
Comments (9)

stigtsp avatar stigtsp commented on August 12, 2024 1

Some context for the above: Added the patches from #40 that removes the state files feature to nixpkgs, and tests for all reverse dependencies ran fine.

Removing the state files seems like a reasonable fix to me, unless I'm missing something.

from data-uuid.

timretout avatar timretout commented on August 12, 2024

I have requested a CVE id from oss-security, and I will come back and update the report when one is assigned.

from data-uuid.

rjbs avatar rjbs commented on August 12, 2024

I really don't do anything on this library but apply patches. It's been without a dedicated maintainer almost since release. A patch for this issue would be appreciated.

from data-uuid.

karenetheridge avatar karenetheridge commented on August 12, 2024

We should really fix this. A lot of production code uses it.

from data-uuid.

eserte avatar eserte commented on August 12, 2024

Anyway, what's the intention of these /tmp/.UUID* files? Maybe performance is the reason --- but actually, if all file operations were removed from UUID.xs, then constructing a Data::UUID object and running create_str() once is faster than before, at least on my Linux system.

from data-uuid.

rjbs avatar rjbs commented on August 12, 2024

I'm afraid I don't know. I really have never really read this code carefully. I have just been the de facto "apply patches, do test release, release afterward" person.

from data-uuid.

tecordes avatar tecordes commented on August 12, 2024

Hi, I'm new to github, but a dev of 30 years. I have attempted a fix of this issue as it drives me nuts. I have attempted to get my commit/patch to link to this issue, I think it worked? No idea what I have to do now.
Anyhow you can see my changes in my commit link. My idea is to change from using tmp to using ENV{HOME}, with a fallback to tmp. And some other minor related tweaks. It's all done in C in the XS, not in perl or the makefile.

from data-uuid.

briandfoy avatar briandfoy commented on August 12, 2024

I looked at the merged commit, and wonder if this is still insecure. The attacker can still choose to have the file created in /tmp by choosing the value for $HOME. The filenames are still completely known, which is a big part of the problem.

As Slavic said, get rid of the external file altogether so there's no problem with files.

Typically, I've seen these steps for dealing with temp file race conditions:

  • Add a varying and random part to the name. This should be hard to guess.
  • Fail if the file already exists.
  • Use lstat to ensure that you have the file you think you do. Fail if you have a symlink.

from data-uuid.

stigtsp avatar stigtsp commented on August 12, 2024

from data-uuid.
