In perl.git, the branch release-5.23.8 has been updated <http://perl5.git.perl.org/perl.git/commitdiff/13b5d42b3c5c7d1f33dbcfea962884a8a4dd5e2b?hp=cfe0690614780fe6d14e397e3a88294368498d24>
- Log ----------------------------------------------------------------- commit 13b5d42b3c5c7d1f33dbcfea962884a8a4dd5e2b Author: Sawyer X <[email protected]> Date: Sat Feb 20 00:20:38 2016 +0100 Document e57270be442bfaa9dc23eebd67485e5a806b44e3: I wasn't sure where or how much of it to document, but it seems like it's important, and this relating to permissions not being removed, I consider it security-related. This is similiar to what the original Debian ticket that relates to it mentioned. I've cut Niko's text a bit shorter, taken from the commit message itself. ----------------------------------------------------------------------- Summary of changes: pod/perldelta.pod | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 56db871..fbe9a23 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -36,11 +36,18 @@ platform. =head1 Security -XXX Any security-related notices go here. In particular, any security -vulnerabilities closed should be noted here rather than in the -L</Selected Bug Fixes> section. +=head2 Set proper umask before calling C<mkstemp(3)> -[ List each security issue as a =head2 entry ] +In 5.22 perl started setting umask to 0600 before calling C<mkstemp(3)> +and restoring it afterwards. This wrongfully tells open(2) to strip +the owner read and write bits from the given mode before applying it, +rather than the intended negation of leaving only those bits in place. + +Systems that use mode 0666 in C<mkstemp(3)> (like old versions of +glibc) createa a file with permissions 0066, leaving world read and +write permissions regardless of current umask. + +This has been fixed by using umask 0177 instead. [perl #127322] =head1 Incompatible Changes -- Perl5 Master Repository
