Message-ID: <4EB3FAD5.6000806@nixnuts.net>
Date: Fri, 04 Nov 2011 09:46:45 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: unsafe use of /tmp in multiple CPAN modules

These were reported to the upstream authors a while back. None of these
bugs are fixed in the currently available versions:

PAR::Packer - PAR packed files are extracted to unsafe and predictable
temporary directories
https://rt.cpan.org/Public/Bug/Display.html?id=69560

Parallel::ForkManager - Insecure /tmp file handling
https://rt.cpan.org/Public/Bug/Display.html?id=68298

File::Temp - _is_safe() allows unsafe traversal of symlinks
https://rt.cpan.org/Public/Bug/Display.html?id=69106

Batch::BatchRun - Unsafe /tmp file usage
https://rt.cpan.org/Public/Bug/Display.html?id=69594