
This queue is for tickets about the Module-Packaged CPAN distribution.

Report information
The Basics
Id: 11614
Status: resolved
Priority: 0/
Queue: Module-Packaged

People
Owner: Nobody in particular
Requestors: bdonlan [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 0.74
  • 0.79
Fixed in: (no value)



Subject: Insecure temp files handling in Module::Packaged
Module::Packaged creates predictable temp files of the form /tmp/mod_pac/(name)-(pid). A local attacker could create a symlink from such a file to a file which he cannot write to, and then entice someone with access to the target file to use Module::Packaged, thus overwriting the target file. To solve this, Module::Packaged must use a temporary directory with an unpredictable name, and an access mode set to disallow access by others.
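One way to apply the fix the report asks for, as an added example that is not code from the ticket or from the Module-Packaged distribution. The helper names make_private_dir and write_cache_file, the 'mod_pac-' template prefix and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir);

# Pattern described in the report: a fixed directory plus "(name)-(pid)".
# Both parts are guessable, so the path can be pre-created by another user.
# The helpers below are hypothetical and are not Module::Packaged's API.

# Create a scratch directory with a random name. File::Temp creates it with
# mode 0700; the checks confirm ownership and mode before it is used.
sub make_private_dir {
    my $dir = tempdir('mod_pac-XXXXXXXXXX', TMPDIR => 1, CLEANUP => 1);
    my @st = lstat($dir) or die "lstat $dir: $!";
    die "$dir is not a directory\n" unless -d _;
    die "$dir is not owned by the current user\n" unless $st[4] == $>;
    die "$dir is accessible by group or others\n" if $st[2] & 0077;
    return $dir;
}

# Write one file inside the private directory. O_CREAT|O_EXCL makes the open
# fail if the path already exists, including when it is a symlink, so an
# existing link is never followed and no existing file is overwritten.
sub write_cache_file {
    my ($dir, $name, $data) = @_;
    die "unsafe file name: $name\n"
        unless $name =~ /\A[A-Za-z0-9_.-]+\z/ && $name !~ /\A\.\.?\z/;
    my $path = File::Spec->catfile($dir, $name);
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create $path: $!";
    print {$fh} $data or die "write to $path failed: $!";
    close($fh) or die "close of $path failed: $!";
    return $path;
}

my $dir  = make_private_dir();
my $path = write_cache_file($dir, 'debian', "constructed sample data\n");
printf "wrote %s (directory mode %04o)\n", $path, (stat $dir)[2] & 07777;

# A second create of the same name must be refused rather than overwrite.
my $ok = eval { write_cache_file($dir, 'debian', "again\n"); 1 };
print $ok ? "unexpected: existing file was reused\n"
          : "second create refused as expected\n";
```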