Bug#737835: CVE Request: Capture::Tiny: insecure use of /tmp
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 6 16:04:09 UTC 2014
Hi
Jakub Wilk reported the following insecure use of /tmp on the Debian
BTS at [1].
[1] http://bugs.debian.org/737835
On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
> $ strace -f -o '| grep -E open.*/tmp' perl test.pl
> 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
> 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
>
> The first temporary file is created securely, but the second open(2)
> call lacks the O_EXCL flag. The vulnerable code appears to be:
>
> # flag file is used to signal the child is ready
> $stash->{flag_files}{$which} = scalar tmpnam();
>
> The File::Temp::tmpnam documentation reads: “When called in scalar
> context, returns the full name (including path) of a temporary file
> (uses mktemp()). The only check is that the file does not already
> exist, but there is no guarantee that that condition will continue
> to apply.”
There is no upstream commit to fix this issue yet.
Could a CVE be assigned for this insecure use of /tmp for the
Capture::Tiny module?
Regards,
Salvatore
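
Added example (not part of the original message and not Capture::Tiny code): a Perl sketch contrasting the open(2) pattern from the strace output, which lacks O_EXCL, with an exclusive create and with File::Temp::tempfile(). The scratch directory, file names and contents are constructed for illustration, and the private directory stands in for a shared /tmp.

```perl
#!/usr/bin/perl
# Added illustration; every path lives in a private scratch directory.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir tempfile);

my $dir      = tempdir(CLEANUP => 1);   # stands in for a shared /tmp
my $existing = "$dir/existing.txt";     # constructed file the process can write to
my $flag     = "$dir/flagfile";         # stands in for a name returned by tmpnam()

open(my $e, '>', $existing) or die "create $existing: $!";
print {$e} "important data\n";
close($e);

# tmpnam() only checked that the name was free. Before the file is opened,
# the name comes into existence as a symlink to another file.
symlink($existing, $flag) or die "symlink: $!";

# Pattern from the report: O_WRONLY|O_CREAT|O_TRUNC, no O_EXCL.
# The open follows the symlink and truncates the file it points to.
open(my $fh, '>', $flag) or die "open $flag: $!";
close($fh);
printf "non-exclusive open: %s is now %d bytes\n",
    $existing, (stat $existing)[7];

# Exclusive create: O_EXCL fails if anything, a symlink included, already
# has the name, so the race is detected instead of followed.
if (sysopen(my $safe, $flag, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)) {
    close($safe);
    die "unexpected: exclusive create succeeded on an existing name\n";
}
elsif ($! == EEXIST) {
    print "exclusive create refused: $!\n";
}
else {
    die "sysopen $flag: $!";
}

# tempfile() picks the name and creates the file in one step, returning an
# open handle, so there is no window between the check and the open.
my ($tfh, $tname) = tempfile('flagXXXXXXXX', DIR => $dir);
print "tempfile() returned an open handle for $tname\n";
close($tfh);
```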