Bug 1062424 (CVE-2014-1875)

Summary: CVE-2014-1875 perl-Capture-Tiny: insecure temporary file usage
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: drieden, jplesnik, mmaslano, mmcgrath, nobody+bgollahe, perl-devel, perl-maint-list, ppisar, psabata, tdawson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl-Capture-Tiny 0.24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-01 02:20:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1062426, 1062427, 1063306    
Bug Blocks: 1062425    

Description Martin Prpič 2014-02-06 22:03:29 UTC 
It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files:

./lib/Capture/Tiny.pm:  $stash->{flag_files}{$which} = scalar tmpnam();

This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.

This issue has been reported upstream [2], but has not yet been fixed.

[1] http://seclists.org/oss-sec/2014/q1/267
[2] https://github.com/dagolden/Capture-Tiny/issues/16
Comment 2 Martin Prpič 2014-02-06 22:16:46 UTC 
Created perl-Capture-Tiny tracking bugs for this issue:

Affects: fedora-all [bug 1062426]
Comment 3 Murray McAllister 2014-02-07 05:59:29 UTC 
This issue was assigned CVE-2014-1875: http://seclists.org/oss-sec/2014/q1/272
Comment 4 Petr Pisar 2014-02-10 07:27:09 UTC 
Reproducer:

$ strace -fq -e open -- perl -MCapture::Tiny -e 'Capture::Tiny::tee_stdout { print qq{foo\n} }' 2>&1 | grep 'O_CREAT' | grep -v O_EXCL
[pid  8578] open("/tmp/uAM1hQ9lbl", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

There shouldn't be any open(, O_CREAT) without O_EXCL.

Fixed with upstream commit <https://github.com/dagolden/Capture-Tiny/commit/635c9eabd52ab8042b0c841823bd6e692de87924> and released in 0.24 <http://cpansearch.perl.org/src/DAGOLDEN/Capture-Tiny-0.24/Changes>. This fix creates new files with O_EXCL flag.
Comment 6 Fedora Update System 2014-02-22 00:49:43 UTC 
perl-Capture-Tiny-0.24-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-02-22 01:00:27 UTC 
perl-Capture-Tiny-0.24-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.