Tue Jul 19 02:41:23 2011: Request 69560 was acted upon.
Transaction: Correspondence added by RSCHUPP
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: [email protected]
Status: new
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >
On 2011-07-18 22:16:46, lightsey wrote:
> par_mktmpdir() makes no effort to verify that the /tmp/par-<username>
> directory is safe to use (owned by the correct UID and GID, not world
> writable, no symlinks in the path that are owned by another user.)
>
> This makes PAR packed scripts unsafe on multiuser systems.
Yawn. Where does it say that they are safe?
If you're really concerned about safety you should use
per-user temp directories, not for PAR::Packer, but in general.
Cheers, Roderich
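
The checks named in the quoted report (owning UID, no group or world write access, no symlink standing in for the directory), as an added example that is not PAR::Packer's code and not part of the ticket correspondence. The function name `ensure_private_tmpdir` is hypothetical, and only the final path component is examined, not the parent directories.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from PAR::Packer): create `path` if needed, then
 * refuse to use it unless it is a real directory owned by the effective UID
 * with no group/other write access. Returns 0 if usable, -1 with errno set. */
int ensure_private_tmpdir(const char *path)
{
    struct stat st;

    /* A pre-existing entry is not an error yet; it is validated below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* lstat() does not follow a symlink planted at `path`, so a link to
     * someone else's directory shows up as a link and is rejected. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }

    /* Another user could have created the predictable name first. */
    if (st.st_uid != geteuid()) { errno = EPERM; return -1; }

    /* Group write is refused as well as world write, so the directory's
     * group ownership cannot give anyone else write access. */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <tmpdir>\n", argv[0]);
        return 2;
    }
    if (ensure_private_tmpdir(argv[1]) != 0) {
        fprintf(stderr, "refusing to use %s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("%s is private to uid %ld\n", argv[1], (long)geteuid());
    return 0;
}
```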