
This queue is for tickets about the HTTP-DAV CPAN distribution.

Report information
The Basics
Id: 69439
Status: resolved
Worked: 1.5 hours (90 min)
Priority: 0/
Queue: HTTP-DAV

People
Owner: cosimo [...] cpan.org
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

Subject: Insecure /tmp file handling
The dave client uses predictable filenames in a world writable directory in command_edit(). This should be fairly simple to exploit with a symlink. Additionally, the default umask is used which will make the file world readable while it resides on the local system.
Fixed in HTTP::DAV 0.45, soon on CPAN. Still, you have another insecure dependency on $EDITOR or 'vi'... :)
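As an added example (not code from HTTP::DAV or from either ticket participant), this is how the temporary file for an editor round-trip can be created in Perl so that both problems named in the report are covered: File::Temp opens with O_CREAT|O_EXCL, so a symlink planted at a guessed name makes the open fail instead of being followed, and the file gets mode 0600 regardless of the process umask. The resource name, body and the `edit_resource_body` wrapper are constructed for this example; the $EDITOR handling is an assumption, not what the module does.

```perl
#!/usr/bin/perl
# Added example, not HTTP::DAV code: safe temp file for an interactive edit.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Returns the edited body, or dies if the temp file cannot be trusted.
sub edit_resource_body {
    my ($name, $body) = @_;

    # Unpredictable name, created exclusively with 0600 in the temp dir;
    # UNLINK removes it at exit so it does not linger world-readable.
    my ($fh, $path) = tempfile(
        "dave-edit-XXXXXXXX", SUFFIX => ".tmp", TMPDIR => 1, UNLINK => 1,
    );

    # Belt-and-braces: confirm we got a regular file, owned by us,
    # with no group/other permission bits before writing secrets into it.
    my @st = lstat($path) or die "lstat $path: $!";
    die "$path is not a regular file\n"  unless S_ISREG($st[2]);
    die "$path not owned by uid $>\n"    unless $st[4] == $>;
    die "$path has lax mode\n"           if $st[2] & 077;

    print {$fh} $body or die "write $path: $!";
    close $fh or die "close $path: $!";

    # Assumption: honour $EDITOR (fall back to vi), but pass the path as a
    # separate argv element so the file name never reaches a shell.
    my @editor = split ' ', ($ENV{EDITOR} // 'vi');
    system(@editor, $path) == 0
        or die "editor '@editor' failed for $name: $?\n";

    open my $in, '<', $path or die "reopen $path: $!";
    local $/;
    my $edited = <$in>;
    close $in;
    return $edited;
}

# Constructed sample resource; in the client this would come from the server.
my $new = edit_resource_body("/dav/notes.txt", "draft line 1\n");
print "edited body is ", length($new), " bytes\n";
```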