Bug 12157 - perl-Proc-Daemon new security issue CVE-2013-7135
Summary: perl-Proc-Daemon new security issue CVE-2013-7135
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/578247/
Whiteboard: has_procedure advisory MGA3-32-OK mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-12-30 18:22 CET by David Walser
Modified: 2014-01-24 22:10 CET

See Also:
Source RPM: perl-Proc-Daemon-0.140.0-3.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2013-12-30 18:22:40 CET
Fedora has issued an advisory on December 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html

They added a patch, which they got from Debian:
http://pkgs.fedoraproject.org/cgit/perl-Proc-Daemon.git/plain/debian_patches_pid.patch?h=f20&id=5ada3df9dabda58b75aed045c00193fe2a35c267

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-30 18:22:49 CET

Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-06 22:30:33 CET
Fixed in Cauldron in perl-Proc-Daemon-0.140.0-4.mga4 by Guillaume Rousse.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 2 David Walser 2014-01-06 22:36:46 CET
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated perl-Proc-Daemon package fixes security vulnerability:

It was reported that perl-Proc-Daemon, when instructed to write a pid file,
does that with a umask set to 0, so the pid file ends up with mode 666,
allowing any user on the system to overwrite it (CVE-2013-7135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7135
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125133.html
========================

Updated packages in core/updates_testing:
========================
perl-Proc-Daemon-0.140.0-2.1.mga3

from perl-Proc-Daemon-0.140.0-2.1.mga3.src.rpm

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 3 Samuel Verschelde 2014-01-21 17:47:15 CET
Patch is a one-liner, not much risk of regression.

-            umask 0;
+            umask 066;
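Review bot: umask 066 gives the pid file mode 600 (0666 & ~066), which matches the tested result, but unless the previous umask is saved before this line and restored once the pid file is written (not visible in this one-line hunk), the new value stays in effect for the rest of the daemon process and every file it creates afterwards inherits it, exactly as umask 0 did before. If the intent is to deny group and other entirely, 077 also clears the execute bits, which 066 leaves untouched.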

CC: (none) => stormi

Comment 4 Samuel Verschelde 2014-01-21 17:58:18 CET
Testing ok i586.

------- test.pl -----------
#!/usr/bin/perl
use strict;
use warnings;

use Proc::Daemon;

# Ask Proc::Daemon to write a pid file; before the fix it was created
# under umask 0 and ended up with mode 666.
my $daemon = Proc::Daemon->new(
  pid_file => '/tmp/pid.txt'
);

# Init forks and daemonises; the parent gets the child's PID back.
my $Kid_1_PID = $daemon->Init;
----------------------------

$ perl test.pl

=> creates /tmp/pid.txt with mode 666

After installing the update candidate, removing /tmp/pid.txt and trying again, mode is 600.

Whiteboard: (none) => has_procedure MGA3-32-OK
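Added example, not part of this bug report and not code from Proc::Daemon: the advisory in comment 2 explains that a pid file written under umask 0 comes out mode 666, and the test in comment 4 checks the mode by hand. The self-contained Perl script below reproduces that mechanism beside a hardened writer (explicit 0600 creation mode, O_EXCL so a pre-existing file is never reused, restrictive umask applied only for the duration of the write and then restored) and includes a check that reports whether a pid file is accessible to group or other. It deliberately does not use Proc::Daemon, so it runs without the module installed; the function names and the temporary directory are my own assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from Proc::Daemon): why
# "umask 0" yields a world-writable pid file, and one way to create the
# file with a safe mode regardless of the caller's umask.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Mimics the vulnerable behaviour: open() creates with 0666 & ~umask,
# and with umask 0 that is 0666 (readable and writable by everyone).
sub write_pid_unsafe {
    my ($path) = @_;
    my $old = umask(0);
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh "$$\n";
    close($fh);
    umask($old);                       # restore the caller's umask
    return (stat($path))[2] & 07777;   # resulting permission bits
}

# Hardened variant: explicit 0600 creation mode, O_EXCL so an existing
# file (possibly planted by another user) is never silently reused, and
# a restrictive umask held only while the file is created.
sub write_pid_safe {
    my ($path) = @_;
    my $old = umask(077);
    my $ok = sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask($old);                       # restore before anything else
    die "sysopen $path: $!" unless $ok;
    print $fh "$$\n";
    close($fh);
    return (stat($path))[2] & 07777;
}

# Check a pid file the way QA did above: true if any group/other
# permission bit is set.
sub pid_file_is_world_accessible {
    my ($path) = @_;
    my $mode = (stat($path))[2] & 07777;
    return ($mode & 077) != 0;
}

# Constructed demo in a private temporary directory (assumed path).
my $dir = tempdir(CLEANUP => 1);
for my $case (['unsafe', \&write_pid_unsafe], ['safe', \&write_pid_safe]) {
    my ($label, $writer) = @$case;
    my $path = "$dir/pid.$label";
    my $mode = $writer->($path);
    printf "%-6s %s mode %04o, world accessible: %s\n",
        $label, $path, $mode,
        pid_file_is_world_accessible($path) ? 'yes' : 'no';
}
```

On an ordinary Unix filesystem the unsafe writer reports mode 0666 and the safe writer 0600, regardless of the umask the shell started the script with; the check function is what a sysadmin would run against an existing daemon's pid file after deploying the update.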

Comment 5 claire robinson 2014-01-21 18:12:26 CET
Thanks Samuel

Testing complete mga3 64

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure advisory MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-01-24 22:10:12 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0025.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
