Message-ID: <20140308023940.GZ22749@teltox.donarmstrong.com>
Date: Fri, 7 Mar 2014 18:39:40 -0800
From: Don Armstrong <don@...ian.org>
To: mmcallis@...hat.com, 740670@...s.debian.org
Cc: oss-security@...ts.openwall.com, Jakub Wilk <jwilk@...ian.org>
Subject: Re: Bug#740670: possible CVE requests: perltidy insecure temporary file usage

On Tue, 04 Mar 2014, Murray McAllister wrote:
> Jakub Wilk and Don Armstrong are discussing in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> creating a temporary file with default permissions instead of 0600
> 2) the use of tmpnam().
The following trivial patch fixes this issue by just using File::Temp
instead:
http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670
I'm currently preparing an upload which will resolve this issue for
Debian in unstable and testing; I'm not certain if it necessitates a CVE
or security update in stable, but if anyone feels that way, I don't mind
preparing one.
--
Don Armstrong http://www.donarmstrong.com
listen, what you do in the privacy
of your neighbour's house while they're away
is your own business
-- a softer world #511
http://www.asofterworld.com/index.php?id=511
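
The two problems named in the quoted report, next to the File::Temp approach the reply describes, as an added example (it is not perltidy's code and not the linked patch). The sub names and file names are hypothetical, and the predictable name is built by hand because POSIX::tmpnam() was removed in Perl 5.26.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# Weak pattern: choose a name first, open it afterwards.
# Constructed stand-in for a tmpnam()-style call; the weakness is the same.
sub insecure_tmp {
    my $name = File::Spec->catfile(File::Spec->tmpdir, "demo_$$.tmp");
    # A plain '>' open has no O_EXCL: a file or symlink that already exists
    # at $name is followed and truncated. The mode is 0666 & ~umask, so the
    # contents are readable by other local users under a typical umask.
    open(my $fh, '>', $name) or die "open $name: $!";
    return ($fh, $name);
}

# Hardened pattern: File::Temp picks the name and creates the file in one
# step with O_CREAT|O_EXCL and mode 0600, retrying on a name collision.
sub secure_tmp {
    my ($fh, $name) = tempfile('demo_XXXXXXXX', TMPDIR => 1, UNLINK => 1);
    return ($fh, $name);
}

# Permission bits of a path as a four-digit octal string.
sub mode_of {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!";
    return sprintf('%04o', $st[2] & 07777);
}

umask 022;    # common default, set explicitly so the comparison is stable

my ($ifh, $iname) = insecure_tmp();
my ($sfh, $sname) = secure_tmp();

printf "%-12s %-40s mode %s\n", 'plain open', $iname, mode_of($iname);
printf "%-12s %-40s mode %s\n", 'File::Temp', $sname, mode_of($sname);

close $ifh;
unlink $iname;    # the File::Temp file is removed at exit via UNLINK => 1
close $sfh;
```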