insecure use of /tmp

[carnil]

Hi

On the Debian BTS Jakub Wilk reported an issue of Capture::Tiny insecurely using /tmp. The original report is at [1].

On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:

$ strace -f -o '| grep -E open.*/tmp' perl test.pl 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3

The first temporary file is created securely, but the second open(2) call lacks the O_EXCL flag. The vulnerable code appears to be:

flag file is used to signal the child is ready

$stash->{flag_files}{$which} = scalar tmpnam();

The File::temp::tmpnam documentation reads: “When called in scalar context, returns the full name (including path) of a temporary file (uses mktemp()). The only check is that the file does not already exist, but there is no guarantee that that condition will continue to apply.”

[1] http://bugs.debian.org/737835

Regards, Salvatore

[dagolden]

Thanks. Fixed in 635c9eabd52ab8042b0c841823bd6e692de87924 and will be shipped to CPAN shortly.

[dagolden]

Shipped to CPAN as 0.24.