Fedora has issued an advisory on December 20: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html

They added a patch, which they got from Debian: http://pkgs.fedoraproject.org/cgit/perl-Proc-Daemon.git/plain/debian_patches_pid.patch?h=f20&id=5ada3df9dabda58b75aed045c00193fe2a35c267
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO
Fixed in Cauldron in perl-Proc-Daemon-0.140.0-4.mga4 by Guillaume Rousse.
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated perl-Proc-Daemon package fixes security vulnerability:

It was reported that perl-Proc-Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with mode 666, allowing any user on the system to overwrite it (CVE-2013-7135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7135
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html
========================

Updated packages in core/updates_testing:
========================
perl-Proc-Daemon-0.140.0-2.1.mga3

from perl-Proc-Daemon-0.140.0-2.1.mga3.src.rpm
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Patch is a one-liner, not much risk of regression.

- umask 0;
+ umask 066;
CC: (none) => stormi
Testing ok i586.

------- test.pl -----------
#!/usr/bin/perl
use strict;
use warnings;
use Proc::Daemon;

# Ask Proc::Daemon to write the pid file; its mode depends on the umask the
# module sets internally (0 before the fix, 066 after it).
my $daemon = Proc::Daemon->new( pid_file => '/tmp/pid.txt' );

# Init() daemonizes and returns the child pid to the parent.
my $Kid_1_PID = $daemon->Init;
----------------------------

$ perl test.pl
=> creates /tmp/pid.txt with mode 666

After installing the update candidate, removing /tmp/pid.txt and trying again, mode is 600.
Whiteboard: (none) => has_procedure MGA3-32-OK
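The test above checks the pid file mode by hand. The following is an added example, not code from this bug report or from Proc::Daemon, that reproduces the same mechanism in Python: it creates a pid file with the usual open mode 0666 under the weak umask (0) and under the patched one (066), reports the resulting permission bits, and includes a small audit helper of the kind a sysadmin could run over existing pid files to spot the world-writable case. The file names and the helper names are assumptions for the example.

```python
import os
import stat
import tempfile


def write_pid_file(path, umask_value):
    """Create a pid file the way a daemon typically does (open with mode 0666
    and let the process umask mask bits off) and return the resulting
    permission bits of the file."""
    old_umask = os.umask(umask_value)
    try:
        # The kernel applies the umask at creation time: final mode is
        # 0o666 & ~umask_value. With umask 0 that is 0666 (world-writable),
        # with umask 066 it is 0600, matching the 'umask 0' -> 'umask 066' fix.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.write(fd, f"{os.getpid()}\n".encode())
        os.close(fd)
    finally:
        # Never leave a changed umask behind in the calling process.
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_pid_file(path):
    """Return a list of findings for an existing pid file. An empty list means
    no other user can tamper with the pid the daemon will later read."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def demo():
    """Create one pid file per umask in a scratch directory (constructed
    input) and return (weak_mode, fixed_mode, weak_findings, fixed_findings)."""
    with tempfile.TemporaryDirectory() as scratch:
        weak_path = os.path.join(scratch, "pid_umask0.txt")     # assumed name
        fixed_path = os.path.join(scratch, "pid_umask066.txt")  # assumed name
        weak_mode = write_pid_file(weak_path, 0)
        fixed_mode = write_pid_file(fixed_path, 0o066)
        return (weak_mode, fixed_mode,
                audit_pid_file(weak_path), audit_pid_file(fixed_path))


if __name__ == "__main__":
    weak, fixed, weak_findings, fixed_findings = demo()
    print(f"umask 0:   mode {weak:o}  findings={weak_findings}")
    print(f"umask 066: mode {fixed:o}  findings={fixed_findings}")
```

Note that the patched umask only controls the mode at creation: a pid file that already exists with mode 666 keeps that mode, which is why the test in this thread removes /tmp/pid.txt before re-running with the update candidate.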
Thanks Samuel.

Testing complete mga3 64.

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure advisory MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0025.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED