Description
Hi
On the Debian BTS Jakub Wilk reported an issue of Capture::Tiny insecurely using /tmp. The original report is at [1].
On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
$ strace -f -o '| grep -E open.*/tmp' perl test.pl
11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3The first temporary file is created securely, but the second open(2)
call lacks the O_EXCL flag. The vulnerable code appears to be:flag file is used to signal the child is ready
$stash->{flag_files}{$which} = scalar tmpnam();
The File::temp::tmpnam documentation reads: “When called in scalar
context, returns the full name (including path) of a temporary file
(uses mktemp()). The only check is that the file does not already
exist, but there is no guarantee that that condition will continue
to apply.”
[1] http://bugs.debian.org/737835
Regards,
Salvatore