Skip Menu |

This queue is for tickets about the Clipboard CPAN distribution.

Report information
The Basics
Id: 98435
Status: resolved
Priority: 0/
Queue: Clipboard
People
Owner: ether [...] cpan.org
Requestors: carnil [...] debian.org
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Aug 29 12:30:40 2014 carnil [...] debian.org - Ticket created
Subject: clipedit: Insecurely uses temporary files
Date: Fri, 29 Aug 2014 18:30:24 +0200
To: bug-Clipboard [...] rt.cpan.org
From: Salvatore Bonaccorso <carnil [...] debian.org>
Hi While reviewing Clipboard for beeing packaged for Debian I noticed that script/clipedit uses temporary files insecurely by using the pid of the process in the temporary file name. [...] 7 my $tmpfilename = "/tmp/clipedit$$"; 8 open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!"; 9 print $tmpfile $orig; 10 close $tmpfile; [...] 13 system($ed, $tmpfilename); 14 15 open $tmpfile, $tmpfilename or die "Failure to open $tmpfilename: $!"; 16 my $edited = join '', <$tmpfile>; [...] 49 unlink($tmpfilename) or die "Couldn't remove $tmpfilename: $!"; Please use File::Temp to create the temporary file securely. See also [1] for more details. [1] http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/ Regards, Salvatore
  Fri Aug 29 13:06:44 2014 ether [...] cpan.org - Severity Important added
  Fri Aug 29 23:26:54 2014 CARNIL [...] cpan.org - Correspondence added
Hi, FTR, CVE-2014-5509 was assigned for this issue[1]; Could you reference it in the Changes when fixing this issue? [1] http://www.openwall.com/lists/oss-security/2014/08/30/2 Regards, Salvatore
  Fri Aug 29 23:26:54 2014 The RT System itself - Status changed from 'new' to 'open'
  Sun Jun 14 19:35:54 2015 ether [...] cpan.org - Correspondence added
Hi, this module is used by App-Nopaste, which is in the Task::Kensho mega-distribution. Is it possible that this bug will be addressed soon? I am also willing to take on comaintenance of the module and fix/release it myself - my PAUSE id is ETHER.
  Sun Aug 14 09:42:13 2016 gregoa [...] cpan.org - Correspondence added
Here's a patch which uses FIle::Temp instead. Cheers, gregor
Subject: insecure-tempfile.patch
Description: Fix insecure use of temporary files. This is CVE-2014-5509. Origin: vendor Bug: https://rt.cpan.org/Public/Bug/Display.html?id=98435 Author: gregor herrmann <gregoa@debian.org> Last-Update: 2016-08-13 --- a/scripts/clipedit +++ b/scripts/clipedit @@ -1,10 +1,11 @@ #!/usr/bin/perl use strict; use Clipboard; +use File::Temp qw( tempfile ); my $orig = Clipboard->paste; -my $tmpfilename = "/tmp/clipedit$$"; +my ($tmpfile, $tmpfilename) = tempfile(); open my $tmpfile, ">$tmpfilename" or die "Failure to open $tmpfilename: $!"; print $tmpfile $orig; close $tmpfile;
  Mon Aug 15 16:47:19 2016 ether [...] cpan.org - Taken
  Wed Apr 17 16:13:48 2019 SHLOMIF [...] cpan.org - Correspondence added
On Sun Aug 14 09:42:13 2016, GREGOA wrote: Show quoted text
> Here's a patch which uses FIle::Temp instead. > > Cheers, > gregor
Patch applied, thanks!
  Wed Apr 17 16:13:48 2019 SHLOMIF [...] cpan.org - Status changed from 'open' to 'resolved'