Skip to content

insecure use of /tmp #16

Closed
Closed
@carnil

Description

@carnil

Hi

On the Debian BTS Jakub Wilk reported an issue of Capture::Tiny insecurely using /tmp. The original report is at [1].

On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:

$ strace -f -o '| grep -E open.*/tmp' perl test.pl
11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3

The first temporary file is created securely, but the second open(2)
call lacks the O_EXCL flag. The vulnerable code appears to be:

flag file is used to signal the child is ready

$stash->{flag_files}{$which} = scalar tmpnam();

The File::temp::tmpnam documentation reads: “When called in scalar
context, returns the full name (including path) of a temporary file
(uses mktemp()). The only check is that the file does not already
exist, but there is no guarantee that that condition will continue
to apply.”

[1] http://bugs.debian.org/737835

Regards,
Salvatore

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions