Debian Security Advisory

DSA-620-1 perl -- insecure temporary files / directories

Date Reported:
30 Dec 2004
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2004-0452, CVE-2004-0976.
More information:

Several vulnerabilities have been discovered in Perl, the popular scripting language. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2004-0452

    Jeroen van Wolffelaar discovered that the rmtree() function in the File::Path module removes directory trees in an insecure manner, which could lead to the removal of arbitrary files and directories through a symlink attack.

  • CAN-2004-0976

    Trustix developers discovered several insecure uses of temporary files in many modules, which allow a local attacker to overwrite files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in version 5.6.1-8.8.

For the unstable distribution (sid) these problems have been fixed in version 5.8.4-5.

We recommend that you upgrade your perl packages.
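
The temporary-file problem class behind CAN-2004-0976, shown as an added Perl example that is not taken from this advisory or from the patched modules: a predictable name in a shared directory opened with plain open(), next to exclusive creation and File::Temp. The sandbox directory, file names and helper functions are constructed for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a shared, world-writable /tmp.
my $tmp    = tempdir(CLEANUP => 1);
my $victim = "$tmp/victim.conf";    # constructed file that must not be clobbered
my $guess  = "$tmp/module.$$";      # predictable temp name: fixed prefix plus PID

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "$path: $!";
    local $/;
    return scalar <$fh>;
}

# Weak pattern: plain open() follows a symlink at $path and truncates its target.
sub insecure_write {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} $data;
    return close($fh) ? 1 : 0;
}

# Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, including a
# symlink (dangling or not), already exists at $path.
sub exclusive_write {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $data;
    return close($fh) ? 1 : 0;
}

# The victim does not exist yet, so a plain create is fine for the setup step.
insecure_write($victim, "original\n") or die "$victim: $!";
symlink($victim, $guess) or die "symlink: $!";    # link already at the guessed name

my $excl_ok = exclusive_write($guess, "scratch\n");
printf "exclusive create: %s, victim intact: %s\n",
    $excl_ok ? "succeeded" : "refused", slurp($victim) eq "original\n" ? "yes" : "no";
my $weak_ok = insecure_write($guess, "scratch\n");
printf "plain open: %s, victim intact: %s\n",
    $weak_ok ? "succeeded" : "refused", slurp($victim) eq "original\n" ? "yes" : "no";

# Preferred: File::Temp picks an unpredictable name and creates it exclusively.
my ($fh, $name) = tempfile('moduleXXXXXXXX', DIR => $tmp, UNLINK => 1);
print {$fh} "scratch\n";
close $fh;
printf "File::Temp created %s\n", $name;
```

When auditing local scripts for the same pattern, look for open() calls in write mode on paths built from a fixed prefix and the process ID under /tmp.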

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.