Don,

Thanks, I will put it in the next release.

Steve

On Monday, March 10, 2014, Don Armstrong <d...@debian.org> wrote:

> On Fri, 07 Mar 2014, Don Armstrong wrote:
> > On Tue, 04 Mar 2014, Murray McAllister wrote:
> > > Jakub Wilk and Don Armstrong are discussing in
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> > > creating a temporary file with default permissions instead of 0600
> > > 2) the use of tmpnam().
> >
> > The following trivial patch fixes this issue by just using File::Temp
> > instead:
> >
> > > http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670
> >
> > I'm currently preparing an upload which will resolve this issue for
> > Debian in unstable and testing; I'm not certain if it necessitates a CVE
> > or security update in stable, but if anyone feels that way, I don't mind
> > preparing one.
>
> I just wanted to draw your attention to this patch; it fixes the
> insecure tmpnam and temporary file creation by using
> File::Temp::tempfile. A CVE has been given,
> https://security-tracker.debian.org/tracker/CVE-2014-2277
>
>
> --
> Don Armstrong http://www.donarmstrong.com
>
> If I had a letter, sealed it in a locked vault and hid the vault
> somewhere in New York. Then told you to read the letter, that's not
> security, that's obscurity. If I made a letter, sealed it in a vault,
> gave you the blueprints of the vault, the combinations of 1000 other
> vaults, access to the best locksmiths in the world, then told you to
> read the letter, and you still can't, that's security.
> -- Bruce Schneier
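The two temporary-file patterns the thread contrasts, written out as an added Perl example (this is not perltidy's code or Don's patch; the `perltidy_XXXXXX` template and the `is_owner_only` check are my own choices). The insecure function is shown for comparison only and is never called, since `POSIX::tmpnam` no longer exists in current Perl releases.

```perl
#!/usr/bin/perl
# Added example, not from perltidy: tmpnam()-style temp files versus File::Temp.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Insecure pattern (CVE-2014-2277 class of bug): tmpnam() only picks a name;
# the file is created in a separate step, with the process umask deciding
# its permissions, so another local user may be able to read or pre-create it.
# POSIX::tmpnam was removed from Perl in 5.22; this sub is for contrast only.
sub write_tmp_insecure {
    my ($data) = @_;
    require POSIX;
    my $name = POSIX::tmpnam();                        # name only, no file yet
    open my $fh, '>', $name or die "open $name: $!";   # default permissions
    print {$fh} $data;
    close $fh;
    return $name;
}

# Hardened pattern, as in the Debian patch: tempfile() creates and opens the
# file in one step with O_CREAT|O_EXCL and mode 0600, so there is no window
# between choosing the name and creating the file, and no umask dependence.
sub write_tmp_secure {
    my ($data) = @_;
    my ($fh, $name) = tempfile('perltidy_XXXXXX', TMPDIR => 1, UNLINK => 0);
    print {$fh} $data;
    close $fh;
    return $name;
}

# Reviewer's check (assumed helper): regular file with no group/other bits.
sub is_owner_only {
    my ($path) = @_;
    my @st = lstat $path or return 0;
    return 0 unless S_ISREG($st[2]);
    return (S_IMODE($st[2]) & 077) == 0 ? 1 : 0;
}

my $path = write_tmp_secure("sample output\n");   # constructed input
printf "%s mode %04o owner-only=%d\n",
    $path, (stat $path)[2] & 07777, is_owner_only($path);
unlink $path;
```

Run with `umask 000` set in the shell to see that `tempfile()` still yields mode 0600, which the open-after-tmpnam pattern does not.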