Data::UUID symlink attacks

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/30/2013 03:36 PM, Tim Retout wrote:
> Hi all,
>
> The Perl module Data::UUID from CPAN is vulnerable to symlink
> attacks. This is a widely used Perl module for generating UUIDs.
>
> Details are in the bug report on github: 
> https://github.com/rjbs/Data-UUID/issues/5
>
> I believe all released versions are affected - I have confirmed
> the issue against 1.219.
>
> Regarding affected distributions, note that Debian and Fedora do
> not ship Data::UUID from CPAN - they use OSSP's uuid.  However, at
> least Arch and Gentoo seem to ship the CPAN version.
>
> I've not previously requested a CVE id for this, it's an open
> source request, and it's not embargoed.
>
> Kind regards,

Please use CVE-2013-4184 for this issue. Not all Linux's have that sysctl.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR+Mb9AAoJEBYNRVNeJnmTB9IP/0iZKeYYiUQZD/1wZCY4fuRo
Hc8LKA5c0vuTLGGZ/EgLLZ8184r34UbODdhS2oNBCTWkqFZXgu48vyyrSWuUAZYj
sZNz78Cq6wJ0Uq6db61hX7044FfEEB3Ch4oMWrtqey0WXvvR/yRZYzND6PdFcCVp
0b3YrcP+Ls8+j9hrwKpwdDZox2V5Xq/MR12jrjixlbgHUXeOpo1uicu1yo72SG3o
5GUeTPl4vhN5mOQ+yU1tihT6c5GfDHFSOjnLQ6qQriJs15o/xXV9SZpstNdhACGe
Qt+CBC0OK/dsEnrFgXk1rOHm8VUXR1cWVcgQfCNs3kqUih7wqLzREomjM1Ulhuwm
0iM00bmSr3UhxoAU7yxOW+12/xhYdkruUqDd05cRxz+63fJIZUiDywJTU4VW2YPq
29J9es2zmz4AkGiV+A9wdQANAeyZsTavRFjtaenzopAJteJv0p56fTvqkKALup/L
RhopNAe5mp27xlKttdth3yeni+EcOmiK5QmwyaJLdX7ySXlHAvSoKXgD02TfzEOA
Lbglf1x4cwj4TG9SZrdrinbCRQ4UfcTAMXOOeaxsSdk2h20xhh54Ga1ldKRGtn1v
77Q9xfy9okXccju5Xz/Fexq0SPLj/xa3yIhydnbvAf/aiOL2nCA6RrLlZiP2mrDQ
3+f3R9iu5+q4J5Nwjbeh
=y5hD
-----END PGP SIGNATURE-----