Bug#671255: CVE-2012-2451: CWE-377 Insecure Temporary File

Adam D. Barratt adam at adam-barratt.org.uk
Sun May 6 21:13:05 UTC 2012


On Sun, 2012-05-06 at 22:48 +0200, Cyril Brulebois wrote:
> gregor herrmann <gregoa at debian.org> (06/05/2012):
> > Attached is a backport of the fix for squeeze; reviews welcome.
> > 
> > Dear security and release teams: Please advise on how to proceed;
> > does s-p-u sound right for this issue?
> 
> I'm happy to take it for s-p-u, but the merge window is supposed to
> close this weekend. Given the fix looks pretty straightforward, I think
> I'd take it even if that's a little late. Adam, do you concur?

It is closing this weekend, although the exact definition may depend on
when I wake up tomorrow :) (given that it's a public holiday)

I'm a little torn here.  The fix is indeed small and straightforward,
but:

> (No error handling when doing I/O? Bad. But oh well, using tempfile
> makes it look better anyway.)

Specifically, a loss of error handling.  The original version at least
let the caller gracefully handle the failure, whereas the new version is
technically an API change in that the function is defined as returning
undef in the case of failure and no longer does if creating the
temporary file fails; I'm not sure how well the (several) r-deps in the
archive will handle that.

Regards,

Adam
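As an added illustration of the API-contract concern raised above (a constructed example, not the patch under discussion or the package's own code; `write_insecure` and `write_secure` are hypothetical names), the insecure pattern with its undef-on-failure contract is shown next to a File::Temp version that keeps the same contract by wrapping the call that would otherwise die:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# Insecure "before" (CWE-377): a predictable temporary name next to the target.
# Anyone who can pre-create or symlink "$file.tmp" can redirect the write.
# Note the documented contract: every failure path returns undef.
sub write_insecure {
    my ($file, $contents) = @_;
    my $tmp = "$file.tmp";
    open(my $fh, '>', $tmp) or return undef;
    (print {$fh} $contents) && close($fh) or return undef;
    rename($tmp, $file) or return undef;
    return 1;
}

# Hardened version. File::Temp creates the file with O_EXCL and mode 0600 and
# an unpredictable name, but tempfile() dies instead of returning a false value
# when creation fails, so it is wrapped in eval to preserve the undef contract.
sub write_secure {
    my ($file, $contents) = @_;
    my ($fh, $tmp) = eval {
        tempfile('.cfgXXXXXX', DIR => dirname($file), UNLINK => 0);
    };
    return undef unless defined $fh;          # creation failed: caller sees undef
    unless ((print {$fh} $contents) && close($fh)) {
        unlink $tmp;                          # do not leave a half-written file
        return undef;
    }
    # The temp file is 0600; restore wider permissions here with chmod if the
    # target is meant to be group/world readable.
    unless (rename($tmp, $file)) {
        unlink $tmp;
        return undef;
    }
    return 1;
}

# Constructed usage: a failing directory exercises the undef path in both.
my $rc = write_secure('/nonexistent-dir-constructed/app.conf', "key=value\n");
print defined $rc ? "written\n" : "write_secure returned undef\n";
```

Because the `eval` swallows the die, callers that already test for undef keep working; callers that prefer the exception can inspect `$@` inside the helper instead.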