Package: perltidy
Version: 20120701-1
Tags: security

perltidy creates temporary files with default permissions, potentially
disclosing information that wouldn't be otherwise accessible to local
users. Temporary files should always be created with mode 0600.

The vulnerable code is:

sub make_temporary_filename {

    # [...]
    my $name = "perltidy.TMP";
    if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
        return $name;
    }
    eval "use POSIX qw(tmpnam)";
    if ($@) { return $name }
    use IO::File;

    # just make a couple of tries before giving up and using the default
    for ( 0 .. 3 ) {
        my $tmpname = tmpnam();
        my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
        if ($fh) {
            $fh->close();
            return ($tmpname);
            last;
        }
    }
    return ($name);
}

--
Jakub Wilk
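
Added example, not part of the original report and not perltidy's code: it compares the mode left by the reported IO::File pattern with the mode File::Temp gives. The helper names, the umask of 022 and the perltidy-demo scratch path are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not perltidy code: compares the permissions produced by the
# reported pattern with those produced by File::Temp.
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_EXCL);
use File::Temp qw(tempfile);
use File::Spec;
use IO::File;

# Return the permission bits of a path as an octal string such as "0644".
sub mode_of {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!";
    return sprintf( "%04o", $st[2] & 07777 );
}

# Reported pattern: numeric open flags and no permission argument, so
# IO::File passes 0666 to sysopen and the umask decides the final mode.
sub create_like_report {
    my ($path) = @_;
    my $fh = IO::File->new( $path, O_RDWR | O_CREAT | O_EXCL )
      or die "open $path: $!";
    $fh->close();
    return $path;
}

# Hardened pattern: File::Temp picks the name, opens it with O_EXCL and
# mode 0600, and returns the open handle so the caller never reopens by name.
sub create_private {
    my ( $fh, $path ) = tempfile( "perltidy.XXXXXXXX", TMPDIR => 1, UNLINK => 1 );
    return ( $fh, $path );
}

umask 022;    # common default umask, assumed for the demonstration

# Hypothetical scratch path for the demonstration only.
my $weak = File::Spec->catfile( File::Spec->tmpdir(), "perltidy-demo.$$" );
create_like_report($weak);
print "reported pattern: ", mode_of($weak), "\n";
unlink $weak;

my ( $fh, $private ) = create_private();
print "File::Temp:       ", mode_of($private), "\n";
close $fh;
```

Keeping the handle returned by tempfile, rather than closing it and handing back only the name as make_temporary_filename does, also avoids reopening the file by path later.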