504178 – (CVE-2014-2277) <dev-perl/perltidy-20130922.0.0 : insecure temporary file creation (CVE-2014-2277)

Bug 504178 (CVE-2014-2277) - <dev-perl/perltidy-20130922.0.0 : insecure temporary file creation (CVE-2014-2277)

Summary: <dev-perl/perltidy-20130922.0.0 : insecure temporary file creation (CVE-2014-...

Status:	RESOLVED FIXED

Alias:	CVE-2014-2277

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-03-11 08:22 UTC by Agostino Sarubbo
Modified:	2014-03-13 07:00 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-03-11 08:22:18 UTC

From ${URL} :

Jakub Wilk discovered that perltidy's make_temporary_filename() function insecurely created temporary 
files via the use of the tmpnam() function. A local attacker could use this flaw to perform a symbolic 
link attack.

Fix from Don Armstrong: 
http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Vladimir Smirnov (RETIRED) gentoo-dev

2014-03-11 18:53:56 UTC

I've bumped package. Patch for this CVE is included for 20130922 version.

Adding x86, amd64 and ppc herds for stable req.

Comment 2 Mikle Kolyada (RETIRED) archtester

2014-03-12 16:57:48 UTC

amd64/ppc/x86 stable, cleanup done.

@security, please vote.

GLSA vote: no.

Comment 3 Sergey Popov gentoo-dev

2014-03-13 07:00:42 UTC

GLSA vote: no

Closing as noglsa