Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Aug 2014 18:39:29 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>,
	Ryan King <rking@...optic.com>
Subject: CVE Request: Clipboard Perl module: clipedit: insecure use of
 temporary files

Hi

The Clipboard Perl module distribution [1] ships a small script
'clipedit' which insecurely uses temporary files by using the pid of
the process in the used filename in /tmp[2]. The affected code looks
like:

 [...]
  7 my $tmpfilename = "/tmp/clipedit$$";  
  8 open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";  
  9 print $tmpfile $orig;  
 10 close $tmpfile;
 [...]
 13 system($ed, $tmpfilename);  
 14   
 15 open $tmpfile, $tmpfilename or die "Failure to open $tmpfilename: $!";
 16 my $edited = join '', <$tmpfile>;
 [...]
 49 unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";

Could you assing a CVE for this issue?

 [1] https://metacpan.org/release/Clipboard
 [2] https://rt.cpan.org/Ticket/Display.html?id=98435

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ