ALAS-2014-358


Amazon Linux AMI Security Advisory: ALAS-2014-358
Advisory Release Date: 2014-09-19 10:23 Pacific
Severity: Low
References: CVE-2014-1875 

Issue Overview:

It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files:

./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam();

This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.


Affected Packages:

perl-Capture-Tiny


Issue Correction:
Run yum update perl-Capture-Tiny to update your system.

New Packages:
noarch:
    perl-Capture-Tiny-0.24-1.5.amzn1.noarch

src:
    perl-Capture-Tiny-0.24-1.5.amzn1.src