Bug 753955 (CVE-2011-4114, CVE-2011-5060)

Summary: CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary directory handling
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, mmaslano, perl-devel, ppisar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-08 17:48:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 753957, 760132    
Bug Blocks:    
Attachments:
Description Flags
Fix for perl-PAR
none
Fix for perl-PAR-Packer ported to 1.010 version none

Description Vincent Danen 2011-11-14 22:54:07 UTC 
It was reported [1] that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packged program.  PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions.

Upstream's response is to use per-user temporary directories, so there is currently no upstream patch.

[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560
Comment 1 Vincent Danen 2011-11-14 22:55:44 UTC 
Created perl-PAR-Packer tracking bugs for this issue

Affects: fedora-all [bug 753957]
Comment 2 Petr Pisar 2011-12-01 14:18:18 UTC 
`PAR' (<http://search.cpan.org/~rschupp/PAR/>, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003:

[Changes for 1.003 - Nov 28, 2011]
  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     (Note: this bug was originally reported against PAR::Packer, but
     it applies to PAR as well)
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

Fixed perl-PAR version is available in F17 only at this moment.
Comment 3 Petr Pisar 2011-12-01 14:52:57 UTC 
Created attachment 539232 [details]
Fix for perl-PAR

This is fix for this issue extracted from PAR upstream development tree (as can be seen in PAR-1.004).
Comment 4 Petr Pisar 2011-12-02 14:48:55 UTC 
Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in change log this version fixes this issue:

[Changes for 1.011 - Dec 1, 2011]
* Bug fixes, etc.

  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

  - depend on PAR 1.004 (which contains the other half of the
    fix for CVE-2011-4114)

and that complete fix requires PAR-1.004 (advertised here in commet #2).

As you can see upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point and assumptions parent directory is safe is one of this.
Comment 6 Jan Lieskovsky 2011-12-05 13:59:21 UTC 
Created perl-PAR tracking bugs for this issue

Affects: fedora-all [bug 760132]
Comment 8 Petr Pisar 2011-12-06 14:05:44 UTC 
Created attachment 541406 [details]
Fix for perl-PAR-Packer ported to 1.010 version
Comment 9 Petr Pisar 2011-12-06 14:23:39 UTC 
How to test:

Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create an other user's symlink). Create a PAR archive from a perl script (pp --par SCRIPT).

Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by running `parl ./a.par'.

For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=.

For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.)
Comment 10 Fedora Update System 2011-12-21 16:56:51 UTC 
perl-PAR-1.002-4.fc15, perl-PAR-Packer-1.008-4.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2011-12-21 16:58:17 UTC 
perl-PAR-1.002-5.fc16, perl-PAR-Packer-1.010-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Vincent Danen 2012-01-13 20:21:21 UTC 
CVE-2011-4114 is specific to PAR::Packer and CVE-2011-5060 was assigned specifically to PAR.