It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files: ./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam(); This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module. This issue has been reported upstream [2], but has not yet been fixed. [1] http://seclists.org/oss-sec/2014/q1/267 [2] https://github.com/dagolden/Capture-Tiny/issues/16
Created perl-Capture-Tiny tracking bugs for this issue: Affects: fedora-all [bug 1062426]
This issue was assigned CVE-2014-1875: http://seclists.org/oss-sec/2014/q1/272
Reproducer: $ strace -fq -e open -- perl -MCapture::Tiny -e 'Capture::Tiny::tee_stdout { print qq{foo\n} }' 2>&1 | grep 'O_CREAT' | grep -v O_EXCL [pid 8578] open("/tmp/uAM1hQ9lbl", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3 There shouldn't be any open(, O_CREAT) without O_EXCL. Fixed with upstream commit <https://github.com/dagolden/Capture-Tiny/commit/635c9eabd52ab8042b0c841823bd6e692de87924> and released in 0.24 <http://cpansearch.perl.org/src/DAGOLDEN/Capture-Tiny-0.24/Changes>. This fix creates new files with O_EXCL flag.
perl-Capture-Tiny-0.24-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-Capture-Tiny-0.24-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.