Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jul 2013 22:36:17 +0100
From: Tim Retout <tim@...out.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE Request: CPAN perl module Data::UUID symlink attacks

Hi all,

The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
 This is a widely used Perl module for generating UUIDs.

Details are in the bug report on github:
https://github.com/rjbs/Data-UUID/issues/5

I believe all released versions are affected - I have confirmed the
issue against 1.219.

Regarding affected distributions, note that Debian and Fedora do not
ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
Arch and Gentoo seem to ship the CPAN version.

I've not previously requested a CVE id for this, it's an open source
request, and it's not embargoed.

Kind regards,

-- 
Tim Retout <tim@...out.co.uk>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.