On Fri, 07 Mar 2014, Don Armstrong wrote:
> On Tue, 04 Mar 2014, Murray McAllister wrote:
> > Jakub Wilk and Don Armstrong are discussing in
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> > creating a temporary file with default permissions instead of 0600
> > 2) the use of tmpnam().
> 
> The following trivial patch fixes this issue by just using File::Temp
> instead:
> 
> http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670
>  
> I'm currently preparing an upload which will resolve this issue for
> Debian in unstable and testing; I'm not certain if it necessitates a CVE
> or security update in stable, but if anyone feels that way, I don't mind
> preparing one.

I just wanted to draw your attention to this patch; it fixes the
insecure tmpnam and temporary file creation by using
File::Temp::tempfile. A CVE has been given,
https://security-tracker.debian.org/tracker/CVE-2014-2277


-- 
Don Armstrong                      http://www.donarmstrong.com

If I had a letter, sealed it in a locked vault and hid the vault
somewhere in New York. Then told you to read the letter, that's not
security, that's obscurity. If I made a letter, sealed it in a vault,
gave you the blueprints of the vault, the combinations of 1000 other
vaults, access to the best locksmiths in the world, then told you to
read the letter, and you still can't, that's security.
 -- Bruce Schneier
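As an added illustration (not code from perltidy, from the Debian patch linked above, or from either poster), the script below puts the pattern the bug report describes next to the File::Temp::tempfile replacement and checks the mode bits of the file each one produces. The helper names, the stand-in file name, and the use of the system temporary directory are assumptions of this example; the page itself only states that a tmpnam() name was opened with default permissions and that tempfile fixes it.

```perl
#!/usr/bin/perl
# Added example, not code from perltidy or from the Debian patch.
# Contrasts a name-then-open temporary file (the pattern behind the bug)
# with File::Temp::tempfile, and reports whether the resulting file is
# readable by anyone other than its owner. Assumes a POSIX system with
# a writable temporary directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Return 1 if no group/other permission bits are set on $path (i.e. 0600
# or stricter), 0 if the file is missing or is visible to others.
sub is_owner_only {
    my ($path) = @_;
    my @st = stat $path or return 0;
    return (($st[2] & (S_IRWXG | S_IRWXO)) == 0) ? 1 : 0;
}

# Insecure pattern. POSIX::tmpnam() (removed in Perl 5.26) returned only a
# name; the caller then had to open() it. That open honours the process
# umask, so with the usual 022 the file comes out 0644, world-readable,
# and the name already exists in a shared directory before it is opened.
# A predictable name in the temp dir stands in for the tmpnam() result.
sub insecure_tempfile {
    my $name = File::Spec->catfile(File::Spec->tmpdir, "example.$$");
    open(my $fh, '>', $name) or die "open $name: $!";
    return ($fh, $name);
}

# Hardened pattern: tempfile() creates the file itself with O_EXCL and
# mode 0600, independent of the umask, so there is no gap between
# choosing the name and creating the file. UNLINK => 1 removes it at exit.
sub secure_tempfile {
    my ($fh, $name) = tempfile('example.XXXXXX', TMPDIR => 1, UNLINK => 1);
    return ($fh, $name);
}

my ($bad_fh, $bad_name) = insecure_tempfile();
printf "%s owner-only: %d\n", $bad_name, is_owner_only($bad_name);
close $bad_fh;
unlink $bad_name;

my ($good_fh, $good_name) = secure_tempfile();
printf "%s owner-only: %d\n", $good_name, is_owner_only($good_name);
close $good_fh;
```

Run it as an ordinary user with the default umask and the first line reports 0 while the second reports 1; with a restrictive umask such as 077 both report 1, which is exactly why relying on the umask is not a fix: tempfile() gives the 0600 result regardless of the caller's environment.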

