This queue is for tickets about the Data-UUID CPAN distribution.

Report information
The Basics
Id: 69277
Status: rejected
Priority: 0/
Queue: Data-UUID

Owner: Nobody in particular
Requestors: tim [...]

Bug Information
Severity: Critical
Broken in: 1.217
Fixed in: (no value)

Subject: Insecure usage of /tmp/.UUID_STATE
A symlink attack via Data::UUID seems to be possible.

As user2:
ln -s /home/user1/test-file /tmp/.UUID_STATE

As user1:
perl -MData::UUID -e 'Data::UUID->new'

Then /home/user1/test-file is overwritten.

I could not achieve the same result via /tmp/.UUID_NODEID, but I have not studied this carefully.
Reposted at which is now the preferred bug tracker.
Thanks. As it's now there, I'm closing it here. -- rjbs