Hi Don (dropping oss-security, as Debian specific discussion should not go to the list there, keeping Murray):

On Fri, Mar 07, 2014 at 06:39:40PM -0800, Don Armstrong wrote:
> On Tue, 04 Mar 2014, Murray McAllister wrote:
> > Jakub Wilk and Don Armstrong are discussing in
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy
> > creating a temporary file with default permissions instead of 0600
> > 2) the use of tmpnam().
>
> The following trivial patch fixes this issue by just using File::Temp
> instead:
>
> http://git.donarmstrong.com/?p=perltidy.git;a=blob;f=debian/patches/fix_insecure_tmpnam_usage_740670
>
> I'm currently preparing an upload which will resolve this issue for
> Debian in unstable and testing; I'm not certain if it necessitates a CVE
> or security update in stable, but if anyone feels that way, I don't mind
> preparing one.

I have marked this issue 'no-dsa' in the security-tracker. It does not need to be released through security. If you have some other changes for perltidy for oldstable and stable going through a proposed-update this though would be great to have included too.

Regards,
Salvatore