| Summary: | <dev-perl/Config-IniFiles-2.710.0 : Insecure Temporary File Security Issue (CVE-2012-2451) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | perl |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/48990/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2012-05-03 14:56:04 UTC
@maintainer, ok to stabilize it?

Yes

Thanks. Arches, please test and mark stable: =dev-perl/Config-IniFiles-2.710.0 Target KEYWORDS : "alpha amd64 ia64 ppc sparc x86"

Builds fine on x86. Rdeps build fine as well. Please mark stable for x86.

amd64 stable

x86 stable, thanks Myckel!

Stable on alpha.

ia64/sparc keywords dropped

ppc done

Thanks, everyone. GLSA vote: yes.

Vote yes too. New GLSA request filed.

CVE-2012-2451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2451): The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details are obtained from third party information. NOTE: it has been reported that this might only be exploitable by writing in the same directory as the .ini file. If this is the case, then this issue might not cross privilege boundaries.

This issue was resolved and addressed in GLSA 201208-05 at http://security.gentoo.org/glsa/glsa-201208-05.xml by GLSA coordinator Sean Amoss (ackle).
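
The class of weakness named in the CVE entry above, as an added example that is not part of this bug report and is not the Config::IniFiles code: a writer that stages its output under a predictable name beside one that uses File::Temp. The `-new` suffix, the file names and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Weak pattern: fixed, guessable scratch name opened with plain ">".
# open() follows a symlink already sitting at that path and truncates its target.
sub write_predictable {
    my ($path, $data) = @_;
    my $tmp = "$path-new";    # hypothetical predictable name (assumption)
    open(my $fh, '>', $tmp) or die "open $tmp: $!";
    print {$fh} $data;
    close($fh) or die "close $tmp: $!";
    rename($tmp, $path) or die "rename $tmp: $!";
}

# Hardened pattern: File::Temp picks a random name and creates it with
# O_CREAT|O_EXCL, so an existing file or symlink is never followed.
# Creating it beside the target keeps rename() on one filesystem (atomic).
sub write_safely {
    my ($path, $data) = @_;
    my ($fh, $tmp) = tempfile('.ini-XXXXXXXX', DIR => dirname($path));
    print {$fh} $data;
    close($fh) or die "close $tmp: $!";
    rename($tmp, $path) or do { unlink $tmp; die "rename $tmp: $!" };
}

sub slurp {
    my ($p) = @_;
    open(my $fh, '<', $p) or die "open $p: $!";
    local $/;
    return scalar <$fh>;
}

# Constructed demo inside a private scratch directory.
my $dir = tempdir(CLEANUP => 1);
my ($ini, $other) = ("$dir/app.ini", "$dir/other.txt");
for my $case ([predictable => \&write_predictable], [safe => \&write_safely]) {
    my ($name, $writer) = @$case;
    unlink $ini, "$ini-new";
    open(my $o, '>', $other) or die "open $other: $!";
    print {$o} "unrelated data\n";
    close($o) or die "close $other: $!";
    symlink($other, "$ini-new") or die "symlink: $!";    # link present before the write
    $writer->($ini, "[section]\nkey=value\n");
    my $state = slurp($other) eq "unrelated data\n" ? 'intact' : 'overwritten';
    print "$name writer: other.txt $state\n";
}
```

File::Temp creates the file with mode 0600, so a caller that needs the original file's permissions has to reapply them before the rename.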