Bug 78634 - dev-perl/DBI CAN-2005-0077 Insecure temporary files
Summary: dev-perl/DBI CAN-2005-0077 Insecure temporary files
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
Depends on: 75696
Reported: 2005-01-19 00:56 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-01-26 12:42 UTC

See Also:
Package list:
Runtime testing required: ---

Attachments:
CAN-2005-0077.patch (CAN-2005-0077.patch, 1.26 KB, patch), 2005-01-24 07:53 UTC, Thierry Carrez (RETIRED)
as requested, 37-r1 (DBI-1.37-r1.ebuild, 627 bytes, text/plain), 2005-01-24 16:00 UTC, Michael Cummings (RETIRED)
38-r1 (DBI-1.38-r1.ebuild, 642 bytes, text/plain), 2005-01-24 16:01 UTC, Michael Cummings (RETIRED)

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 00:56:08 UTC
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary file in an insecure manner.  This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the program.
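The bug class described above, as an added Perl example that is not DBI's own code: a predictable temporary path opened for writing, beside the File::Temp and O_EXCL forms a Perl program should use instead. The path /tmp/example.log and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not DBI's code): insecure temporary-file creation next to
# two hardened alternatives. All names here are hypothetical.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Insecure: a predictable name in a world-writable directory, opened with '>'.
# '>' follows symlinks and truncates whatever the path already points to, so a
# file or symlink planted there beforehand by another local user is silently
# overwritten with the privileges of whoever runs this program.
sub insecure_tempfile {
    my $path = "/tmp/example.log";    # hypothetical, predictable path
    open my $fh, '>', $path or die "open $path: $!";
    return ( $fh, $path );
}

# Hardened: File::Temp picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-existing file or symlink makes the open fail rather
# than being followed. UNLINK => 1 removes the file when the program exits.
sub secure_tempfile {
    my ( $fh, $path ) = tempfile( "exampleXXXXXX", TMPDIR => 1, UNLINK => 1 );
    return ( $fh, $path );
}

# When the name must be fixed (a PID or log file), still create it exclusively:
# O_EXCL fails with EEXIST if anything, symlink included, is already at $path.
sub open_exclusive {
    my ($path) = @_;
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
        or return undef;    # caller decides whether the leftover is stale or planted
    return $fh;
}

my ( $fh, $path ) = secure_tempfile();
print $fh "safe to write here\n";
close $fh or die "close $path: $!";
print "wrote $path\n";
```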
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 00:57:13 UTC
No upstream patch yet. Will attach Debian workaround patch later if needed.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 07:53:37 UTC
Created attachment 49377

Patch from Martin Schulze @ debian
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-01-24 13:07:06 UTC
Patch looks to apply cleanly on all versions in dev-perl. Just give me the word and we can roll this out.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-24 13:19:57 UTC
Michael, please attach the updated ebuild to this bug and we will call needed arch testers individually.
Comment 6 Michael Cummings (RETIRED) gentoo-dev 2005-01-24 16:00:41 UTC
Created attachment 49432
as requested, 37-r1
Comment 7 Michael Cummings (RETIRED) gentoo-dev 2005-01-24 16:01:07 UTC
Created attachment 49433
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2005-01-24 16:01:57 UTC
Two revisions posted (based on KEYWORDing). 1.46 went into the tree as a new copy from upstream a few minutes ago (the two attached are in no way in portage atm).
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-25 10:04:09 UTC
This is public now. Michael, please commit the updated ebuild.
Comment 10 Michael Cummings (RETIRED) gentoo-dev 2005-01-25 10:38:35 UTC
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-26 00:41:26 UTC
GLSA should probably be grouped with bug 75696 (both Perl, both tmpfile vulns).
Michael, could you please bump on dev-perl/perl side too?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-26 12:42:32 UTC
GLSA 200501-38