Bug#737835: Capture::Tiny: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Thu Feb 6 11:52:21 UTC 2014
Package: libcapture-tiny-perl
Version: 0.23-1
Severity: important
Tags: security
$ strace -f -o '| grep -E open.*/tmp' perl test.pl
11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
The first temporary file is created securely, but the second open(2)
call lacks the O_EXCL flag. The vulnerable code appears to be:
# flag file is used to signal the child is ready
$stash->{flag_files}{$which} = scalar tmpnam();
The File::temp::tmpnam documentation reads: “When called in scalar
context, returns the full name (including path) of a temporary file
(uses mktemp()). The only check is that the file does not already exist,
but there is no guarantee that that condition will continue to apply.”
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libcapture-tiny-perl depends on:
ii perl 5.18.2-2
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.pl
Type: text/x-perl
Size: 124 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20140206/c39babe5/attachment-0001.pl>
More information about the pkg-perl-maintainers
mailing list