| Summary: | perl PAR modules unsafe use of /tmp (CVE-2011-4114 and CVE-2011-5060) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, fundawang, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | perl-PAR-1.2.0-1.mga1.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | helloworld.pl | | |
|
Description
David Walser
2012-01-28 12:57:42 CET
David Walser
2012-01-28 12:57:55 CET
CC: (none) => fundawang

Thanks, then we can reassign to the QA. (yes you have again some work :D )

Assignee: bugsquad => qa-bugs

Funda you confirm these are ready for testing please. Thanks.

Yes, please test them.

Thanks Funda. Possible testing procedure here - https://bugzilla.redhat.com/show_bug.cgi?id=753955#c9 It looks like it should test both of them.

x86_64

Not sure how to implement this..

Before
------
Created a /tmp/par-<user> directory and chmod'ed to 777
Downloaded a sample script from here http://sifaka.cs.uiuc.edu/czhai/replace.pl

```
$ pp --par replace.pl
Usage: pp -t type [-a] [-i input] [-o output]
 -t type    Specify the input type (must be one of private-key, public-key, certificate, certificate-request, pkcs7, crl or name)
 -a         Input is in ascii encoded form (RFC1113)
 -i input   Define an input file to use (default is stdin)
 -o output  Define an output file to use (default is stdout)
$ pp -t pkcs7 -o replace -i replace.pl
pp: problem converting data (security library: improperly formatted DER-encoded message.)
```

Every other -t setting produces the same output apart from private-key, what am I doing wrong? (Sorry, I don't know perl at all)

```
$ pp -t private-key -o replace -i replace.pl
pp: don't know how to print out 'private-key' files
```

/usr/bin/pp is from the package nss (Netscape Security Services). /usr/bin/pp.pl is from perl-PAR-Packer.

```
strace -f -ostrace.txt pp.pl /usr/sbin/convertsession
grep -e tmp -e temp strace.txt|grep open|less
```

All of the temp files seem to have random parts in the names, so I'm not seeing the problem, using the release version of the packages.

CC: (none) => davidwhodgins

Created attachment 1457 [details]
helloworld.pl
x86_64

Before
------

```
$ strace -o strace.out pp.pl --par helloworld.pl
$ grep tmp strace.out
No output
$ strace -o strace.out perl -MPAR=./a.par helloworld.pl
content-type: text/html
Hello, World!
$ grep tmp strace.out
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
mkdir("/tmp/par-claire", 0755) = -1 EEXIST (File exists)
mkdir("/tmp/par-claire/cache-c4e25d77dacf13d36aaf9fcb80292975dfc85720", 0755) =
$ strace -o strace.out parl ./a.par
content-type: text/html
Hello, World!
$ grep tmp strace.out
```

Shows a lot of use of the randomised cache directory but within the chmod'd 777 /tmp/par-claire/

After
-----

```
$ rm a.out
rm: remove regular file `a.out'? y
$ strace -o strace.out pp.pl --par helloworld.pl
$ grep tmp strace.out
$ perl -MPAR=./a.par helloworld.pl
private subdirectory /tmp/par-claire is unsafe (please remove it and retry your operation) at /usr/lib/perl5/vendor_perl/5.12.3/PAR/SetupTemp.pm line 117.
unable to create cache directory at /usr/lib/perl5/vendor_perl/5.12.3/PAR/SetupTemp.pm line 47.
BEGIN failed--compilation aborted.
# rm -rf /tmp/par-claire
$ strace -o strace.out perl -MPAR=./a.par helloworld.pl
content-type: text/html
Hello, World!
$ grep tmp strace.out
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
mkdir("/tmp/par-claire", 0700) = 0
lstat("/tmp/par-claire", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
mkdir("/tmp/par-claire/cache-c4e25d77dacf13d36aaf9fcb80292975dfc85720", 0700) = 0
$ ll /tmp | grep par
drwx------ 3 claire claire 4096 Jan 29 15:18 par-claire/
```
Testing complete x86_64
Testing complete on i586.

Could someone from the sysadmin team push the srpms perl-PAR-1.2.0-1.1.mga1.src.rpm perl-PAR-Packer-1.9.0-1.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

Updated perl-PAR and perl-PAR-Packer packages fix security vulnerabilities:

The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-4114).

The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-5060).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5060
https://bugs.mageia.org/show_bug.cgi?id=4313

Keywords: (none) => validated_update
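As an added example (not code from PAR, PAR::Packer or this bug report), a Perl helper that applies the ownership and permission checks the advisory describes and the "After" strace shows: create the per-user directory with mode 0700, lstat it, and refuse a pre-existing directory that is not a real directory owned by the caller with no group/other bits. The helper name `safe_private_tmpdir` and the demonstration run are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from PAR, PAR::Packer or this bug report. It applies the
# checks the fixed par_mktmpdir performs: create /tmp/par-<user> with mode 0700,
# then refuse to use it unless it is a real directory, owned by the caller and
# closed to group/other. A pre-existing 0777 directory is rejected, not reused.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(:mode);
use File::Spec;

# Assumed helper name; $base defaults to the system temp directory.
sub safe_private_tmpdir {
    my ($base) = @_;
    $base ||= File::Spec->tmpdir;
    my $user = getpwuid($<) || $<;
    my $dir  = File::Spec->catdir($base, "par-$user");

    # mkdir with 0700; an existing directory is fine here, it is checked below.
    unless (mkdir $dir, 0700) {
        die "cannot create $dir: $!\n" unless $! == EEXIST;
    }

    # lstat, so a symlink planted at this path shows up as a symlink.
    my @st = lstat $dir or die "cannot lstat $dir: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "private subdirectory $dir is unsafe (please remove it and retry)\n"
        unless S_ISDIR($mode)            # a real directory, not a link or file
            && $uid == $<                # owned by the calling user
            && ($mode & 0077) == 0;      # no group or other permission bits
    return $dir;
}

# Demonstration: a world-writable par-<user> directory is refused; once it is
# removed the helper creates a 0700 one, matching the "After" strace above.
if (!caller) {
    require File::Temp;
    my $base = File::Temp::tempdir(CLEANUP => 1);
    my $bad  = File::Spec->catdir($base, 'par-' . (getpwuid($<) || $<));
    mkdir $bad, 0777 or die "mkdir $bad: $!";
    chmod 0777, $bad;                    # mkdir honours umask, force 0777
    eval { safe_private_tmpdir($base) };
    print "rejected: $@";
    rmdir $bad or die "rmdir $bad: $!";
    my $dir = safe_private_tmpdir($base);
    printf "created %s with mode %04o\n", $dir, (stat $dir)[2] & 07777;
}
```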
David Walser
2012-01-29 21:04:01 CET

Hardware: i586 => All

update pushed

Status: NEW => RESOLVED