RETIRED: Perl PAR and PAR-Packer Modules Insecure Temporary File Creation Vulnerability
BID:50889
Info
| Bugtraq ID: | 50889 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 02 2011 12:00AM |
| Updated: | Dec 21 2011 06:39PM |
| Credit: | John Lightsey |
| Vulnerable: | Audrey Tang PAR-Packer Module 1.010; Audrey Tang PAR Module 1.002 |
| Not Vulnerable: | Audrey Tang PAR-Packer Module 1.011; Audrey Tang PAR Module 1.003 |
Discussion
Perl PAR and PAR-Packer modules are prone to a vulnerability because they create temporary files in an insecure manner.
Successfully mounting a symlink attack may allow the attacker to gain elevated privileges, corrupt sensitive files, or gain access to sensitive information. Other attacks may also be possible.
The following versions are affected:
- Versions prior to Perl PAR-Packer 1.003
- Versions prior to Perl PAR 1.011
This BID is being retired as a duplicate of BID 50540 (CPAN PAR::Packer Module Insecure Temporary Directory Creation Vulnerability).
Exploit / POC
An attacker can use readily available commands to exploit this issue.
Solution / Fix
Solution:
The vendor released an update. Please see the references for details.
References
References:
- [Changes for 1.003 - Nov 28, 2011] (Audrey Tang)
- Bug #69560 for PAR-Packer: PAR packed files are extracted to unsafe and predicta (Audrey Tang)