OWL disclosed a number of fixes for temporary file vulnerabilities in Perl. Patch attached. Affects: RHEL3 Affects: RHEL2.1
Created attachment 105443 [details] OWL patch for Perl tempfile issues (needs backporting)
This bug is fixed with perl-5.8.0-90.2 .
Hi Jason, You may wish to look at bug 175467 for an issue with Solar Designer's OWL patch with regards to the file name used in perl5db.pl. It may not have been cor- rected in the RHEL 3 package if the (unreleased?) perl-5.8.0-90.2 package is using an unmodified backported attachment 105443 [details]. As a matter of fact, there are now a couple issues that have been corrected Solar Designer's OWL tempfile patch. The version of that patch in attachment 105443 [details] is likely revision 1.3 and it's now up to revision 1.5. Changelog since then: * Revision 1.4 - Corrected the removal of "$SAFEDIR/a.out" in c2ph.PL (fix from Fedora Legacy pointed out by Pekka Savola). * Revision 1.5 - Corrected the perl5db.pl patch to obtain the TTY name from ~/.perldbtty$$ rather than from a file under /var/run to allow ordinary users to utilize that method of notifying Term::Rendezvous of a TTY (patch from David Eisenstein of Fedora Legacy project). The newer Revision 1.5 of Solar Designer's OWL tempfile patch, which brings the affected code more nearly in line with upstream perl-5.8.7, is here: http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/perl/perl-5.8.3-owl-tmp.diff?rev=1.5;content-type=text%2Fplain;f=s Hope this helps. -David
(In reply to comment #7) > issues with Solar Designer's OWL patch Thanks for pointing this out . These issues are now corrected in perl-5.8.0-90.4 .
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-881.html