[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 --- Comment #11 from Fedora Update System upda...@fedoraproject.org 2011-12-21 11:58:17 EST --- perl-PAR-1.002-5.fc16, perl-PAR-Packer-1.010-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Bug 753955 depends on bug 760132, which changed state. Bug 760132 Summary: CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=760132 What|Old Value |New Value Resolution||ERRATA Status|ON_QA |CLOSED Bug 753955 depends on bug 753957, which changed state. Bug 753957 Summary: CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=753957 What|Old Value |New Value Status|ON_QA |CLOSED Resolution||ERRATA --- Comment #10 from Fedora Update System upda...@fedoraproject.org 2011-12-21 11:56:51 EST --- perl-PAR-1.002-4.fc15, perl-PAR-Packer-1.008-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 --- Comment #9 from Petr Pisar ppi...@redhat.com 2011-12-06 09:23:39 EST --- How to test: Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create an other user's symlink). Create a PAR archive from a perl script (pp --par SCRIPT). Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by running `parl ./a.par'. For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=. For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.) -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Jan Lieskovsky jlies...@redhat.com changed: What|Removed |Added Status Whiteboard|impact=low,public=20110718, |impact=low,public=20110718, |reported=2004,source=os |reported=2004,source=os |s-security,cvss2=1.9/AV:L/A |s-security,cvss2=1.9/AV:L/A |C:M/Au:N/C:N/I:P/A:N,fedora |C:M/Au:N/C:N/I:P/A:N,fedora |-all/perl-PAR-Packer=affect |-all/perl-PAR-Packer=affect |ed |ed,fedora-all/perl-PAR=affe ||cted -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Jan Lieskovsky jlies...@redhat.com changed: What|Removed |Added CC||jlies...@redhat.com -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Jan Lieskovsky jlies...@redhat.com changed: What|Removed |Added Depends on||760132 --- Comment #6 from Jan Lieskovsky jlies...@redhat.com 2011-12-05 08:59:21 EST --- Created perl-PAR tracking bugs for this issue Affects: fedora-all [bug 760132] -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 --- Comment #4 from Petr Pisar ppi...@redhat.com 2011-12-02 09:48:55 EST --- Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in change log this version fixes this issue: [Changes for 1.011 - Dec 1, 2011] * Bug fixes, etc. - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 - if it already exists, make sure that (and bail out if not) - it's not a symlink - it's mode 0700 - it's owned by USER - depend on PAR 1.004 (which contains the other half of the fix for CVE-2011-4114) and that complete fix requires PAR-1.004 (advertised here in commet #2). As you can see upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point and assumptions parent directory is safe is one of this. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Petr Pisar ppi...@redhat.com changed: What|Removed |Added CC||ppi...@redhat.com --- Comment #2 from Petr Pisar ppi...@redhat.com 2011-12-01 09:18:18 EST --- `PAR' (http://search.cpan.org/~rschupp/PAR/, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003: [Changes for 1.003 - Nov 28, 2011] - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories (Note: this bug was originally reported against PAR::Packer, but it applies to PAR as well) - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 - if it already exists, make sure that (and bail out if not) - it's not a symlink - it's mode 0700 - it's owned by USER Fixed perl-PAR version is available in F17 only at this moment. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=753955 Vincent Danen vda...@redhat.com changed: What|Removed |Added CC||fedora-perl-devel-list@redh ||at.com, mmasl...@redhat.com -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are on the CC list for the bug. -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel