GLSA
Bodhisattva
Joined: 25 Feb 2003
Posts: 3829
Location: Essen, Germany
|
 Posted: Tue Dec 07, 2004 7:09 am Post subject: [ GLSA 200412-04 ] Perl: Insecure temporary file creation |
 |
|
Gentoo Linux Security Advisory
Title: Perl: Insecure temporary file creation (GLSA 200412-04)
Severity: normal
Exploitable: local
Date: December 07, 2004
Bug(s): #66360
ID: 200412-04
Synopsis
Perl is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files.
Background
Perl is a stable, cross-platform programming language created by
Larry Wall.
Affected Packages
Package: dev-lang/perl
Vulnerable: < 5.8.5-r2
Vulnerable: = 5.8.6
Unaffected: >= 5.8.5-r2 < 5.8.6
Unaffected: >= 5.8.6-r1
Architectures: All supported architectures
Description
Some Perl modules create temporary files in world-writable
directories with predictable names.
Impact
A local attacker could create symbolic links in the temporary
files directory, pointing to a valid file somewhere on the filesystem.
When a Perl script is executed, this would result in the file being
overwritten with the rights of the user running the utility, which
could be the root user.
Workaround
There is no known workaround at this time.
Resolution
All Perl users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-5.8.5-r2" |
References
CAN-2004-0976
Trustix Advisory #2004-0050
Last edited by GLSA on Fri Apr 09, 2010 4:18 am; edited 3 times in total |
|
News & Announcements
