CVE-2011-4116

Published: 31 January 2020

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Priority

Low

CVSS 3 base score: 7.5

Status

Package: libfile-temp-perl (Launchpad, Ubuntu, Debian)

Release   Status
hardy     Ignored (reached end-of-life)
lucid     Ignored
maverick  Ignored (reached end-of-life)
natty     Ignored (reached end-of-life)
oneiric   Ignored
precise   Does not exist
quantal   Does not exist
upstream  Ignored

Package: perl (Launchpad, Ubuntu, Debian)

Release   Status
hardy     Ignored
lucid     Ignored
maverick  Ignored (reached end-of-life)
natty     Ignored (reached end-of-life)
oneiric   Ignored
precise   Ignored
quantal   Ignored
upstream  Ignored

Notes

Author: seth-arnold
Note:
No agreed-upon or released patch exists for _is_safe().
Solar Designer questions the _is_safe() MEDIUM and HIGH checks altogether;
attempted patches to check the safety of parent directories forbid /tmp
symlinks. It is probably impossible to make _is_safe() secure.
Ubuntu symlink and hardlink restrictions should prevent this entire class
of problems.

References

Bugs