Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 414485 (CVE-2012-2451) - <dev-perl/Config-IniFiles-2.710.0 : Insecure Temporary File Security Issue (CVE-2012-2451)
Summary: <dev-perl/Config-IniFiles-2.710.0 : Insecure Temporary File Security Issue (...
Alias: CVE-2012-2451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2012-05-03 14:56 UTC by Agostino Sarubbo
Modified: 2012-08-14 21:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-05-03 14:56:04 UTC
From secunia advisory at $URL:

A security issue has been reported in the Config::IniFiles module for Perl, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the application using a temporary file in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in versions prior to 2.71.

Update to version 2.71.
Comment 1 Agostino Sarubbo gentoo-dev 2012-05-03 14:56:26 UTC
@maintainer, ok to stabilize it?
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2012-05-03 15:41:21 UTC
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-03 16:08:24 UTC

Arches, please test and mark stable:
Target KEYWORDS : "alpha amd64 ia64 ppc sparc x86"
Comment 4 Myckel Habets 2012-05-04 22:41:01 UTC
Builds fine on x86. Rdeps build fine as well. Please mark stable for x86.
Comment 5 Agostino Sarubbo gentoo-dev 2012-05-06 12:18:50 UTC
amd64 stable
Comment 6 Andreas Schürch gentoo-dev 2012-05-06 18:02:32 UTC
x86 stable, thanks Myckel!
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-12 12:50:56 UTC
Stable on alpha.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-05-12 16:33:04 UTC
ia64/sparc keywords dropped
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-05-21 17:29:03 UTC
ppc done
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-22 20:18:54 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:55:59 UTC
Vote yes too. New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:20:29 UTC
CVE-2012-2451 (
  The Config::IniFiles module before 2.71 for Perl creates temporary files
  with predictable names, which allows local users to overwrite arbitrary
  files via a symlink attack.  NOTE: some of these details are obtained from
  third party information.  NOTE: it has been reported that this might only be
  exploitable by writing in the same directory as the .ini file. If this is
  the case, then this issue might not cross privilege boundaries.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 21:23:45 UTC
This issue was resolved and addressed in
 GLSA 201208-05 at
by GLSA coordinator Sean Amoss (ackle).