Hi Jakub Wilk reported the following insecure use of /tmp on the Debian BTS at [1].
[1] http://bugs.debian.org/737835 On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote: > $ strace -f -o '| grep -E open.*/tmp' perl test.pl > 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, > 0600) = 5 > 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3 > > The first temporary file is created securely, but the second open(2) > call lacks the O_EXCL flag. The vulnerable code appears to be: > > # flag file is used to signal the child is ready > $stash->{flag_files}{$which} = scalar tmpnam(); > > The File::temp::tmpnam documentation reads: “When called in scalar > context, returns the full name (including path) of a temporary file > (uses mktemp()). The only check is that the file does not already > exist, but there is no guarantee that that condition will continue > to apply.” There is no upstream commit to fix this issue yet. Could a CVE be assigned for this insecure use of /tmp for the Capture::Tiny module? Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
