Bug#671255: CVE-2012-2451: CWE-377 Insecure Temporary File

gregor herrmann gregoa at debian.org
Sun May 6 21:31:42 UTC 2012


On Sun, 06 May 2012 22:13:05 +0100, Adam D. Barratt wrote:

> > (No error handling when doing I/O? Bad. But oh well, using tempfile
> > makes it look better anyway.)
> Specifically, a loss of error handling.  The original version at least
> let the caller gracefully handle the failure, whereas the new version is
> technically an API change in that the function is defined as returning
> undef in the case of failure and no longer does if creating the
> temporary file fails; I'm not sure how well the (several) r-deps in the
> archive will handle that.

Hm, good catch.
(tempfile() indeed just croak()s on errors according to the
documentation).

Maybe it's better to give this a second look ...

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Paco de Lucia: Manteca Colora [Rumba]
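
The concern raised in this thread, shown as an added example (not code from the thread or from the package under discussion): File::Temp's tempfile() croaks on failure, so a function documented as returning undef on failure has to trap that exception to keep its contract. The function name, file names and template below are hypothetical.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use File::Basename qw(dirname);

# Hypothetical writer: returns 1 on success and undef on any failure,
# preserving the "undef on failure" contract callers may rely on.
sub write_file_safely {
    my ($target, $content) = @_;

    my ($fh, $tmpname);
    # tempfile() opens the file with O_EXCL and mode 0600, which addresses
    # the insecure temporary file, but it croaks on error. The eval turns
    # that exception back into a return value the caller can test.
    my $created = eval {
        ($fh, $tmpname) = tempfile(
            'cfgXXXXXXXX',                 # constructed template
            DIR    => dirname($target),    # same filesystem, so rename works
            UNLINK => 0,
        );
        1;
    };
    return unless $created;

    # Check every I/O step and clean up the temporary file on failure.
    unless ((print {$fh} $content) && close($fh)) {
        unlink $tmpname;
        return;
    }
    unless (rename $tmpname, $target) {
        unlink $tmpname;
        return;
    }
    return 1;
}

# Constructed demonstration: one writable directory, one missing directory.
my $dir = tempdir(CLEANUP => 1);
for my $path ("$dir/app.ini", "$dir/missing/app.ini") {
    my $result = write_file_safely($path, "[section]\nkey=value\n");
    printf "%s: %s\n", $path, defined $result ? 'written' : 'failed (undef returned)';
}
```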