From the upstream bug at $URL:

Description:

As user "attacker":

    ln -s /tmp /tmp/exploit

As user "victim":

    perl -MFile::Temp -e 'File::Temp->safe_level(File::Temp::HIGH); print File::Temp::tempdir("/tmp/exploit/meXXXX") . "\n";'

The temporary directory path that is returned includes the symlink owned by the "attacker" user.

Solution: https://rt.cpan.org/Ticket/Attachment/949904/493927/symlink-safety.patch
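
The condition in the report above can be checked by a caller before a directory is used as the parent of a File::Temp template. The Perl below is an added illustration, not part of the bug report and not the upstream symlink-safety.patch; the helper name untrusted_symlink_in, the trusted-uid set and the scratch layout are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd ();
use File::Spec;
use File::Temp ();

# Hypothetical helper (not part of File::Temp): walk $path one component at a
# time and return the first component that is a symlink whose owner uid is not
# a key of %$trusted. Returns undef if no such component is found.
sub untrusted_symlink_in {
    my ($path, $trusted) = @_;
    my (undef, $dirs, $file) = File::Spec->splitpath(File::Spec->rel2abs($path));
    my $cur = File::Spec->rootdir;
    for my $part (grep { length } File::Spec->splitdir($dirs), $file) {
        $cur = File::Spec->catfile($cur, $part);
        my @st = lstat $cur;      # lstat does not follow the final component
        last unless @st;          # component does not exist yet (the XXXX part)
        return $cur if (-l _) && !$trusted->{ $st[4] };   # $st[4] is the owner uid
    }
    return;
}

# Constructed scenario mirroring the report: a symlink named "exploit" is used
# as the parent directory of a tempdir template.
my $scratch = Cwd::realpath(File::Temp::tempdir(CLEANUP => 1));
my $link    = File::Spec->catdir($scratch, 'exploit');
symlink($scratch, $link) or die "symlink: $!";
my $template = File::Spec->catfile($link, 'meXXXX');

# The link is owned by the current user, so trusting root and ourselves
# accepts the path.
my $me  = $>;
my $hit = untrusted_symlink_in($template, { 0 => 1, $me => 1 });
print 'owner trusted:     ', (defined $hit ? "refuse ($hit)" : 'ok'), "\n";

# An empty trusted set stands in for "the link belongs to another user".
$hit = untrusted_symlink_in($template, {});
print 'owner not trusted: ', (defined $hit ? "refuse ($hit)" : 'ok'), "\n";
```

This is a point-in-time check: in a directory that other users can write to, a component can still be replaced between the check and the later tempdir call.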
Stalled upstream. @maintainers: please apply the patch.
This is fixed in

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
virtual/perl-File-Temp-0.230.400-r2
perl-core/File-Temp-0.230.400-r1

Note that we have to keep carrying the patches.
Arches please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2

Target: all stable arches

[The only change in the dev-lang/perl ebuild is the addition of a PDEPEND to ensure that the perl-core package is installed.]
amd64 stable
x86 stable
All three stable on alpha.
Stable for HPPA.
ppc stable
ppc64 stable
ia64 stable
sparc stable
all are stable now
Old versions removed. Perl out.
(In reply to SpanKY from comment #12)
> all are stable now

(In reply to Andreas K. Hüttel from comment #13)
> Old versions removed. Perl out.

Old version restored since arm stabilization was missing.

arm please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2
arm stable, all arches done.
GLSA vote: no.
GLSA vote: no, too. Closing noglsa.