*** This bug has been split off bug 145577 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.19 16:14 -------

Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the program. This will be disclosed on Tuesday the 25th.

attachment 109991 [details] contains the proposed patch for this issue.
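The class of bug described in the comment above, shown as an added example: this is constructed illustration code, not DBI's code or the attached patch. It contrasts the insecure pattern (a predictable name in a world-writable directory, opened without O_EXCL, so a pre-placed symlink is silently followed) with two safe forms: File::Temp for a throwaway file, and sysopen with O_EXCL when the name has to be fixed. Function names, the "/tmp/example-" path and the data written are all hypothetical.

```perl
#!/usr/bin/perl
# Constructed example (not DBI's code): insecure temp-file creation and two
# safe alternatives. Assumed names: write_state_insecure, write_state_secure,
# write_fixed_name_secure, and the "/tmp/example-" prefix.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# INSECURE: the name is guessable (prefix + PID) and '>' opens with O_CREAT
# but without O_EXCL, so open() follows an existing symlink at that path.
# A local user who pre-creates /tmp/example-<pid> -> ~victim/.bashrc makes
# the victim's write land in their own file.
sub write_state_insecure {
    my ($data) = @_;
    my $path = "/tmp/example-$$";
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh $data;
    close $fh;
    return $path;
}

# SAFE (anonymous scratch file): File::Temp picks an unpredictable name,
# creates it with O_CREAT|O_EXCL and mode 0600, and retries on collision,
# so a pre-existing path is never followed. UNLINK => 1 removes it at exit.
sub write_state_secure {
    my ($data) = @_;
    my ($fh, $path) = tempfile("example-XXXXXXXX", TMPDIR => 1, UNLINK => 1);
    print $fh $data;
    close $fh;
    return $path;
}

# SAFE (fixed name required, e.g. a PID file other tools look for): refuse
# to proceed if anything already exists at the path. O_EXCL makes the open
# fail on a symlink or a stale file instead of writing through it. Prefer a
# directory owned by the service (not /tmp) so no other user can plant a
# link there in the first place.
sub write_fixed_name_secure {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to write $path (already exists?): $!";
    print $fh $data;
    close $fh;
    return $path;
}

# Demonstration of the safe variants.
my $scratch = write_state_secure("pid $$\n");
print "scratch file: $scratch\n";

my $pidfile = "/tmp/example-fixed-$$.pid";   # hypothetical path
write_fixed_name_secure($pidfile, "$$\n");
print "pid file: $pidfile\n";
unlink $pidfile;
```

The detection angle for a reviewer auditing similar code: grep for `open` with `'>'` or `'>>'` on paths built from `$$`, a user name or a constant under `/tmp`, and for `sysopen` calls that pass `O_CREAT` without `O_EXCL`; each hit is either a candidate for File::Temp or for an O_EXCL open in a service-owned directory.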
This issue should also affect FC2.
removing embargo
Warren: FYI
Would you prefer we only patch FC2 and FC3, or upgrade version?
It's your call Warren. Whatever is easiest for you.
I'm asking Ville, he's the upstream perl expert. =)
http://search.cpan.org/dist/DBI/Changes Upgrading would mean upgrading at least to 1.47, and the changelog between 1.40 and that is pretty long. I haven't examined the nature of the changes in detail, but I tend to think just applying the security fix would be safer for FC[23].
OK will do. Thanks for the analysis.
perl-DBI-1.40-6.fc3 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.