Bug 145578

Summary: CAN-2005-0077 perl-DBI insecure temporary file usage
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: perl-DBI
Assignee: Warren Togami <wtogami>
Status: CLOSED ERRATA
Severity: low
Priority: medium
Version: 3
CC: jnovy, perl-devel, scop, security-response-team, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20050125
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-07 10:02:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Josh Bressers 2005-01-19 21:18:00 UTC
*** This bug has been split off bug 145577 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.19 16:14 -------

Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary file in an insecure manner.  This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the program.

This will be disclosed on Tuesday the 25th.

Attachment 109991 contains the proposed patch for this issue.
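As an added illustration (not part of the bug report and not DBI's own code), the temporary-file pattern the description refers to, in Perl: a fixed, predictable name in a world-writable directory opened with a truncating open, beside two hardened forms. The path, file names and function names are hypothetical, and the O_NOFOLLOW flag assumes Linux.

```perl
#!/usr/bin/perl
# Added illustration of insecure vs. safe temporary-file creation.
# None of this is DBI code; names and paths are constructed for the example.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile);

# Weak pattern: a fixed, predictable name in a shared directory, opened
# with '>' (O_CREAT|O_TRUNC). If another local user has already placed a
# symlink at that path, the open follows it and truncates whatever the
# link points at, with the privileges of the user running the program.
sub open_log_unsafely {
    my $path = "/tmp/myapp.log";             # constructed name, not DBI's
    open(my $fh, '>', $path) or die "open $path: $!";
    return $fh;
}

# Hardened form 1: let File::Temp choose an unpredictable name and create
# it atomically with O_EXCL, so a pre-existing file or symlink makes the
# creation fail instead of being followed.
sub open_log_safely {
    my ($fh, $path) = tempfile("myapp.XXXXXXXX", DIR => '/tmp', UNLINK => 0);
    return ($fh, $path);
}

# Hardened form 2: when the name must stay fixed, refuse to create over an
# existing entry (O_EXCL) and refuse to follow a symlink (O_NOFOLLOW), and
# give the file a private mode. Failure (EEXIST/ELOOP) is reported to the
# caller rather than silently reusing whatever is already there.
sub open_fixed_name_safely {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return undef;                     # something already occupies $path
    return $fh;
}

# Small demonstration of the safe forms.
my ($tfh, $tpath) = open_log_safely();
print $tfh "trace line\n";
close $tfh;
print "created unpredictable temp file $tpath\n";
unlink $tpath;

my $fixed = "/tmp/myapp.$$.log";             # constructed name for the demo
if (my $ffh = open_fixed_name_safely($fixed)) {
    close $ffh;
    print "created $fixed without following symlinks\n";
    unlink $fixed;
} else {
    print "refused to create $fixed: $!\n";  # a defender would log and stop here
}
```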

Comment 1 Josh Bressers 2005-01-19 21:18:56 UTC
This issue should also affect FC2.

Comment 2 Mark J. Cox 2005-01-25 19:45:38 UTC
removing embargo

Comment 3 Ville Skyttä 2005-04-02 07:40:22 UTC
Warren: FYI

Comment 4 Warren Togami 2005-04-03 00:45:18 UTC
Would you prefer we only patch FC2 and FC3, or upgrade version?

Comment 5 Josh Bressers 2005-04-03 00:57:14 UTC
It's your call Warren.  Whatever is easiest for you.

Comment 6 Warren Togami 2005-04-03 01:02:12 UTC
I'm asking Ville, he's the upstream perl expert. =)

Comment 7 Ville Skyttä 2005-04-03 11:41:10 UTC
http://search.cpan.org/dist/DBI/Changes

Upgrading would mean upgrading at least to 1.47, and the changelog between 1.40
and that is pretty long.  I haven't examined the nature of the changes in
detail, but I tend to think just applying the security fix would be safer for
FC[23].

Comment 8 Warren Togami 2005-04-03 11:43:08 UTC
OK will do.  Thanks for the analysis.

Comment 9 Fedora Update System 2005-09-06 05:35:59 UTC
From User-Agent: XML-RPC

perl-DBI-1.40-6.fc3 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.