From ${URL} :

It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::Temp::tmpnam module to generate temporary files:

./lib/Capture/Tiny.pm:    $stash->{flag_files}{$which} = scalar tmpnam();

This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.

This issue has been reported upstream [2], but has not yet been fixed.

[1] http://seclists.org/oss-sec/2014/q1/267
[2] https://github.com/dagolden/Capture-Tiny/issues/16

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
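The race described in the report above, seen from the fixing side. This is an added example, not code from Capture::Tiny or from the bug report; the helper create_exclusive, the file names and the scratch directory are constructed for illustration. It shows an exclusive create refusing a name that already exists as a symlink, and File::Temp's tempfile() in list context as the replacement for a name-only call such as scalar tmpnam().

```perl
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Create $path only if nothing (file or symlink) already exists there.
# O_EXCL makes the open fail with EEXIST instead of following a planted
# link; mode 0600 keeps other local users out of the file.
sub create_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDWR | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

my $dir = tempdir(CLEANUP => 1);    # private scratch dir for this demo

# Constructed scenario: the name we intend to use is already a symlink
# pointing at a file we care about.
my $target  = "$dir/important.txt";
my $guessed = "$dir/predictable-name";
open(my $t, '>', $target) or die "open $target: $!";
print {$t} "keep me\n";
close($t) or die "close: $!";
symlink($target, $guessed) or die "symlink: $!";

# A plain open($fh, '>', $guessed) here would follow the link and
# truncate $target. The exclusive open refuses instead.
my $fh = create_exclusive($guessed);
print defined $fh
    ? "UNSAFE: opened a pre-existing name\n"
    : "refused pre-existing name: $!\n";
print "target size still ", (-s $target), " bytes\n";

# Replacement for a name-only call: tempfile() in list context picks the
# name and opens it in one step, returning an already-open handle.
my ($tfh, $tname) = tempfile('flagXXXXXX', DIR => $dir);
printf "tempfile %s mode %04o\n", $tname, (stat($tfh))[2] & 07777;
close($tfh) or die "close: $!";
```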
Arches go ahead.
(In reply to Tim Harder from comment #1)
> Arches go ahead.

Please write a comment like this or similar:

Arch teams, please test and mark stable:
=dev-perl/Capture-Tiny-0.240.0
Targeted stable KEYWORDS : alpha amd64 hppa ia64 ppc ppc64 sparc x86

so that everyone instantly knows what it is you want.
Stable for HPPA.
alpha stable
ia64 stable
amd64 stable
x86 stable
sparc stable
ppc64 stable
ppc stable
Cleanup done. @Security, please vote. GLSA vote: no.
GLSA vote: no.

Closing as noglsa.