Bug 136325 - CVE-2004-0976 temporary file vulnerabilities in Perl
CVE-2004-0976 temporary file vulnerabilities in Perl
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: perl (Show other bugs)
3.0
All Linux
medium Severity low
: ---
: ---
Assigned To: Jason Vas Dias
David Lawrence
impact=low,public=20040930,reported=2...
: Security
Depends On:
Blocks: 168424
  Show dependency treegraph
 
Reported: 2004-10-19 07:08 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version: RHSA-2005-881
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-20 09:57:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
OWL patch for Perl tempfile issues (needs backporting) (29.92 KB, patch)
2004-10-19 07:08 EDT, Mark J. Cox (Product Security)
no flags Details | Diff

  None (edit)
Description Mark J. Cox (Product Security) 2004-10-19 07:08:10 EDT
OWL disclosed a number of fixes for temporary file vulnerabilities in
Perl.  Patch attached.

                Affects: RHEL3
                Affects: RHEL2.1
Comment 1 Mark J. Cox (Product Security) 2004-10-19 07:08:47 EDT
Created attachment 105443 [details]
OWL patch for Perl tempfile issues (needs backporting)
Comment 5 Jason Vas Dias 2005-11-08 22:41:21 EST
This bug is fixed with perl-5.8.0-90.2 .
Comment 7 David Eisenstein 2005-12-11 17:21:13 EST
Hi Jason,

You may wish to look at bug 175467 for an issue with Solar Designer's OWL patch
with regards to the file name used in perl5db.pl.  It may not have been cor-
rected in the RHEL 3 package if the (unreleased?) perl-5.8.0-90.2 package is
using an unmodified backported attachment 105443 [details].

As a matter of fact, there are now a couple issues that have been corrected 
Solar Designer's OWL tempfile patch.  The version of that patch in attachment
105443 [details] is likely revision 1.3 and it's now up to revision 1.5.  Changelog
since then:

  * Revision 1.4 - Corrected the removal of "$SAFEDIR/a.out" in c2ph.PL (fix
    from Fedora Legacy pointed out by Pekka Savola).

  * Revision 1.5 - Corrected the perl5db.pl patch to obtain the TTY name from
    ~/.perldbtty$$ rather than from a file under /var/run to allow ordinary
    users to utilize that method of notifying Term::Rendezvous of a TTY (patch
    from David Eisenstein of Fedora Legacy project).

The newer Revision 1.5 of Solar Designer's OWL tempfile patch, which brings
the affected code more nearly in line with upstream perl-5.8.7, is here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/perl/perl-5.8.3-owl-tmp.diff?rev=1.5;content-type=text%2Fplain;f=s

Hope this helps.  -David
Comment 8 Jason Vas Dias 2005-12-13 16:20:49 EST
(In reply to comment #7)
> issues with Solar Designer's OWL patch

Thanks for pointing this out .

These issues are now corrected in perl-5.8.0-90.4 .





Comment 10 Red Hat Bugzilla 2005-12-20 09:57:08 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html
Comment 11 Red Hat Bugzilla 2005-12-20 09:57:32 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html

Note You need to log in before you can comment on or make changes to this bug.