|Summary:||CAN-2005-0077 perl-DBI insecure temporary file usage|
|Product:||[Fedora] Fedora||Reporter:||Josh Bressers <bressers>|
|Component:||perl-DBI||Assignee:||Warren Togami <wtogami>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||3||CC:||jnovy, perl-devel, scop, security-response-team, wtogami|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2005-09-07 10:02:15 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Josh Bressers 2005-01-19 21:18:00 UTC
*** This bug has been split off bug 145577 *** ------- Original comment by Josh Bressers (Security Response Team) on 2005.01.19 16:14 ------- Javier FernÃ¡ndez-Sanguino PeÃ±a from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a tmporary file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the program. This will be disclosed on Tuesday the 25th. attachment 109991 [details] contains the proposed patch for this issue.
Comment 1 Josh Bressers 2005-01-19 21:18:56 UTC
This issue should also affect FC2.
Comment 2 Mark J. Cox 2005-01-25 19:45:38 UTC
Comment 3 Ville Skyttä 2005-04-02 07:40:22 UTC
Comment 4 Warren Togami 2005-04-03 00:45:18 UTC
Would you prefer we only patch FC2 and FC3, or upgrade version?
Comment 5 Josh Bressers 2005-04-03 00:57:14 UTC
It's your call Warren. Whatever is easiest for you.
Comment 6 Warren Togami 2005-04-03 01:02:12 UTC
I'm asking Ville, he's the upstream perl expert. =)
Comment 7 Ville Skyttä 2005-04-03 11:41:10 UTC
http://search.cpan.org/dist/DBI/Changes Upgrading would mean upgrading at least to 1.47, and the changelog between 1.40 and that is pretty long. I haven't examined the nature of the changes in detail, but I tend to think just applying the security fix would be safer for FC.
Comment 8 Warren Togami 2005-04-03 11:43:08 UTC
OK will do. Thanks for the analysis.
Comment 9 Fedora Update System 2005-09-06 05:35:59 UTC
From User-Agent: XML-RPC perl-DBI-1.40-6.fc3 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.