Bug 758866 (CVE-2011-4363)

Summary: CVE-2011-4363 perl-Proc-ProcessTable: unsafe temporary file usage
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andreas, jlieskov, jrusnack, perl-devel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20111130,reported=20111130,source=debian,cvss2=3.3/AV:L/AC:M/Au:N/C:N/I:P/A:P,epel-all/perl-Proc-ProcessTable=affected,fedora-all/perl-Proc-ProcessTable=affected,cwe=CWE-377
Fixed In Version: perl-Proc-ProcessTable 0.48 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-08 17:21:11 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 758868, 758869    
Bug Blocks:    

Description Vincent Danen 2011-11-30 15:52:03 EST
It was reported [1] that the perl Proc::ProcessTable module would cache TTY information insecurely, using the predictable file name /tmp/TTYDEVS, which could allow an attacker to overwrite arbitrary files due to a race condition.  Caching is not enabled by default.

The relevant codepath can be reached using:

$ perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

The flaw is in ProcessTable.pm:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Comment 1 Vincent Danen 2011-11-30 15:53:50 EST
0.45 is the latest upstream version and was released in 2008; I don't think upstream will be providing a fix for this judging by the number of open bug reports.

A CVE was also requested:

http://seclists.org/oss-sec/2011/q4/439
Comment 2 Vincent Danen 2011-11-30 15:54:29 EST
Created perl-Proc-ProcessTable tracking bugs for this issue

Affects: epel-all [bug 758868]
Affects: fedora-all [bug 758869]
Comment 3 Vincent Danen 2011-11-30 16:04:28 EST
This was assigned the name CVE-2011-4363:

http://seclists.org/oss-sec/2011/q4/440
Comment 5 Vincent Danen 2013-07-24 13:11:23 EDT
This looks to be the fix:

https://github.com/jwbargsten/perl-proc-processtable/commit/89f27a6d47df79b8bdb93781ba3247d7a5123165

And is corrected in upstream version 0.48
Comment 6 Fedora Update System 2013-08-02 17:52:09 EDT
perl-Proc-ProcessTable-0.48-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-08-02 18:02:17 EDT
perl-Proc-ProcessTable-0.48-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.