Bug#740670: Info received (Bug#740670: possible CVE requests: perltidy insecure temporary file usage)

2014-03-28 Thread Steven Hancock
This patch is in version 20140328 at CPAN. On Mon, Mar 10, 2014 at 2:48 PM, Debian Bug Tracking System ow...@bugs.debian.org wrote: Thank you for the additional information you have supplied regarding this Bug report. This is an automatically generated reply to let you know your message

Bug#740670: Info received (Bug#740670: possible CVE requests: perltidy insecure temporary file usage)

2014-03-28 Thread Don Armstrong
Control: tag -1 fixed-upstream On Fri, 28 Mar 2014, Steven Hancock wrote: This patch is in version 20140328 at CPAN. Awesome. Thanks Steven! I'll get this packaged for Debian shortly. -- Don Armstrong http://www.donarmstrong.com One disk to rule them all, One disk to

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-10 Thread Don Armstrong
On Fri, 07 Mar 2014, Don Armstrong wrote: On Tue, 04 Mar 2014, Murray McAllister wrote: Jakub Wilk and Don Armstrong are discussing in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy creating a temporary file with default permissions instead of 0600 2) the use of

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-10 Thread Steven Hancock
Don, Thanks, I will put it in the next release. Steve On Monday, March 10, 2014, Don Armstrong d...@debian.org wrote: On Fri, 07 Mar 2014, Don Armstrong wrote: On Tue, 04 Mar 2014, Murray McAllister wrote: Jakub Wilk and Don Armstrong are discussing in

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-08 Thread cve-assign
Use CVE-2014-2277 for the issue in which, on all platforms, the filename string returned by make_temporary_filename might be used for an attacker's symlink before that filename is used by the perltidy code to write lines into a file. $^O =~

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-07 Thread Don Armstrong
On Tue, 04 Mar 2014, Murray McAllister wrote: Jakub Wilk and Don Armstrong are discussing in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy creating a temporary file with default permissions instead of 0600 2) the use of tmpnam(). The following trivial patch fixes this

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-07 Thread Salvatore Bonaccorso
Hi Don (dropping oss-security, as Debian specific discussion should not go to the list there, keeping Murray): On Fri, Mar 07, 2014 at 06:39:40PM -0800, Don Armstrong wrote: On Tue, 04 Mar 2014, Murray McAllister wrote: Jakub Wilk and Don Armstrong are discussing in

Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-03 Thread Murray McAllister
Good morning, Jakub Wilk and Don Armstrong are discussing in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy creating a temporary file with default permissions instead of 0600 2) the use of tmpnam(). From that bug: my $name = "perltidy.TMP"; if ( $^O =~