
This queue is for tickets about the XML-DT CPAN distribution.

Report information
The Basics
Id: 97655
Status: resolved
Priority: 0/
Queue: XML-DT

People
Owner: Nobody in particular
Requestors: dam [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From: dam [...] cpan.org
Subject: [PATCH] Insecure use of temporary files
We have the following bug reported to the Debian package of XML-DT (https://bugs.debian.org/756566):

------8<-----------8<-----------8<-----------8<-----------8<-----
Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security

The libxml-dt-perl package installs the script "/usr/bin/mkxmltype" which blindly overwrites the contents of the file:

/tmp/_xml_$$

(Where '$$' corresponds to the PID of the process.)

This is insecure and can allow the truncation of arbitrary files the user has permission to access.

A similar problem exists in /usr/bin/mkdtskel, again the file accessed is /tmp/_xml_$$.

Both scripts should be updated to use File::Temp, or similar.

Steve
--
http://steve.org.uk/

-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
------8<-----------8<-----------8<-----------8<-----------8<-----

The Debian package of XML-DT has the following patch applied to fix the bug. The patch is tracked in our Git repository at http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libxml-dt-perl.git;a=blob;f=debian/patches/insecure-tmp.patch;hb=HEAD

Thanks for considering,
Damyan Ivanov, Debian Perl Group
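The insecure pattern the Debian report describes and the File::Temp replacement it recommends, side by side, as an added Perl example. This is not the XML-DT scripts' own code nor the Debian patch (which is not inlined on this page); the "before" function is a reconstruction of the behaviour the report describes, and the template name `_xml_XXXXXXXX` is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;
use File::Temp qw(tempfile);

# Before: the pattern the report describes (reconstructed, not the real script code).
# "/tmp/_xml_<pid>" is predictable, and '>' opens with O_TRUNC and operates on
# whatever already exists at that path, so the script has no control over what
# it ends up truncating.
sub write_scratch_insecure {
    my ($content) = @_;
    my $path = "/tmp/_xml_$$";
    open(my $fh, '>', $path) or die "cannot open $path: $!";
    print {$fh} $content;
    close($fh) or die "cannot close $path: $!";
    return $path;
}

# After: File::Temp picks an unpredictable name, creates it with O_CREAT|O_EXCL
# (a pre-existing file or symlink at that name makes the call fail instead of
# being truncated), sets mode 0600, and UNLINK => 1 removes it at program exit.
# TMPDIR => 1 places the file under File::Spec->tmpdir, which honours $TMPDIR.
sub write_scratch_secure {
    my ($content) = @_;
    my ($fh, $path) = tempfile('_xml_XXXXXXXX', TMPDIR => 1, UNLINK => 1);
    print {$fh} $content;
    $fh->flush;    # keep using this handle; do not reopen the file by its path
    return ($fh, $path);
}

# Self-check: the temp file is owner-only and holds what we wrote.
my ($fh, $path) = write_scratch_secure("<doc/>\n");
my $mode = (stat $fh)[2] & 07777;
seek($fh, 0, 0) or die "seek: $!";
my $back = do { local $/; <$fh> };
printf "%s mode=%04o content_ok=%s\n", $path, $mode,
    ($back eq "<doc/>\n" ? 'yes' : 'no');
```

The check for a 0600 mode is the quick way to confirm a script has moved off a hand-built `/tmp` path: the old pattern inherits the process umask, whereas `tempfile` always creates the file owner-only.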
Here's the patch.


On Thu Jul 31 15:03:30 2014, DAM wrote:
> Here's the patch.
Thanks. Will apply and release later today.

Cheers
ambs

Hi,

I have requested a CVE on the oss-security mailing list: http://www.openwall.com/lists/oss-security/2014/07/31/3

Regards,
Salvatore

Hello.

Applied and uploaded to CPAN. Already available in some mirrors: https://metacpan.org/release/AMBS/XML-DT-0.64

Thank you, once again.
Alberto