Red Hat Bugzilla – Bug 136325
CVE-2004-0976 temporary file vulnerabilities in Perl
Last modified: 2007-11-30 17:07:04 EST
OWL disclosed a number of fixes for temporary file vulnerabilities in
Perl. Patch attached.
Created attachment 105443
OWL patch for Perl tempfile issues (needs backporting)
This bug is fixed with perl-5.8.0-90.2.
You may wish to look at bug 175467 for an issue with Solar Designer's OWL patch
with regards to the file name used in perl5db.pl. It may not have been
corrected in the RHEL 3 package if the (unreleased?) perl-5.8.0-90.2 package is
using an unmodified backported attachment 105443.
As a matter of fact, there are now a couple issues that have been corrected
in Solar Designer's OWL tempfile patch. The version of that patch in attachment
105443 is likely revision 1.3 and it's now up to revision 1.5.
Changelog:
* Revision 1.4 - Corrected the removal of "$SAFEDIR/a.out" in c2ph.PL (fix
from Fedora Legacy pointed out by Pekka Savola).
* Revision 1.5 - Corrected the perl5db.pl patch to obtain the TTY name from
~/.perldbtty$$ rather than from a file under /var/run to allow ordinary
users to utilize that method of notifying Term::Rendezvous of a TTY (patch
from David Eisenstein of Fedora Legacy project).
The newer Revision 1.5 of Solar Designer's OWL tempfile patch, which brings
the affected code more nearly in line with upstream perl-5.8.7, is here:
Hope this helps. -David
(In reply to comment #7)
> issues with Solar Designer's OWL patch
Thanks for pointing this out.
These issues are now corrected in perl-5.8.0-90.4.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.