Date: Thu, 6 Feb 2014 17:04:09 +0100
From: Salvatore Bonaccorso <>
Cc: Jakub Wilk <>,
Subject: CVE Request: Capture::Tiny: insecure use of /tmp


Jakub Wilk reported the following insecure use of /tmp on the Debian
BTS at [1].

On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
> $ strace -f -o '| grep -E open.*/tmp' perl
> 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
> 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
> The first temporary file is created securely, but the second open(2)
> call lacks the O_EXCL flag. The vulnerable code appears to be:
>   # flag file is used to signal the child is ready
>   $stash->{flag_files}{$which} = scalar tmpnam();
> The File::Temp::tmpnam documentation reads: “When called in scalar
> context, returns the full name (including path) of a temporary file
> (uses mktemp()). The only check is that the file does not already
> exist, but there is no guarantee that that condition will continue
> to apply.”

There is no upstream commit to fix this issue yet.

Could a CVE be assigned for this insecure use of /tmp for the
Capture::Tiny module?
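The report quotes the vulnerable line but not a fix. The following is an added example, not code from the original message or from Capture::Tiny itself: the tmpnam()-then-open() pattern beside the tempfile() pattern that creates the file with O_CREAT|O_EXCL (the first open() in the strace output), plus a check that an O_EXCL open refuses a path that already exists. The template name, TMPDIR and UNLINK options are this example's own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tmpnam);

# Insecure pattern, as in the report: tmpnam() in scalar context returns
# only a name (mktemp(3) semantics). Nothing is created until the later
# open(), which uses O_WRONLY|O_CREAT|O_TRUNC and reuses whatever already
# sits at that path. Defined here for contrast only; it is not called.
sub flag_file_insecure {
    my $name = scalar tmpnam();
    open my $fh, '>', $name or die "open $name: $!";
    return ($fh, $name);
}

# Hardened pattern: tempfile() creates the file itself with O_CREAT|O_EXCL
# and returns the already-open handle, so there is no window between
# choosing the name and owning the file. The template, TMPDIR and UNLINK
# arguments are this example's assumptions, not Capture::Tiny's code.
sub flag_file_secure {
    my ($fh, $name) = tempfile('flag_XXXXXXXXXX', TMPDIR => 1, UNLINK => 1);
    return ($fh, $name);
}

# Property check: an O_CREAT|O_EXCL open must fail with EEXIST when the
# path already exists. This is exactly the guarantee tmpnam() cannot give,
# because it never creates anything.
sub excl_open_refuses_existing {
    my ($path) = @_;
    my $ok = sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return !$ok && $! == EEXIST;
}

my ($fh, $name) = flag_file_secure();
print "secure flag file: $name\n";
print "O_EXCL open of existing path refused: ",
      (excl_open_refuses_existing($name) ? "yes" : "no"), "\n";
close $fh;
```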

