Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2012-2451

Published: 27 June 2012

The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details are obtained from third party information. NOTE: it has been reported that this might only be exploitable by writing in the same directory as the .ini file. If this is the case, then this issue might not cross privilege boundaries.

Notes

AuthorNote
jdstrand
file is created in the same directory as the original file and so
yama won't protect against it since this doesn't have to occur in a sticky
directory. Typically would not cross privilege boundaries, but is a useful
hardening measure in all cases.

Priority

Medium

Status

Package Release Status
libconfig-inifiles-perl
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (2.52-1ubuntu0.1)
natty
Released (2.58-1ubuntu0.1)
oneiric
Released (2.68-1ubuntu0.11.10.1)
precise
Released (2.68-1ubuntu0.12.04.1)
upstream
Released (2.75-1)
Patches:
upstream: https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59/raw/