Bug 12652

Summary: perl-Capture-Tiny new security issue CVE-2014-1875
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jquelin, mageia, napcok, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/586337/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Source RPM: perl-Capture-Tiny-0.210.0-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-02-07 17:01:40 CET 
An insecure /tmp file issue was reported for perl-Capture-Tiny:
http://openwall.com/lists/oss-security/2014/02/06/10

It was assigned CVE-2014-1875:
http://openwall.com/lists/oss-security/2014/02/07/1

The issue is fixed upstream in 0.24, as noted in the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737835

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-07 17:01:49 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-02-10 08:58:43 CET 
Cauldron updated to latest version.
MGA4 and MGA3 patched and submitted. David, I hope you take care of the rest :)

CC: (none) => mageia
Hardware: i586 => All
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-02-10 15:49:17 CET 
Yes, thanks Sander!

Advisory:
========================

Updated perl-Capture-Tiny packages fix security vulnerability:

perl-Capture-Tiny before 0.24 used files in /tmp in an insecure manner
(CVE-2014-1875).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1875
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737835
========================

Updated packages in core/updates_testing:
========================
perl-Capture-Tiny-0.210.0-2.1.mga3
perl-Capture-Tiny-0.220.0-2.1.mga4

from SRPMS:
perl-Capture-Tiny-0.210.0-2.1.mga3.src.rpm
perl-Capture-Tiny-0.220.0-2.1.mga4.src.rpm

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 3 David Walser 2014-02-12 22:16:03 CET 
Testing complete on Mageia 3 and Mageia 4 i586.

Testing procedure, save this script as tiny.pl:
######################
use Capture::Tiny ':all';
$cmd = "/usr/bin/ls";
@args = @ARGV;
($stdout, $stderr, $exit) = capture {
  system($cmd, @args);
};
print "STDOUT\n";
print $stdout;
print "STDERR\n";
print $stderr;
print "EXIT: ";
print $exit . "\n";
#######################

Then you can use the script just like the ls command, and it will print out the standard output, error, and exit status all neatly sorted out.  I ran it in a directory that had a file FC4.txt but no file called oof.

$ perl tiny.pl oof FC4.txt
STDOUT
FC4.txt
STDERR
/usr/bin/ls: cannot access oof: No such file or directory
EXIT: 512
$ perl tiny.pl FC4.txt
STDOUT
FC4.txt
STDERR
EXIT: 0
$

Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 4 Daniel Napora 2014-02-13 13:09:31 CET 
Testing complete on Mageia 4 x86_64.

CC: (none) => napcok
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 5 RĂ©mi Verschelde 2014-02-13 15:27:51 CET 
Testing complete on Mageia 3 x86_64 following the procedure in comment 3.

Validating update. Advisory has been uploaded, please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Thomas Backlund 2014-02-13 21:08:32 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0068.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-02-14 18:52:58 CET

URL: (none) => http://lwn.net/Vulnerabilities/586337/