[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages

This system has remained substantially vanilla since the original install - 18.04 if I remember correctly - with only LTS upgrades and I have certainly made no local changes to the packaging tools. $ which apt-extracttemplates /usr/bin/apt-extracttemplates $ debsums -s apt-utils $ That is to say

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages

$ readlink -f /var/cache/debconf/tmp.ci /var/cache/debconf/tmp.ci -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/2043711 Title: Open3.pm tries to run code in /tmp when pre

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages

Attributing the bug to debconf and setting status to New following advice while (mis)attributed to perl. ** Package changed: perl (Ubuntu) => debconf (Ubuntu) ** Changed in: debconf (Ubuntu) Status: Invalid => New -- You received this bug notification because you are a member of Ubuntu T

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Caught the error again, again while running in Software Updater, but I captured the output from the beginning. There were only four related packages being updated. Preconfiguring packages ... Can't exec "/tmp/cryptsetup-initramfs.config.UaZ02N": Permission denied at /usr/lib/x86_64-linux-gnu/perl

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

I will attempt to capture more details when I next observe the error so that the correct package can be identified for this report. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to perl in Ubuntu. https://bugs.launchpad.net/bug

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

You are of course quite right that the risk associated with a file created with a "random" six character case-insensitive alphanumeric suffix and run a moment later is far smaller than more obviously risky misuses of /tmp. Nevertheless the issue is not about evaluating the risk of an adversary crea

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

@vorlon, Thank you for your considered response. I concur that this is not a vulnerability in the Ubuntu perl package. While I do not disagree with any of the points you make, the fact remains that processes running as root created a file directly in /tmp not using a safe *mktemp* process and late