Fedora has issued an advisory on December 20:
They added a patch, which they got from Debian:
Steps to Reproduce:
Fixed in Cauldron in perl-Proc-Daemon-0.140.0-4.mga4 by Guillaume Rousse.
Patched package uploaded for Mageia 3.
Updated perl-Proc-Daemon package fixes security vulnerability:
It was reported that perl-Proc-Daemon, when instructed to write a pid file,
does that with a umask set to 0, so the pid file ends up with mode 666,
allowing any user on the system to overwrite it (CVE-2013-7135).
Updated packages in core/updates_testing:
Patch is a one-liner, not much risk of regression.
- umask 0;
+ umask 066;
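Review bot: umask 066 masks read and write for group and others, so a pid file opened with the default 0666 mode now ends up 0600 (owner-only), which is the behaviour the QA test in this bug confirms. Since umask is process-wide and the new value stays in effect for the daemonized child, every other file the daemon creates afterwards also loses group/other access unless the daemon resets its umask; that is a behaviour change for existing users of the module and deserves a line in the advisory or changelog alongside the security fix.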
Testing ok i586.
------- test.pl -----------
use Proc::Daemon;
my $daemon = Proc::Daemon->new(
    pid_file => '/tmp/pid.txt',   # written by Init while its umask is in effect
);
my $Kid_1_PID = $daemon->Init;    # daemonize; the parent receives the child's PID
$ perl test.pl
=> creates /tmp/pid.txt with mode 666
After installing the update candidate, removing /tmp/pid.txt and trying again, mode is 600.
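To make the umask arithmetic behind this fix concrete, here is an added Python example (not code from the Mageia update, the Debian patch, or Proc::Daemon) that creates a pid file the way a daemon does, once under the vulnerable umask 0 and once under the patched umask 066, and then audits the results for group/other write bits. File names, the PID value and the function names are constructed for the demonstration.

```python
"""Effect of umask on a daemon's pid file, and an audit for the
world-writable pid files CVE-2013-7135 produces. Constructed example."""
import os
import stat
import tempfile

# A pid file is normally created via open(O_CREAT) with mode 0666;
# the kernel applies the process umask: effective = 0666 & ~umask.
CREATE_MODE = 0o666


def effective_mode(umask: int) -> int:
    """Permission bits a file created with mode 0666 gets under `umask`."""
    return CREATE_MODE & ~umask & 0o777


def create_pid_file(path: str, umask: int, pid: int = 4242) -> int:
    """Write `pid` to `path` under the given umask (as a daemon would) and
    return the permission bits the file actually received."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, CREATE_MODE)
        with os.fdopen(fd, "w") as fh:
            fh.write(f"{pid}\n")
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def writable_by_group_or_other(path: str) -> bool:
    """True if group or other may write the file: any local user could then
    replace the stored PID and redirect a later kill/restart to another process."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_pid_files(paths):
    """Return the subset of existing pid files that fail the write-bit check."""
    return [p for p in paths if os.path.isfile(p) and writable_by_group_or_other(p)]


def demo():
    """Vulnerable umask 0 versus patched umask 066, in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        vuln = os.path.join(d, "vuln.pid")    # constructed path
        fixed = os.path.join(d, "fixed.pid")  # constructed path
        mode_vuln = create_pid_file(vuln, 0o000)   # umask 0   -> 0666
        mode_fixed = create_pid_file(fixed, 0o066) # umask 066 -> 0600
        return mode_vuln, mode_fixed, audit_pid_files([vuln, fixed]) == [vuln]


if __name__ == "__main__":
    print([oct(m) for m in demo()[:2]], demo()[2])
```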
Testing complete mga3 64
Advisory uploaded. Validating.
Could sysadmin please push from 3 core/updates_testing to updates.