CVE-2016-10374

Name: CVE-2016-10374
Description: perltidy through 20160302, as used by perlcritic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which allows local users to overwrite arbitrary files by creating a symlink, as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 862667

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version       Status
perltidy (PTS)    buster         20180220-1    fixed
                  bullseye       20200110-1    fixed
                  bookworm       20220613-1    fixed
                  sid, trixie    20230309-2    fixed

The information below is based on the following data on fixed versions.

Package     Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
perltidy    source    (unstable)    20140328-2                            862667

Notes

[jessie] - perltidy <no-dsa> (Minor issue; can be fixed via point release)
[wheezy] - perltidy <no-dsa> (Minor issue)