479370 – (CVE-2013-4184) <dev-perl/Data-UUID-1.227.0: Symlink attacks (CVE-2013-4184)

Bug 479370 (CVE-2013-4184) - <dev-perl/Data-UUID-1.227.0: Symlink attacks (CVE-2013-4184)

Summary: <dev-perl/Data-UUID-1.227.0: Symlink attacks (CVE-2013-4184)

Status:	RESOLVED FIXED

Alias:	CVE-2013-4184

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	933919
Blocks:
	Show dependency tree

Reported:	2013-08-01 08:53 UTC by Agostino Sarubbo
Modified:	2025-03-23 08:27 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/rjbs/Data-UUID/issues/5
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-08-01 08:53:43 UTC

From ${URL} :

The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
 This is a widely used Perl module for generating UUIDs.

Details are in the bug report on github:
https://github.com/rjbs/Data-UUID/issues/5

I believe all released versions are affected - I have confirmed the
issue against 1.219.

Regarding affected distributions, note that Debian and Fedora do not
ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
Arch and Gentoo seem to ship the CPAN version.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.

Comment 1 Andreas K. Hüttel archtester

2014-10-27 21:32:04 UTC

"Regarding affected distributions, note that Debian and Fedora do not
ship Data::UUID from CPAN - they use OSSP's uuid.  However, at least
Arch and Gentoo seem to ship the CPAN version."

I doubt that Data::UUID and ossp-uuid[perl] are interchangeable. 

Masking is also not an option yet since there is a chain of dependencies.

No patch has materialized.

Comment 2 Andreas K. Hüttel archtester

2017-01-20 22:13:25 UTC

No news from upstream.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-04-09 00:23:18 UTC

This is protected against by fs.protected_symlinks which is on by default in gentoo-sources that is security supported.

Comment 4 Sam James archtester

2024-04-30 01:38:14 UTC

A fix has appeared...

Comment 5 Larry the Git Cow gentoo-dev

2024-04-30 01:39:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=749667b8738e67580fae7c09f2c0e05410f4c3e1

commit 749667b8738e67580fae7c09f2c0e05410f4c3e1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-30 01:38:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-30 01:38:35 +0000

    dev-perl/Data-UUID: add 1.227.0
    
    Bug: https://bugs.gentoo.org/479370
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-perl/Data-UUID/Data-UUID-1.227.0.ebuild | 27 +++++++++++++++++++++++++++
 dev-perl/Data-UUID/Manifest                 |  1 +
 2 files changed, 28 insertions(+)

Comment 6 John Helmert III archtester

2025-03-23 08:27:20 UTC

commit 3b872833768a6a2a6665fcff31ded4060c7f59d0
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sat Dec 21 08:32:19 2024 -0500

    dev-perl/Data-UUID: Drop old versions

    Signed-off-by: Matt Turner <mattst88@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-perl/Data-UUID/Data-UUID-1.226.0.ebuild | 31 -------------------------------
 dev-perl/Data-UUID/Manifest                 |  1 -
 2 files changed, 32 deletions(-)