Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Petr Pisar <ppisar@xxxxxxxxxx> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ppisar@xxxxxxxxxx --- Comment #2 from Petr Pisar <ppisar@xxxxxxxxxx> 2011-12-01 09:18:18 EST --- `PAR' (<http://search.cpan.org/~rschupp/PAR/>, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003: [Changes for 1.003 - Nov 28, 2011] - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories (Note: this bug was originally reported against PAR::Packer, but it applies to PAR as well) - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 - if it already exists, make sure that (and bail out if not) - it's not a symlink - it's mode 0700 - it's owned by USER Fixed perl-PAR version is available in F17 only at this moment. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
