PT-2017-7889 · Unknown+1 · Check-All-The-Things+2

Jakub Wilk · Published 2017-05-17 · Updated 2020-03-02 · CVE-2016-10374

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

perltidy: versions prior to 20160302
perlcritic: affected versions not specified
check-all-the-things: affected versions not specified
Description

The issue allows local users to overwrite arbitrary files by creating a symlink. This can be demonstrated by creating a perltidy.ERR symlink that the victim cannot delete. The problem arises because perltidy relies on the current working directory for certain output files (such as perltidy.ERR) and lacks a symlink-attack protection mechanism: when the victim runs perltidy in a directory where such a link has been planted, the output is written through the link to its target.
Recommendations

For perltidy versions prior to 20160302, consider updating to a version that includes a symlink-attack protection mechanism. For perlcritic, check-all-the-things, and other affected software, restrict access to the vulnerable perltidy component until a patch is available. As a temporary workaround, consider disabling the use of perltidy for output files that rely on the current working directory.
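As an added illustration, not taken from the advisory or from the perltidy code base, the unsafe file-creation pattern beside a hardened one in Python: both write an output file into a directory where a perltidy.ERR symlink has been planted (constructed inside a throwaway temporary directory), and only the open using O_CREAT|O_EXCL|O_NOFOLLOW refuses to write through the link.

```python
import os
import tempfile


def naive_write(path, data):
    # Plain open() follows symlinks: if `path` is a planted link, the
    # link's target is truncated and overwritten instead.
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything already exists at
    # `path`, a symlink included; O_NOFOLLOW additionally refuses to
    # traverse a final-component symlink on platforms that support it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Return (naive_clobbered, safe_refused, target_intact, fresh_ok)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a file the victim does not expect to change.
        target = os.path.join(d, "victim_file")
        with open(target, "w") as f:
            f.write("original")
        # Constructed planted link named like perltidy's error output file.
        link = os.path.join(d, "perltidy.ERR")
        os.symlink(target, link)

        naive_write(link, "clobbered")
        with open(target) as f:
            naive_clobbered = f.read() == "clobbered"

        with open(target, "w") as f:  # reset before trying the hardened path
            f.write("original")
        try:
            safe_write(link, "clobbered")
            safe_refused = False
        except OSError:  # FileExistsError (EEXIST) or ELOOP from O_NOFOLLOW
            safe_refused = True
        with open(target) as f:
            target_intact = f.read() == "original"

        # The hardened open still works for a genuinely new output file.
        fresh = os.path.join(d, "fresh.ERR")
        safe_write(fresh, "ok")
        with open(fresh) as f:
            fresh_ok = f.read() == "ok"
        return naive_clobbered, safe_refused, target_intact, fresh_ok
```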

Weakness Enumeration

Link Following

Related identifiers

CVE-2016-10374
MGASA-2017-0301

Affected products

Check-All-The-Things
Perlcritic
Perltidy