A CVE was assigned for an insecure temporary file issue in perl-XML-DT: http://openwall.com/lists/oss-security/2014/08/15/8 The issue is fixed upstream in 0.66. Mageia 4 also has the issue, but tmpfile issues aren't a real security problem on newer kernels. Reproducible: Steps to Reproduce:
CC: (none) => mageia
Updated to 0.66 since there are no new deps. New packages available in core/updates_testing: - perl-XML-DT-0.660.0-1.mga3 - perl-XML-DT-0.660.0-1.mga4 Please test & push Advisory: ======================================== The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file. This new perl-XML-DT package fixes the problem. ======================================== thanks.
CC: (none) => jquelinAssignee: jquelin => qa-bugs
Added deps are not a problem now Jerome, TBWNWDNM was resolved in mga3 \o/
Advisory: ======================== Updated perl-XML-DT package fixes security vulnerability: The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file (CVE-2014-5260). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5260 http://openwall.com/lists/oss-security/2014/08/15/8
Version: 3 => 4Whiteboard: (none) => MGA3TOO
Testing complete mga3 32 Involves file naming with /usr/bin/mkxmltype and /usr/bin/mkdtskel https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756566 Before ------ $ grep tmp /usr/bin/mkdtskel system("head -$lines $filename | xmllint --recover - > /tmp/_xml_$$"); $filename = "/tmp/_xml_$$"; unlink("/tmp/_xml_$$") if $lines; $ grep tmp /usr/bin/mkxmltype system("head -$lines $fname | xmllint --recover - > /tmp/_xml_$$"); $fname = "/tmp/_xml_$$"; unlink("/tmp/_xml_$$") if $lines; After ----- $ grep tmp /usr/bin/mkdtskel my $tmpfile = File::Temp->new( UNLINK => 0 )->filename; system("head -$lines $filename | xmllint --recover - > $tmpfile"); $filename = $tmpfile; $ grep tmp /usr/bin/mkxmltype my $tmpfile = File::Temp->new( UNLINK => 0 )->filename; system("head -$lines $fname | xmllint --recover - > $tmpfile"); $fname = $tmpfile; Testing functionality with random xml file... $ cat testdata.xml <?xml version="1.0" encoding="UTF-8"?> <testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests"> <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001"> <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" /> <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" /> <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" /> <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" /> <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" /> </testsuite> </testsuites> $ mkdtskel testdata.xml #!/usr/bin/perl use XML::DT; use warnings; use strict; my $filename = shift; # Variable Reference # # $c - contents after child processing # $q - element name (tag) # %v - hash of attributes my %handler=( # '-outputenc' => 'ISO-8859-1', # '-default' => sub{"<$q>$c</$q>"}, 'testcase' => sub{ }, # 5 occurrences; attributes: status, time, name, classname 'testsuite' => sub{ }, # 1 occurrences; attributes: failures, disabled, errors, tests, time, name 'testsuites' => sub{ }, # 1 occurrences; attributes: failures, disabled, errors, tests, time, name ); print dt($filename, %handler); $ mkxmltype testdata.xml # testsuites ...Fri Sep 26 14:49:09 2014 testsuites => testsuite * failures * disabled * errors * tests * time * name testsuite => seq(testcase) * failures * disabled * errors * tests * time * name testcase => empty * status * time * name * classname
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok
*/tmp file naming
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga4 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory from comment 3 uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0390.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/614049/