<?xml version="1.0" encoding="utf-8"?>
<glsa id="200412-04">
<title>Perl: Insecure temporary file creation</title>
Perl is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files.
<product type="ebuild">perl</product>
<announced>December 07, 2004</announced>
<revised>December 07, 2004: 01</revised>
<package name="dev-lang/perl" auto="yes" arch="*">
<unaffected range="rge">5.8.5-r2</unaffected>
<unaffected range="ge">5.8.6-r1</unaffected>
<vulnerable range="lt">5.8.5-r2</vulnerable>
<vulnerable range="eq">5.8.6</vulnerable>
Perl is a stable, cross-platform programming language created by
Larry Wall.
Some Perl modules create temporary files in world-writable
directories with predictable names.
<impact type="normal">
A local attacker could create symbolic links in the temporary
files directory, pointing to a valid file somewhere on the filesystem.
When a Perl script is executed, this would result in the file being
overwritten with the rights of the user running the utility, which
could be the root user.
There is no known workaround at this time.
All Perl users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=perl-5.8.5-r2&quot;</code>
<uri link="">CAN-2004-0976</uri>
<uri link="">Trustix Advisory #2004-0050</uri>
<metadata tag="submitter" timestamp="Sun, 5 Dec 2004 01:07:23 +0000">
<metadata tag="bugReady" timestamp="Mon, 6 Dec 2004 21:18:17 +0000">