Date: Wed, 31 Jul 2013 07:53:41 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: CPAN perl module Data::UUID symlink
 attacks

Hi Tim,

On Tue, Jul 30, 2013 at 10:36:17PM +0100, Tim Retout wrote:
> Hi all,
> 
> The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
>  This is a widely used Perl module for generating UUIDs.
> 
> Details are in the bug report on github:
> https://github.com/rjbs/Data-UUID/issues/5
> 
> I believe all released versions are affected - I have confirmed the
> issue against 1.219.
> 
> Regarding affected distributions, note that Debian and Fedora do not
> ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
> Arch and Gentoo seem to ship the CPAN version.

Only a short comment on this: For Debian this will change, as there is an
Intent to Package bug report pending and a package in the NEW queue waiting
to be accepted into the archive.

 [1] http://bugs.debian.org/717315
 [2] http://ftp-master.debian.org/new.html

Regards,
Salvatore
