[Neworleans-pm] [Full-Disclosure] [ GLSA 200501-38 ] Perl: rmtree and DBI tmpfile vulnerabilities
Brett D. Estrade
estrabd at yahoo.com
Thu Jan 27 05:51:39 PST 2005
http://lists.netsys.com/pipermail/full-disclosure/2005-January/031237.html
Synopsis
========
The Perl DBI library and File::Path::rmtree function are vulnerable to
symlink attacks.
Background
==========
Perl is a cross-platform programming language. The DBI is the standard
database interface module for Perl.
Affected packages
=================
    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  dev-perl/dbi        <= 1.38                           *>= 1.37-r1
                                                            >= 1.38-r1
  2  dev-lang/perl       <= 5.8.6-r1                        >= 5.8.6-r2
                                                           *>= 5.8.5-r3
                                                           *>= 5.8.4-r2
                                                           *>= 5.8.2-r2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
Description
===========
Javier Fernandez-Sanguino Pena discovered that the DBI library creates
temporary files in an insecure, predictable way (CAN-2005-0077). Paul
Szabo found out that "File::Path::rmtree" also handles temporary files
insecurely (CAN-2004-0452).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.brettsbsd.net/~estrabd
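
Added example, not part of the original message and not code from DBI or File::Path: a Perl illustration of the symlink problem with predictable temporary file names that the Description refers to, next to two safe ways of creating the file. The helper `create_exclusive`, the file names and the sandbox directory are hypothetical and constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);
use File::Spec;

# Create $path only if nothing (regular file or symlink) exists there yet.
# With O_CREAT|O_EXCL, open(2) fails with EEXIST instead of following a link.
sub create_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return (undef, "$!");
    return ($fh, undef);
}

# Constructed sandbox standing in for a shared, world-writable directory.
my $dir       = tempdir(CLEANUP => 1);
my $protected = File::Spec->catfile($dir, 'important.conf');
my $predicted = File::Spec->catfile($dir, "app$$.pid");   # guessable name

open(my $p, '>', $protected) or die "setup: $!";
print {$p} "original contents\n";
close($p);

# Constructed precondition: a link already sits at the guessable name.
symlink($protected, $predicted) or die "symlink: $!";

# Unsafe pattern (not executed here): open(my $fh, '>', $predicted)
# follows the link and truncates $protected.

# Safe form 1: exclusive create refuses the pre-existing link.
my ($fh, $err) = create_exclusive($predicted);
print defined $fh ? "created $predicted\n" : "refused $predicted: $err\n";

# Safe form 2: File::Temp picks an unpredictable name and opens it
# exclusively with restrictive permissions.
my ($tfh, $tname) = tempfile('appXXXXXXXX', DIR => $dir, UNLINK => 1);
print {$tfh} "$$\n";
close($tfh);
print "wrote pid to $tname\n";

# The protected file is untouched in both safe cases.
open(my $chk, '<', $protected) or die "read: $!";
my $content = do { local $/; <$chk> };
close($chk);
print "protected file intact: ", ($content eq "original contents\n" ? "yes" : "no"), "\n";
```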