CVE Request: Capture::Tiny: insecure use of /tmp

[Salvatore Bonaccorso <carnil () debian org>]

Hi

Jakub Wilk reported the following insecure use of /tmp on the Debian
BTS at [1].

 [1] http://bugs.debian.org/737835
 
On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
> $ strace -f -o '| grep -E open.*/tmp' perl test.pl
> 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
> 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
>
> The first temporary file is created securely, but the second open(2)
> call lacks the O_EXCL flag. The vulnerable code appears to be:
>
>   # flag file is used to signal the child is ready
>   $stash->{flag_files}{$which} = scalar tmpnam();
>
> The File::temp::tmpnam documentation reads: “When called in scalar
> context, returns the full name (including path) of a temporary file
> (uses mktemp()). The only check is that the file does not already
> exist, but there is no guarantee that that condition will continue
> to apply.”

There is no upstream commit to fix this issue yet.

Could a CVE be assigned for this insecure use of /tmp for the
Capture::Tiny module?

Regards,
Salvatore