
Bug 145578

Summary: CAN-2005-0077 perl-DBI insecure temporary file usage
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: perl-DBI
Assignee: Warren Togami <wtogami>
Status: CLOSED ERRATA
Severity: low
Priority: medium
Version: 3
CC: jnovy, perl-devel, scop, security-response-team, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20050125
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-07 06:02:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Josh Bressers 2005-01-19 16:18:00 EST
*** This bug has been split off bug 145577 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.19 16:14 -------

Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary file in an insecure manner.  This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the program.

This will be disclosed on Tuesday the 25th.

attachment 109991 [details] contains the proposed patch for this issue.
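As an added illustration of the bug class the description refers to (this is not DBI's code and not the attached patch), the following Perl contrasts the insecure pattern, a fixed and predictable file name in a shared directory opened with a truncating write, with two safe alternatives. The file names and function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not part of the DBI distribution or of attachment 109991.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# INSECURE: a fixed, predictable path in a world-writable directory, opened
# with ">" which truncates and follows symlinks. Any local user who creates
# that name first (as a file or a symlink) decides where this write lands,
# with the privileges of whoever runs the program.
sub write_pid_insecure {
    my $path = "/tmp/myapp.pid";    # hypothetical name
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh "$$\n";
    close $fh;
    return $path;
}

# SAFE: File::Temp picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-existing file or symlink at that name makes the
# open fail instead of being followed. UNLINK => 1 removes it at exit.
sub write_pid_safe {
    my ($fh, $path) = tempfile("myapp.XXXXXXXX", DIR => "/tmp", UNLINK => 1);
    print $fh "$$\n";
    close $fh;
    return $path;
}

# SAFE with a fixed name (e.g. a well-known PID file): O_EXCL refuses to
# open if anything already exists at the path, symlink included, so the
# caller gets an error rather than an overwritten file.
sub write_fixed_name_safe {
    my $path = shift;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "refusing to open $path (already exists or is a symlink): $!";
    print $fh "$$\n";
    close $fh;
    return $path;
}

print "safe temp file: ", write_pid_safe(), "\n";
print "fixed name: ", write_fixed_name_safe("/tmp/myapp.$$.pid"), "\n";
```

The one-line defect is the `open(..., '>', ...)` on a guessable name; the fix is either an unpredictable name from File::Temp or an exclusive create so the program never writes through a name it did not create itself.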
Comment 1 Josh Bressers 2005-01-19 16:18:56 EST
This issue should also affect FC2.
Comment 2 Mark J. Cox 2005-01-25 14:45:38 EST
removing embargo
Comment 3 Ville Skyttä 2005-04-02 02:40:22 EST
Warren: FYI
Comment 4 Warren Togami 2005-04-02 19:45:18 EST
Would you prefer we only patch FC2 and FC3, or upgrade version?
Comment 5 Josh Bressers 2005-04-02 19:57:14 EST
It's your call Warren.  Whatever is easiest for you.
Comment 6 Warren Togami 2005-04-02 20:02:12 EST
I'm asking Ville, he's the upstream perl expert. =)
Comment 7 Ville Skyttä 2005-04-03 07:41:10 EDT
http://search.cpan.org/dist/DBI/Changes

Upgrading would mean upgrading at least to 1.47, and the changelog between 1.40
and that is pretty long.  I haven't examined the nature of the changes in
detail, but I tend to think just applying the security fix would be safer for
FC[23].
Comment 8 Warren Togami 2005-04-03 07:43:08 EDT
OK will do.  Thanks for the analysis.
Comment 9 Fedora Update System 2005-09-06 01:35:59 EDT
From User-Agent: XML-RPC

perl-DBI-1.40-6.fc3 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.