Bug 12157

Summary: perl-Proc-Daemon new security issue CVE-2013-7135
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jquelin, stormi-mageia, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/578247/
Whiteboard: has_procedure advisory MGA3-32-OK mga3-64-ok
Source RPM: perl-Proc-Daemon-0.140.0-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-12-30 18:22:40 CET 
Fedora has issued an advisory on December 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html

They added a patch, which they got from Debian:
http://pkgs.fedoraproject.org/cgit/perl-Proc-Daemon.git/plain/debian_patches_pid.patch?h=f20&id=5ada3df9dabda58b75aed045c00193fe2a35c267

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-30 18:22:49 CET

Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-06 22:30:33 CET 
Fixed in Cauldron in perl-Proc-Daemon-0.140.0-4.mga4 by Guillaume Rousse.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 2 David Walser 2014-01-06 22:36:46 CET 
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated perl-Proc-Daemon package fixes security vulnerability:

It was reported that perl-Proc-Daemon, when instructed to write a pid file,
does that with a umask set to 0, so the pid file ends up with mode 666,
allowing any user on the system to overwrite it (CVE-2013-7135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7135
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html
========================

Updated packages in core/updates_testing:
========================
perl-Proc-Daemon-0.140.0-2.1.mga3

from perl-Proc-Daemon-0.140.0-2.1.mga3.src.rpm

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 3 Samuel Verschelde 2014-01-21 17:47:15 CET 
Patch is a one-liner, not much risk of regression.

-            umask 0;
+            umask 066;

CC: (none) => stormi

Comment 4 Samuel Verschelde 2014-01-21 17:58:18 CET 
Testing ok i586.

------- test.pl -----------
#!/bin/perl

use Proc::Daemon;

$daemon = Proc::Daemon->new(
  pid_file => '/tmp/pid.txt'
);

$Kid_1_PID = $daemon->Init;
----------------------------

$ perl test.pl

=> creates /tmp/pid.txt with mode 666

After installing the update candidate, removing /tmp/pid.txt and trying again, mode is 600.

Whiteboard: (none) => has_procedure MGA3-32-OK

Comment 5 claire robinson 2014-01-21 18:12:26 CET 
Thanks Samuel

Testing complete mga3 64

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure advisory MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-01-24 22:10:12 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0025.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED