Joined: 25 Feb 2003
Location: Essen, Germany
|Posted: Tue Dec 07, 2004 7:09 am Post subject: [ GLSA 200412-04 ] Perl: Insecure temporary file creation
|Gentoo Linux Security Advisory
Title: Perl: Insecure temporary file creation (GLSA 200412-04)
Date: December 07, 2004
Perl is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files.
Perl is a stable, cross-platform programming language created by
Vulnerable: < 5.8.5-r2
Vulnerable: = 5.8.6
Unaffected: >= 5.8.5-r2 < 5.8.6
Unaffected: >= 5.8.6-r1
Architectures: All supported architectures
Some Perl modules create temporary files in world-writable
directories with predictable names.
A local attacker could create symbolic links in the temporary
files directory, pointing to a valid file somewhere on the filesystem.
When a Perl script is executed, this would result in the file being
overwritten with the rights of the user running the utility, which
could be the root user.
There is no known workaround at this time.
All Perl users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-5.8.5-r2"
Trustix Advisory #2004-0050
Last edited by GLSA on Fri Apr 09, 2010 4:18 am; edited 3 times in total