Bug 65033 (CVE-2005-0077) - VUL-0: CVE-2005-0077: perl5: DBI uses temp files insecurely
Status: RESOLVED DUPLICATE of bug 65026
Alias: CVE-2005-0077
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: Security Team bot
Whiteboard: CVE-2005-0077: CVSS v2 Base Score: 2....
Reported: 2005-01-20 22:56 UTC by Thomas Biege
Modified: 2021-11-03 15:48 UTC

Attachments
perl.diff (1.26 KB, patch)
2005-01-20 22:56 UTC, Thomas Biege
Description Thomas Biege 2005-01-20 22:56:11 UTC
Hello, 
that is what we got from vendor-sec (not public): 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0077: Insecure temporary files in DBI 
Errors-To: vendor-sec-admin@lst.de 
Date: Wed, 19 Jan 2005 08:59:24 +0100 
 
Javier Fernández-Sanguino Peña from the Debian Security Audit Project 
discovered that the DBI library, the Perl5 database interface, creates 
a temporary file in an insecure manner.  This can be exploited by a 
malicious user to overwrite arbitrary files owned by the person 
executing the program. 
 
This will be disclosed on Tuesday the 25th. 
 
Patch attached that will remove the use of this pid file. 
 
No reply from upstream yet. :( 
 
Regards, 
 
        Joey 
 
-- 
Ten years and still binary compatible.  -- XFree86 
 
--- libdbi-perl-1.21.orig/lib/DBI/ProxyServer.pm 
+++ libdbi-perl-1.21/lib/DBI/ProxyServer.pm 
[...]
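The class of flaw described in the advisory above, shown as an added example that is not code from DBI or from the attached patch: a file written to a predictable name in a shared directory with a plain open, next to a creation that refuses any pre-existing entry. The function names, file names and the sandbox directory are hypothetical and constructed for the demonstration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);

# Weak form: a plain '>' open follows whatever already sits at $path.
sub write_pid_naive {
    my ($path) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} "$$\n";
    return close($fh) ? 1 : 0;
}

# Hardened form: O_EXCL fails if anything (file, link, dangling link) already
# exists at $path; O_NOFOLLOW is defence in depth. Mode 0600 keeps it private.
sub write_pid_safe {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return 0;
    print {$fh} "$$\n";
    return close($fh) ? 1 : 0;
}

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "read $path: $!";
    local $/;
    return scalar <$fh>;
}

# Constructed sandbox standing in for a world-writable directory.
my $dir     = tempdir(CLEANUP => 1);
my $victim  = "$dir/important.conf";   # file owned by the user running the program
my $pidfile = "$dir/app.pid";          # predictable name (hypothetical)

open(my $out, '>', $victim) or die "create $victim: $!";
print {$out} "original contents\n";
close($out);
symlink($victim, $pidfile) or die "symlink: $!";   # pre-existing link at the pid path

my $safe_ok = write_pid_safe($pidfile);
printf "safe:  created=%d victim intact=%s\n", $safe_ok,
    slurp($victim) eq "original contents\n" ? 'yes' : 'no';

my $naive_ok = write_pid_naive($pidfile);
printf "naive: created=%d victim intact=%s\n", $naive_ok,
    slurp($victim) eq "original contents\n" ? 'yes' : 'no';
```

When the file does not need a fixed name, File::Temp's `tempfile` gives an unpredictable name with exclusive creation; a fixed-name pid file is safer in a directory only its owner can write to.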
Comment 1 Thomas Biege 2005-01-20 22:56:11 UTC
Comment 2 Thomas Biege 2005-01-20 22:56:43 UTC
Created attachment 27792
perl.diff
Comment 3 Thomas Biege 2005-01-20 23:09:36 UTC

*** This bug has been marked as a duplicate of 65026 ***
Comment 4 Thomas Biege 2009-10-13 20:59:57 UTC
CVE-2005-0077: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)