
Fedora 24: Security Update for Perltidy - Symlink Attack Risk

June 11, 2017
The team behind Fedora 24 has released an essential security update for perltidy, addressing vulnerabilities that could enable local file overwrite due to symlink exploitation.

Summary

Perltidy is a Perl script that indents and re-formats Perl scripts to
make them easier to read. If you write Perl scripts, or spend much
time reading them, you will probably find it useful. The formatting
can be controlled with command line parameters. The default parameter
settings approximately follow the suggestions in the Perl Style Guide.
Perltidy can also output HTML of both POD and source code. Besides
re-formatting scripts, Perltidy can be a great help in tracking down
errors with missing or extra braces, parentheses, and square brackets
because it is very good at localizing errors.

Cumulative bug-fix, enhancement and security update, including fix for
CVE-2016-10374: perltidy relies on the current working directory for certain
output files and did not have a symlink-attack protection mechanism, which
allowed local users to overwrite arbitrary files by creating a symlink, as
demonstrated by creating a perltidy.ERR symlink that the victim could not
delete.
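
The failure mode described above, as an added example in Python (not perltidy's own code and not the upstream fix): a write that follows a symlink named perltidy.ERR, next to one that refuses it. The directory layout, file contents and function names are constructed for illustration.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

ERR_NAME = "perltidy.ERR"  # output file name taken from the advisory text

def naive_write(directory, text):
    """Pre-fix pattern: open() follows whatever symlink sits at the path."""
    with open(os.path.join(directory, ERR_NAME), "w") as fh:
        fh.write(text)

def safe_write(directory, text):
    """Refuse symlinks and non-regular files; return True only if written."""
    path = os.path.join(directory, ERR_NAME)
    try:  # no O_TRUNC here: nothing is modified until the checks below pass
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # last component is a symlink
            return False
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:  # not a plain single-link file
        os.close(fd)
        return False
    os.ftruncate(fd, 0)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return True

def demo():
    """Constructed scenario: perltidy.ERR is a symlink to a file outside the cwd."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.txt")
        cwd = os.path.join(work, "project")
        os.mkdir(cwd)
        Path(victim).write_text("important")
        os.symlink(victim, os.path.join(cwd, ERR_NAME))
        refused = not safe_write(cwd, "error log")
        intact = Path(victim).read_text() == "important"
        naive_write(cwd, "error log")  # follows the link and clobbers the target
        clobbered = Path(victim).read_text() == "error log"
        return refused, intact, clobbered

if __name__ == "__main__":
    print(demo())
```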

[1] Bug #1452050 - CVE-2016-10374 perltidy: Uses current working directory without symlink-attack protection
    https://bugzilla.redhat.com/show_bug.cgi?id=1452050

Use su -c 'dnf upgrade perltidy' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/

Severity: critical

Product: Fedora 24
Version: 20170521
Release: 1.fc24
URL:
Summary: Tool for indenting and re-formatting Perl scripts
