Bug#756566: libxml-dt-perl: Insecure use of temporary files

Steve Kemp steve at steve.org.uk
Wed Jul 30 22:31:43 UTC 2014


Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security


The libxml-dt-perl package installs the script "/usr/bin/mkxmltype"
which blindly overwrites the contents of the file:

	/tmp/_xml_$$

(Where '$$' corresponds to the PID of the process.)

This is insecure and can allow the truncation of arbitrary files
the user has permission to access.

A similar problem exists in /usr/bin/mkdtskel, again the file
accessed is /tmp/_xml_$$.

Both scripts should be updated to use File::Temp, or similar.


Steve
--  
http://steve.org.uk/

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash



More information about the pkg-perl-maintainers mailing list