Bug 12157 - perl-Proc-Daemon new security issue CVE-2013-7135
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/578247/
Whiteboard: has_procedure advisory MGA3-32-OK mga...
Keywords: validated_update

Reported: 2013-12-30 18:22 CET by David Walser
Modified: 2014-01-24 22:10 CET (History)

Source RPM: perl-Proc-Daemon-0.140.0-3.mga4.src.rpm

Description David Walser 2013-12-30 18:22:40 CET
Fedora has issued an advisory on December 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html

They added a patch, which they got from Debian:
http://pkgs.fedoraproject.org/cgit/perl-Proc-Daemon.git/plain/debian_patches_pid.patch?h=f20&id=5ada3df9dabda58b75aed045c00193fe2a35c267
Comment 1 David Walser 2014-01-06 22:30:33 CET
Fixed in Cauldron in perl-Proc-Daemon-0.140.0-4.mga4 by Guillaume Rousse.
Comment 2 David Walser 2014-01-06 22:36:46 CET
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated perl-Proc-Daemon package fixes security vulnerability:

It was reported that perl-Proc-Daemon, when instructed to write a pid file,
does that with a umask set to 0, so the pid file ends up with mode 666,
allowing any user on the system to overwrite it (CVE-2013-7135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7135
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html
========================

Updated packages in core/updates_testing:
========================
perl-Proc-Daemon-0.140.0-2.1.mga3

from perl-Proc-Daemon-0.140.0-2.1.mga3.src.rpm
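The advisory above attributes the 0666 pid file to Proc::Daemon clearing the umask to 0 before writing it. The Perl script below is an added example, not code from this bug report or from Proc::Daemon itself: it reproduces the umask arithmetic on a throwaway file, shows the effect of the 066 mask the fix uses, and shows that requesting 0600 explicitly at open time is safe under any umask. The /tmp path and the helper names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the Mageia bug or from Proc::Daemon): shows why a
# pid file written under umask 0 ends up mode 0666, and two ways of getting
# 0600 instead. The /tmp path and helper names are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);

# Create $path with the given umask in force and return the resulting
# permission bits (low 12 bits of st_mode) as an octal string.
# $open_mode is what the open() call asks for before the umask is applied;
# a plain open() in Perl asks for 0666, which is what umask 0 leaves intact.
sub mode_after_umask {
    my ($path, $mask, $open_mode) = @_;
    $open_mode //= 0666;
    unlink $path;                      # O_CREAT does not reset an existing file's mode
    my $old = umask($mask);            # umask() returns the previous mask
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_TRUNC, $open_mode)
        or die "sysopen $path: $!";
    print $fh "$$\n";                  # a pid file: just our pid and a newline
    close $fh;
    umask($old);                       # restore the caller's umask
    return sprintf '%04o', (stat $path)[2] & 07777;
}

# Reviewer-style check on an existing pid file: any group/other write bit
# means another local user could replace the recorded pid.
sub pid_file_is_safe {
    my ($path) = @_;
    my $mode = (stat $path)[2] & 07777;
    return ($mode & 022) == 0;
}

my $pid_file = '/tmp/pid-demo.txt';   # assumed scratch path

# Vulnerable pattern: umask cleared to 0, so the requested 0666 survives.
my $weak = mode_after_umask($pid_file, 0);
printf "umask 0,   open mode 0666 -> %s (%s)\n",
    $weak, pid_file_is_safe($pid_file) ? 'safe' : 'writable by other users';

# Fixed pattern as in the Debian patch: umask 066 strips rw from group/other.
my $fixed = mode_after_umask($pid_file, 066);
printf "umask 066, open mode 0666 -> %s (%s)\n",
    $fixed, pid_file_is_safe($pid_file) ? 'safe' : 'writable by other users';

# Defensive alternative: ask for 0600 explicitly; the umask can only clear
# bits, never add them, so this is safe even under umask 0.
my $explicit = mode_after_umask($pid_file, 0, 0600);
printf "umask 0,   open mode 0600 -> %s (%s)\n",
    $explicit, pid_file_is_safe($pid_file) ? 'safe' : 'writable by other users';

unlink $pid_file;
```

Run it as an ordinary user; the first line is the vulnerable case, the second the behaviour after the update, and the third shows that an explicit 0600 at open time does not depend on whatever umask the daemon happens to be running with.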
Comment 3 Samuel Verschelde 2014-01-21 17:47:15 CET
Patch is a one-liner, not much risk of regression.

-            umask 0;
+            umask 066;
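Review bot: the new mask is never restored, so this changes the file creation mask for every file the daemonized process creates afterwards, not only the pid file; a caller whose daemon relied on the previous umask 0 to create world-readable files will see that behaviour change silently. If the goal is only to protect the pid file, setting its mode explicitly (sysopen with 0600, or chmod 0600 after writing) and leaving the process umask to the caller would be the narrower fix; otherwise the new default deserves a line in the documentation. Note also that 066 only strips read and write bits, so any directory created under it still comes out 0711; 077 would be the stricter choice if private files are the intent.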
Comment 4 Samuel Verschelde 2014-01-21 17:58:18 CET
Testing ok i586.

------- test.pl -----------
#!/usr/bin/perl
use strict;
use warnings;

use Proc::Daemon;

# Daemonize and have Proc::Daemon write the child's pid to a file;
# the mode of that file is what CVE-2013-7135 is about.
my $daemon = Proc::Daemon->new(
    pid_file => '/tmp/pid.txt',
);

# In the parent, Init returns the daemon child's PID; the child keeps running.
my $Kid_1_PID = $daemon->Init;
----------------------------

$ perl test.pl

=> creates /tmp/pid.txt with mode 666

After installing the update candidate, removing /tmp/pid.txt and trying again, mode is 600.
Comment 5 claire robinson 2014-01-21 18:12:26 CET
Thanks Samuel

Testing complete mga3 64

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks
Comment 6 Thomas Backlund 2014-01-24 22:10:12 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0025.html