CVE-2011-4116

Publication date 31 January 2020

Last updated 16 September 2025

Ubuntu priority

Why this priority?

Cvss 3 Severity Score

Score breakdown

Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
perl	12.10 quantal	Ignored
	12.04 LTS precise	Ignored
	11.10 oneiric	Ignored
	11.04 natty	Ignored end of life
	10.10 maverick	Ignored end of life
	10.04 LTS lucid	Ignored
	8.04 LTS hardy	Ignored
libfile-temp-perl	12.10 quantal	Not in release
	12.04 LTS precise	Not in release
	11.10 oneiric	Ignored
	11.04 natty	Ignored end of life
	10.10 maverick	Ignored end of life
	10.04 LTS lucid	Ignored
	8.04 LTS hardy	Ignored end of life

Notes

seth-arnold

No agreed-upon or released patch exists for _is_safe(). Solar Designer questions the _is_safe() MEDIUM and HIGH checks altogether; attempted patches to check the safety of parent directories forbid /tmp symlinks. It is probably impossible to make _is_safe() secure. Ubuntu symlink and hardlink restrictions should prevent this entire class of problems.

Severity score breakdown

Parameter	Value
Base score	3.3 · Low
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N