From ${URL} :

It was reported [1],[2] that the clipedit program as shipped with perl-Clipboard uses temporary files insecurely (based on the PID of the running program). Using symlink attacks, an attacker could cause the deletion of arbitrary files that the user running clipedit has write access to.

[...]
my $tmpfilename = "/tmp/clipedit$$";
open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";
print $tmpfile $orig;
close $tmpfile;
[...]
system($ed, $tmpfilename);

open $tmpfile, $tmpfilename or die "Failure to open $tmpfilename: $!";
my $edited = join '', <$tmpfile>;
[...]
unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";

[1] http://seclists.org/oss-sec/2014/q3/467
[2] https://rt.cpan.org/Public/Bug/Display.html?id=98435

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
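The quoted clipedit lines show the classic predictable-name temp file: "/tmp/clipedit$$" is guessable from the PID, the two-argument open with ">" follows anything already sitting at that path, and the file is then handed to the editor and read back by name. The script below is an added example written for this bug, not code from clipedit, perl-Clipboard or the Debian patch: it puts the reported pattern beside a File::Temp replacement and runs both against a pre-planted symlink inside a scratch directory. Assumptions, so the demo stays out of the real /tmp: the temp directory and the editor command list are parameters (clipedit hard-codes /tmp and takes a single $ed), and the "editor" is a no-op perl invocation; slurp, edit_predictable, edit_safely and run_trap are names introduced here.

```perl
#!/usr/bin/perl
# Added example for this bug; not code from clipedit, perl-Clipboard or the
# Debian patch. Everything below runs inside a scratch directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile tempdir);

sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Same shape as the reported clipedit code. The directory is a parameter
# here (assumption, so the demo stays out of the real /tmp) where clipedit
# hard-codes /tmp; the editor is a command list (assumption) where clipedit
# takes a single $ed. The name is predictable from the PID and the two-arg
# open('>') follows whatever already sits at that name.
sub edit_predictable {
    my ($dir, $orig, $ed) = @_;
    my $tmpfilename = File::Spec->catfile($dir, "clipedit$$");
    open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!";
    print $tmpfile $orig;
    close $tmpfile;
    system(@$ed, $tmpfilename);
    my $edited = slurp($tmpfilename);
    unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";
    return $edited;
}

# Hardened version: File::Temp::tempfile creates the file itself with
# O_CREAT|O_EXCL and mode 0600 under a random name, so there is no
# guessable path to pre-plant, and a colliding entry makes the create
# fail instead of being followed.
sub edit_safely {
    my ($dir, $orig, $ed) = @_;
    my ($fh, $tmpfilename) = tempfile('clipeditXXXXXXXX', DIR => $dir);
    print {$fh} $orig or die "write $tmpfilename: $!";
    close $fh or die "close $tmpfilename: $!";
    system(@$ed, $tmpfilename) == 0 or die "editor failed: $?";
    # Editors often save by writing a new file and renaming it over the old
    # one, so re-open by name instead of reading back through $fh.
    my $edited = slurp($tmpfilename);
    unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!";
    return $edited;
}

# Run one variant against a planted symlink and report what the victim
# file holds afterwards. The "attacker" only needs to guess the PID.
sub run_trap {
    my ($edit) = @_;
    my $scratch = tempdir(CLEANUP => 1);
    my $victim  = File::Spec->catfile($scratch, 'victim.txt');
    open my $out, '>', $victim or die "open $victim: $!";
    print {$out} "important data\n";
    close $out;
    symlink($victim, File::Spec->catfile($scratch, "clipedit$$"))
        or die "symlink: $!";
    my $noop_editor = [$^X, '-e', '1'];   # leaves the buffer untouched
    $edit->($scratch, "clipboard text\n", $noop_editor);
    return slurp($victim);
}

print "predictable name: victim holds ", run_trap(\&edit_predictable);
print "File::Temp:       victim holds ", run_trap(\&edit_safely);
```

With the predictable name, the open follows the planted symlink and the victim file ends up containing the clipboard text; the later unlink only removes the link. With File::Temp the planted link is never touched and the victim keeps its contents. On a real multi-user system the same trap works in /tmp because it is world-writable and PIDs are cheap to enumerate or predict, which is why the fix is to let the library create the file rather than to pick a cleverer name.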
https://metacpan.org/release/Clipboard

Latest version is still Clipboard-0.13 since ... October 2010. I don't think there's ever going to be another release.

@perl: Should we lastrite this package instead?
(In reply to Patrice Clement from comment #1)
> https://metacpan.org/release/Clipboard
>
> Latest version is still Clipboard-0.13 since ... October 2010. I don't think
> there's ever going to be another release.
>
> @perl: Should we lastrite this package instead?

Probably should at this point...

(In reply to Patrice Clement from comment #1)
> https://metacpan.org/release/Clipboard
>
> Latest version is still Clipboard-0.13 since ... October 2010. I don't think
> there's ever going to be another release.
>
> @perl: Should we lastrite this package instead?

* These packages depend on dev-perl/Clipboard:
    app-admin/kpcli-3.0 (X ? dev-perl/Clipboard)
    dev-perl/App-Nopaste-1.4.0-r1 (clipboard ? dev-perl/Clipboard)
    media-video/clive-2.3.0.1 (clipboard ? >=dev-perl/Clipboard-0.09)
@ Maintainer(s): Please consider applying https://anonscm.debian.org/cgit/pkg-perl/packages/libclipboard-perl.git/tree/debian/patches/insecure-tempfile.patch
commit 6ea7c366c608b4ea144a8a31cdaf2553b08bf5ef (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sat Nov 19 12:32:52 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sat Nov 19 12:33:53 2016 +0100

    dev-perl/Clipboard: fix insecure temporary file usage.

    This is a community patch taken from https://anonscm.debian.org/cgit/pkg-perl/packages/libclipboard-perl.git/tree/debian/patches/insecure-tempfile.patch.
    Courtesy of Gregor Herrmann <gregoa@debian.org>.

    Gentoo-Bug: https://bugs.gentoo.org/521890
    Package-Manager: portage-2.3.0

 dev-perl/Clipboard/Clipboard-0.130.0-r2.ebuild     | 22 +++++++++++++++++++++
 .../Clipboard-0.130.0-insecure-tempfile.patch      | 23 ++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 dev-perl/Clipboard/Clipboard-0.130.0-r2.ebuild
 create mode 100644 dev-perl/Clipboard/files/Clipboard-0.130.0-insecure-tempfile.patch
GLSA Vote: No