An insecure /tmp file issue was reported for perl-Capture-Tiny:
http://openwall.com/lists/oss-security/2014/02/06/10

It was assigned CVE-2014-1875:
http://openwall.com/lists/oss-security/2014/02/07/1

The issue is fixed upstream in 0.24, as noted in the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737835

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Cauldron updated to latest version. MGA4 and MGA3 patched and submitted. David, I hope you take care of the rest :)
CC: (none) => mageia
Hardware: i586 => All
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Yes, thanks Sander!

Advisory:
========================

Updated perl-Capture-Tiny packages fix security vulnerability:

perl-Capture-Tiny before 0.24 used files in /tmp in an insecure manner
(CVE-2014-1875).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1875
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737835
========================

Updated packages in core/updates_testing:
========================
perl-Capture-Tiny-0.210.0-2.1.mga3
perl-Capture-Tiny-0.220.0-2.1.mga4

from SRPMS:
perl-Capture-Tiny-0.210.0-2.1.mga3.src.rpm
perl-Capture-Tiny-0.220.0-2.1.mga4.src.rpm
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Testing complete on Mageia 3 and Mageia 4 i586.

Testing procedure, save this script as tiny.pl:

######################
use Capture::Tiny ':all';

# Run ls with the script's own arguments and capture its output streams.
$cmd = "/usr/bin/ls";
@args = @ARGV;

# capture returns STDOUT, STDERR and the block's return value (here the raw status from system).
($stdout, $stderr, $exit) = capture {
    system($cmd, @args);
};

print "STDOUT\n";
print $stdout;
print "STDERR\n";
print $stderr;
print "EXIT: ";
print $exit . "\n";
#######################

Then you can use the script just like the ls command, and it will print out the standard output, error, and exit status all neatly sorted out. I ran it in a directory that had a file FC4.txt but no file called oof.

$ perl tiny.pl oof FC4.txt
STDOUT
FC4.txt
STDERR
/usr/bin/ls: cannot access oof: No such file or directory
EXIT: 512
$ perl tiny.pl FC4.txt
STDOUT
FC4.txt
STDERR
EXIT: 0
$
Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Testing complete on Mageia 4 x86_64.
CC: (none) => napcok
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK
Testing complete on Mageia 3 x86_64 following the procedure in comment 3. Validating update. Advisory has been uploaded, please push to 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0068.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/586337/