Updates for these have been built by Funda Wang. Advisory: ======================== Updated perl-PAR and perl-PAR-Packer packages fix security vulnerabilities: The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-4114). The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-5060). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5060 ======================== Updated packages in core/updates_testing: ======================== perl-PAR-1.2.0-1.1.mga1 perl-PAR-Packer-1.9.0-1.1.mga1 from SRPMS: perl-PAR-1.2.0-1.1.mga1.src.rpm perl-PAR-Packer-1.9.0-1.1.mga1.src.rpm
CC: (none) => fundawang
Thanks, then we can reassign to the QA. (yes you have again some work :D )
Assignee: bugsquad => qa-bugs
Funda you confirm these are ready for testing please. Thanks.
Yes, please test them.
Thanks Funda. Possible testing procedure here - https://bugzilla.redhat.com/show_bug.cgi?id=753955#c9 It looks like it should test both of them.
x86_64 Not sure how to implement this.. Before ------ Created a /tmp/par-<user> directory and chmod'ed to 777 Downloaded a sample script from here http://sifaka.cs.uiuc.edu/czhai/replace.pl $ pp --par replace.pl Usage: pp -t type [-a] [-i input] [-o output] -t type Specify the input type (must be one of private-key, public-key, certificate, certificate-request, pkcs7, crl or name) -a Input is in ascii encoded form (RFC1113) -i input Define an input file to use (default is stdin) -o output Define an output file to use (default is stdout) $ pp -t pkcs7 -o replace -i replace.pl pp: problem converting data (security library: improperly formatted DER-encoded message.) Every other -t setting produces the same output apart from private-key, what am I doing wrong? (Sorry, I don't know perl at all) $ pp -t private-key -o replace -i replace.pl pp: don't know how to print out 'private-key' files
/usr/bin/pp is from the package nss (Netscape Security Services). /usr/bin/pp.pl is from perl-PAR-Packer. strace -f -ostrace.txt pp.pl /usr/sbin/convertsession grep -e tmp -e temp strace.txt|grep open|less All of the temp files seem to have random parts in the names, so I'm not seeing the problem, using the release version of the packages.
CC: (none) => davidwhodgins
Created attachment 1457 [details] helloworld.pl x86_64 Before ------ $ strace -o strace.out pp.pl --par helloworld.pl $ grep tmp strace.out No output $ strace -o strace.out perl -MPAR=./a.par helloworld.pl content-type: text/html Hello, World! $ grep tmp strace.out stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0 stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0 mkdir("/tmp/par-claire", 0755) = -1 EEXIST (File exists) mkdir("/tmp/par-claire/cache-c4e25d77dacf13d36aaf9fcb80292975dfc85720", 0755) = $ strace -o strace.out parl ./a.par content-type: text/html Hello, World! $ grep tmp strace.out Shows alot of use of the randomised cache directory but within the chmod'd 777 /tmp/par-claire/ After ----- $ rm a.out rm: remove regular file `a.out'? y $ strace -o strace.out pp.pl --par helloworld.pl $ grep tmp strace.out $ perl -MPAR=./a.par helloworld.pl private subdirectory /tmp/par-claire is unsafe (please remove it and retry your operation) at /usr/lib/perl5/vendor_perl/5.12.3/PAR/SetupTemp.pm line 117. unable to create cache directory at /usr/lib/perl5/vendor_perl/5.12.3/PAR/SetupTemp.pm line 47. BEGIN failed--compilation aborted. # rm -rf /tmp/par-claire $ strace -o strace.out perl -MPAR=./a.par helloworld.pl content-type: text/html Hello, World! $ grep tmp strace.out stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0 stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0 mkdir("/tmp/par-claire", 0700) = 0 lstat("/tmp/par-claire", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 mkdir("/tmp/par-claire/cache-c4e25d77dacf13d36aaf9fcb80292975dfc85720", 0700) = 0 $ ll /tmp | grep par drwx------ 3 claire claire 4096 Jan 29 15:18 par-claire/ Testing complete x86_64
Testing complete on i586. Could someone from the sysadmin team push the srpms perl-PAR-1.2.0-1.1.mga1.src.rpm perl-PAR-Packer-1.9.0-1.1.mga1.src.rpm from Core Updates Testing to Core Updates. Advisory: Updated perl-PAR and perl-PAR-Packer packages fix security vulnerabilities: The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-4114). The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program (CVE-2011-5060). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5060 https://bugs.mageia.org/show_bug.cgi?id=4313
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Hardware: i586 => All
update pushed
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED