oss-sec mailing list archives
CVE Request: Clipboard Perl module: clipedit: insecure use of temporary files
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 29 Aug 2014 18:39:29 +0200
Hi

The Clipboard Perl module distribution [1] ships a small script 'clipedit' which insecurely uses temporary files by using the pid of the process in the used filename in /tmp[2]. The affected code looks like:

    [...]
    my $tmpfilename = "/tmp/clipedit$$";
    open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";
    print $tmpfile $orig;
    close $tmpfile;
    [...]
    system($ed, $tmpfilename);

    open $tmpfile, $tmpfilename or die "Failure to open $tmpfilename: $!";
    my $edited = join '', <$tmpfile>;
    [...]
    unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";

Could you assign a CVE for this issue?

[1] https://metacpan.org/release/Clipboard
[2] https://rt.cpan.org/Ticket/Display.html?id=98435

Regards,
Salvatore
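A hardened form of the write/edit/read-back flow quoted in the message above, as an added example that is not part of the original post or of the Clipboard distribution. It uses File::Temp in place of the pid-based name; the helper name edit_text and the stand-in editor command are hypothetical, constructed so the script runs unattended.

```perl
#!/usr/bin/perl
# Added example: safe temporary-file handling for an "edit in $EDITOR" flow.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper: write $orig to a private temp file, run the editor
# command on it, and return the edited text.
sub edit_text {
    my ($orig, @editor) = @_;

    # tempfile() chooses an unpredictable name and creates the file with
    # O_CREAT|O_EXCL and mode 0600, so a file or symlink that already
    # exists under that name makes the open fail instead of being written
    # through. UNLINK => 1 removes the file at program exit, even after die.
    my ($fh, $path) = tempfile('clipeditXXXXXXXX', TMPDIR => 1, UNLINK => 1);
    print {$fh} $orig or die "Failure to write $path: $!";
    close $fh or die "Failure to close $path: $!";

    # List form of system(): the editor is run without a shell.
    system(@editor, $path) == 0 or die "Editor exited with status $?";

    # Three-argument open: the file name cannot change the open mode.
    open my $in, '<', $path or die "Failure to open $path: $!";
    my $edited = do { local $/; <$in> };
    close $in or die "Failure to close $path: $!";
    return $edited;
}

# Constructed stand-in for an interactive editor: appends one line to the
# file it is given, using the running perl binary ($^X).
my @editor = (
    $^X, '-e',
    'open my $f, ">>", $ARGV[0] or die $!; print {$f} "edited\n"; close $f',
);

print edit_text("hello from the clipboard\n", @editor);
```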