Bug#756566: libxml-dt-perl: Insecure use of temporary files
Steve Kemp
steve at steve.org.uk
Wed Jul 30 22:31:43 UTC 2014
Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security
The libxml-dt-perl package installs the script "/usr/bin/mkxmltype"
which blindly overwrites the contents of the file:
/tmp/_xml_$$
(Where '$$' corresponds to the PID of the process.)
This is insecure and can allow the truncation of arbitrary files
the user has permission to access.
A similar problem exists in /usr/bin/mkdtskel, again the file
accessed is /tmp/_xml_$$.
Both scripts should be updated to use File::Temp, or similar.
Steve
--
http://steve.org.uk/
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
More information about the pkg-perl-maintainers
mailing list