From ${URL} : The Perl module Data::UUID from CPAN is vulnerable to symlink attacks. This is a widely used Perl module for generating UUIDs. Details are in the bug report on GitHub: https://github.com/rjbs/Data-UUID/issues/5
I believe all released versions are affected - I have confirmed the issue against 1.219. Regarding affected distributions, note that Debian and Fedora do not ship Data::UUID from CPAN - they use OSSP's uuid. However, at least Arch and Gentoo seem to ship the CPAN version.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
"Regarding affected distributions, note that Debian and Fedora do not ship Data::UUID from CPAN - they use OSSP's uuid. However, at least Arch and Gentoo seem to ship the CPAN version." I doubt that Data::UUID and ossp-uuid[perl] are interchangeable. Masking is also not an option yet since there is a chain of dependencies. No patch has materialized.
No news from upstream.
This is protected against by fs.protected_symlinks, which is on by default in the security-supported gentoo-sources.
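fs.protected_symlinks is the kernel-side defence (it stops a process from following a symlink in a sticky world-writable directory such as /tmp when the link owner differs from the directory owner); the application-side counterpart is for the module itself to refuse to follow links when it touches its state file. The script below is an added example written for this bug, not code from Data::UUID, CPAN or the Gentoo tree: it shows the O_CREAT|O_EXCL plus O_NOFOLLOW pattern in Perl, plants a symlink in a private temporary directory to stand in for the attacker's link, and checks that nothing is written through it. The file name `.STATE`, the `victim` target and the `open_state_file` helper are all assumptions made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not code from Data::UUID, CPAN or the Gentoo tree):
# create or reopen a state file without ever following a symlink that
# another local user may have planted at that path.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use Errno qw(EEXIST EPERM);
use File::Temp qw(tempdir);
use File::Spec;

# Open $path for writing without following a symlink at $path.
# Returns a filehandle on success, or undef with $! set.
sub open_state_file {
    my ($path) = @_;
    my $fh;

    # First try to create the file exclusively. O_EXCL makes the kernel
    # fail with EEXIST if anything, including a dangling symlink, is
    # already at $path, so there is no check-then-create race.
    return $fh
        if sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return undef unless $! == EEXIST;

    # Something exists. Reopen it with O_NOFOLLOW: a symlink yields ELOOP
    # instead of silently writing through to its target.
    sysopen($fh, $path, O_WRONLY | O_NOFOLLOW) or return undef;

    # Accept only a regular file owned by the effective user; anything
    # else (FIFO, device, someone else's file) is refused.
    my @st = stat($fh);
    unless (@st && -f _ && $st[4] == $>) {
        close $fh;
        $! = EPERM;
        return undef;
    }
    return $fh;
}

# Demonstration in a private temporary directory (constructed scenario).
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'victim');   # assumed name
my $state  = File::Spec->catfile($dir, '.STATE');   # assumed name

# Plant a symlink where the state file would be written, the way a local
# user could in a world-writable directory.
symlink($victim, $state) or die "symlink: $!";

if (my $fh = open_state_file($state)) {
    print "unexpected: opened through the symlink\n";
    close $fh;
} else {
    # ELOOP on Linux; the planted target is never created.
    printf "refused planted symlink: %s\n", $!;
}
print -e $victim ? "victim file was created\n" : "victim untouched\n";

# A clean path is created exclusively and can be written normally.
unlink $state;
my $fh = open_state_file($state) or die "open_state_file: $!";
print {$fh} "node-id-state\n";
close $fh;
printf "state file written with mode %04o\n", (stat $state)[2] & 07777;
```

The two halves complement each other: `sysctl fs.protected_symlinks` tells you whether the kernel mitigation named above is active on a given host, while the O_EXCL/O_NOFOLLOW pattern protects the program on kernels or filesystems where it is not. Note that O_NOFOLLOW only applies to the final path component, so a state file kept under a directory the attacker controls still needs a private, non-shared directory.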
A fix has appeared...
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=749667b8738e67580fae7c09f2c0e05410f4c3e1

commit 749667b8738e67580fae7c09f2c0e05410f4c3e1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-30 01:38:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-30 01:38:35 +0000

    dev-perl/Data-UUID: add 1.227.0

    Bug: https://bugs.gentoo.org/479370
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-perl/Data-UUID/Data-UUID-1.227.0.ebuild | 27 +++++++++++++++++++++++++++
 dev-perl/Data-UUID/Manifest                 |  1 +
 2 files changed, 28 insertions(+)