ALAS-2014-358


Amazon Linux 1 (EOL) Security Advisory: ALAS-2014-358
Advisory Released Date: 2014-06-15
Advisory Updated Date: 2014-09-19
Severity: Low

Issue Overview:

It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::Temp::tmpnam function to generate temporary files:

./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam();

When called in scalar context, this function uses the mktemp() function, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permissions. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.
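
The difference between opening a pre-chosen file name and creating the file exclusively, shown as an added example (not code from Capture::Tiny or from the updated package). All paths are constructed inside a private sandbox directory, and the helper names `write_file` and `read_file` are hypothetical.

```perl
#!/usr/bin/perl
# Added example: name-then-open temp file handling versus exclusive creation.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);
use File::Spec;

# Private sandbox; every path below is constructed for this demonstration.
my $dir    = tempdir(CLEANUP => 1);
my $target = File::Spec->catfile($dir, 'victim.txt');
my $flag   = File::Spec->catfile($dir, 'flagfile');  # stands in for a guessed tmpnam() name

write_file($target, "original\n");
symlink($target, $flag) or die "symlink: $!";         # the path already exists as a symlink

# 1. Pattern from the advisory: plain open() of a name chosen earlier.
#    open() follows the symlink and truncates whatever it points to.
open(my $fh, '>', $flag) or die "open: $!";
print {$fh} "flag\n";
close $fh;
printf "plain open:   victim now contains %s", read_file($target);

# 2. Exclusive create: O_EXCL makes sysopen fail if the path exists at all,
#    including as a symlink, and the explicit mode avoids 0666.
write_file($target, "original\n");
if (sysopen(my $safe, $flag, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close $safe;
    print "sysopen:      unexpectedly succeeded\n";
} else {
    print "sysopen:      refused ($!)\n";
}
printf "after O_EXCL: victim still contains %s", read_file($target);

# 3. File::Temp::tempfile() picks the name and creates the file exclusively
#    in one step, with mode 0600.
my ($tfh, $tname) = tempfile('flagXXXXXXXX', DIR => $dir);
printf "tempfile():   %s mode %04o\n", $tname, (stat $tfh)[2] & 07777;

sub write_file { my ($p, $s) = @_; open(my $o, '>', $p) or die "$p: $!"; print {$o} $s; close $o }
sub read_file  { my ($p) = @_; open(my $i, '<', $p) or die "$p: $!"; local $/; return scalar <$i> }
```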


Affected Packages:

perl-Capture-Tiny


Issue Correction:
Run yum update perl-Capture-Tiny to update your system.

New Packages:
noarch:
    perl-Capture-Tiny-0.24-1.5.amzn1.noarch

src:
    perl-Capture-Tiny-0.24-1.5.amzn1.src