https://bugzilla.redhat.com/show_bug.cgi?id=2480875
--- Comment #4 from Michal Josef Spacek <[email protected]> ---

There was an accidental change from 6.02 to 6.02:

6.02 2026-05-21 14:45:27Z
- WWW::RobotRules::AnyDBM_File::agent() no longer truncates the on-disk cache through an untie/tie(O_TRUNC) sequence. Stale-data reset now goes through the tied-hash CLEAR, eliminating a symlink-follow race that a local attacker with write access to the cache directory could exploit to overwrite arbitrary files writable by the crawler user.
- The on-disk cache file mode has been tightened from 0640 to 0600.
- t/rules-dbm.t has been hardened against symlink attacks on its tempfile during package builds.
- A new SECURITY CONSIDERATIONS POD section documents the residual caller-trust requirement: the constructor's tie still follows symlinks because AnyDBM_File cannot portably plumb O_NOFOLLOW, so the caller must store the cache file in a directory writable only by the user that runs the code.
- References: CWE-377, CWE-378, CWE-379.
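As an added illustration (not code from WWW::RobotRules, the Fedora package, or this bug report), the Perl script below shows the two points the changelog raises: the caller-side check that the residual caller-trust requirement implies (the cache directory must be a real directory owned by the running user and writable by nobody else), and the difference between resetting stale data by closing and reopening the DBM with O_TRUNC and resetting it through the tied hash's CLEAR. The function names cache_dir_is_private, reset_by_retie and reset_by_clear, and the sample cache entries, are assumptions made here; only core modules (Fcntl, File::Temp, AnyDBM_File) are used.

```perl
#!/usr/bin/perl
# Added illustration (not code from WWW::RobotRules or the bug report).
# Shows the caller-side check that the SECURITY CONSIDERATIONS section
# asks for, and contrasts an untie/tie(O_TRUNC) reset with a reset that
# goes through the tied hash's CLEAR. Function names are made up here.
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_TRUNC);
use File::Temp qw(tempdir);
use AnyDBM_File;

# Returns (1, 'ok') if $dir is a real directory, owned by the effective
# user, and not writable by group or others; otherwise (0, $reason).
# lstat (not stat) so a symlinked cache directory is rejected outright.
sub cache_dir_is_private {
    my ($dir) = @_;
    my @st = lstat $dir or return (0, "cannot lstat $dir: $!");
    return (0, "$dir is a symlink")            if -l _;
    return (0, "$dir is not a directory")      if !-d _;
    return (0, "$dir is not owned by uid $>")  if $st[4] != $>;
    return (0, "$dir is group- or world-writable")
        if $st[2] & 022;    # S_IWGRP | S_IWOTH
    return (1, 'ok');
}

# The pattern the changelog retires: the cache is closed and reopened
# with O_TRUNC. Between untie and tie, a local attacker who can write the
# cache directory may replace the file with a symlink, and O_TRUNC then
# follows it and truncates the target. Kept here only for contrast.
sub reset_by_retie {
    my ($cache, $file) = @_;
    untie %$cache;
    tie %$cache, 'AnyDBM_File', $file, O_RDWR | O_CREAT | O_TRUNC, 0640
        or die "tie $file: $!";
}

# The replacement: list-assign an empty list to the tied hash, which
# invokes the backend's CLEAR. The DBM stays open, so there is no
# close/reopen window in which a symlink swap could matter.
sub reset_by_clear {
    my ($cache) = @_;
    %$cache = ();
}

my $dir = tempdir(CLEANUP => 1);    # created mode 0700, owned by us
my ($ok, $why) = cache_dir_is_private($dir);
die "refusing to use cache dir $dir: $why\n" unless $ok;

# A shared directory must be rejected before any tie is attempted.
my $shared = "$dir/shared";
mkdir $shared or die "mkdir $shared: $!";
chmod 0777, $shared or die "chmod $shared: $!";   # umask may have stripped bits
my ($shared_ok, $shared_why) = cache_dir_is_private($shared);
print "shared dir accepted? ", ($shared_ok ? 'yes' : "no ($shared_why)"), "\n";

# Open the cache with the tightened 0600 mode and reset it via CLEAR.
my $file = "$dir/robots-cache";
tie my %cache, 'AnyDBM_File', $file, O_RDWR | O_CREAT, 0600
    or die "tie $file: $!";
$cache{'|ua'}             = 'OldCrawler/1.0';    # constructed stale entries
$cache{'www.example.com'} = '1|/private|/tmp';
my $before = scalar keys %cache;
reset_by_clear(\%cache);
my $after = scalar keys %cache;
print "entries before CLEAR: $before, after: $after\n";
untie %cache;
```

The directory check uses lstat and refuses symlinks, non-directories, foreign ownership and any group/other write bit, which is the property the POD section asks the caller to guarantee because the constructor's own tie cannot pass O_NOFOLLOW portably. Note that which files the tie actually creates depends on the DBM backend AnyDBM_File selects (SDBM_File, for example, writes a .pag/.dir pair), which is one more reason to check the directory rather than the bare file name.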
