Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=751886

--- Comment #2 from Jason Tibbitts <tibbs@xxxxxxxxxxx> 2011-11-08 19:09:43 EST ---

Guess I should comment here instead of in one of the tracking bugs.

Bottom line is that this has been open upstream since May:
https://rt.cpan.org/Public/Bug/Display.html?id=68298

As far as I can tell, upstream is completely unresponsive; there have been no comments to pretty much any of the bugs open on all of his packages on CPAN.

So far my searching hasn't turned up any patches from any other distro, but it's always possible that I'm missing something. I'm not really up on the current state of cross-distro security collaboration, so if anyone has any guidance, I'd be happy to hear it.

Packages requiring this one:
netdisco
perl-FusionInventory-Agent-Task-NetDiscovery
perl-FusionInventory-Agent-Task-SNMPQuery

Honestly at this point I'd really like to just drop it from the distro, but that may not be an option.

What remains is to fix it, but that doesn't appear trivial. The module uses files in /tmp for communication between the master process and its children. The children write out a file with a predictable name and the master knows where to look for data when a child exits. You can't randomize the name because the predictability is important to how things work. The master could pass a random name, in the environment or something, but that still gives an attacker plenty of time to get in there and predict the filename that will be used, create it, and do various

The master could pass an open file handle or something, but that changes the API.

I wonder if it would be sufficient to create a random mode 700 directory in /tmp and just use that. Honestly I'm no security expert and I certainly don't want to attempt a fix that doesn't actually help. I've tried that before and found that the experts generally get rather derisive when you say you've fixed something but they can still find a problem with it.

--
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
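The "random mode 700 directory" idea from the comment above, as an added illustration that is not the module's code or anything from the bug: the master creates the private directory with File::Temp (which mkdir()s it with mode 0700), verifies ownership and permissions before use, hands the path to the children via an assumed `WORKDIR` environment variable, and the children keep their predictable per-PID file names but only inside that directory; the names `snmpwork-`, `child-<pid>.out` and `WORKDIR` are placeholders chosen for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use POSIX qw(_exit);

# Private scratch directory: File::Temp creates it with mode 0700 and a random
# suffix, so an unprivileged local user cannot pre-create the child files.
my $dir = tempdir("snmpwork-XXXXXXXX", TMPDIR => 1, CLEANUP => 1);

# Defensive check before trusting the directory: it must exist, be a real
# directory (not a symlink), belong to us and carry no group/other bits.
sub check_private_dir {
    my ($d) = @_;
    my @st = lstat $d or return 0;
    return 0 unless -d _;              # lstat buffer: reject symlinks
    return 0 unless $st[4] == $<;      # owned by our real uid
    return 0 if $st[2] & 0077;         # nothing for group/other
    return 1;
}
check_private_dir($dir) or die "refusing to use $dir\n";

$ENV{WORKDIR} = $dir;   # assumed env variable; the module's real API differs

my @kids;
for my $i (1 .. 3) {
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the name is still predictable (its PID), which is fine here
        # because the enclosing directory is private. O_EXCL additionally
        # refuses to reuse a file that somehow already exists.
        my $out = File::Spec->catfile($ENV{WORKDIR}, "child-$$.out");
        sysopen(my $fh, $out, O_WRONLY | O_CREAT | O_EXCL, 0600)
            or die "$out: $!";
        print $fh "result from worker $i\n";
        close $fh;
        _exit(0);   # skip END blocks so the child does not remove $dir
    }
    push @kids, $pid;
}

# Master: on each child's exit, read the file at the known location.
for my $pid (@kids) {
    waitpid($pid, 0);
    my $in = File::Spec->catfile($dir, "child-$pid.out");
    open(my $fh, '<', $in) or die "$in: $!";
    print "master got from $pid: ", <$fh>;
    close $fh;
}
```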