Message-ID: <20140308023940.GZ22749@teltox.donarmstrong.com>
Date: Fri, 7 Mar 2014 18:39:40 -0800
From: Don Armstrong <don@...ian.org>
To: mmcallis@...hat.com, 740670@...s.debian.org
Cc: oss-security@...ts.openwall.com, Jakub Wilk <jwilk@...ian.org>
Subject: Re: Bug#740670: possible CVE requests: perltidy insecure temporary file usage

On Tue, 04 Mar 2014, Murray McAllister wrote:
> Jakub Wilk and Don Armstrong are discussing in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> creating a temporary file with default permissions instead of 0600
> 2) the use of tmpnam().

The following trivial patch fixes this issue by just using File::Temp
instead:

http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670

I'm currently preparing an upload which will resolve this issue for
Debian in unstable and testing; I'm not certain if it necessitates a
CVE or security update in stable, but if anyone feels that way, I don't
mind preparing one.

-- 
Don Armstrong                      http://www.donarmstrong.com

listen, what you do in the privacy of your neighbour's house while
they're away is your own business
 -- a softer world #511
    http://www.asofterworld.com/index.php?id=511
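
The two problems named in the quoted report (a file created with default permissions instead of 0600, and a name chosen before the file is opened), next to the File::Temp behaviour the patch switches to. This is an added example, not part of the original message and not perltidy's code; the file names and helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not perltidy's code): name-then-open vs. File::Temp.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Private scratch directory so the demo touches nothing shared; removed at exit.
my $dir = tempdir(CLEANUP => 1);

# Unsafe pattern: the name is chosen first and opened later with a plain
# open(). Anything already at that path is reused, and a new file gets
# default permissions (0666 masked by the umask) rather than 0600.
sub create_unsafe {
    my ($path) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    return $fh;
}

# Safe pattern: File::Temp picks the name and opens it in one step with
# O_CREAT|O_EXCL and mode 0600, so an existing path is never reused.
sub create_safe {
    my ($fh, $path) = tempfile('perltidy-demo-XXXXXXXX', DIR => $dir, UNLINK => 1);
    return ($fh, $path);
}

# Permission bits of a path as a four-digit octal string.
sub mode_of { return sprintf '%04o', (stat $_[0])[2] & 07777 }

umask 0022;                               # a common default umask
my $guessable = "$dir/demo.tmp";          # hypothetical predictable name
my $ufh = create_unsafe($guessable);
my ($sfh, $safe_path) = create_safe();

printf "plain open : %s mode %s\n", $guessable, mode_of($guessable);
printf "File::Temp : %s mode %s\n", $safe_path, mode_of($safe_path);

# The property File::Temp relies on: O_EXCL fails if the path already exists.
if (sysopen(my $fh, $guessable, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    print "unexpected: O_EXCL open succeeded on an existing path\n";
} else {
    print "O_EXCL open of existing path refused: $!\n";
}
```

Comparing the two printed modes is a quick way to audit other code for the same pattern: any temporary file that comes out group- or world-readable was not created through File::Temp or an equivalent exclusive, mode-restricted open.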