Bug 758866 (CVE-2011-4363)

Summary: CVE-2011-4363 perl-Proc-ProcessTable: unsafe temporary file usage
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andreas, jlieskov, jrusnack, perl-devel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl-Proc-ProcessTable 0.48 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-08 21:21:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 758868, 758869    
Bug Blocks:    

Description Vincent Danen 2011-11-30 20:52:03 UTC 
It was reported [1] that the perl Proc::ProcessTable module would cache TTY information insecurely, using the predictable file name /tmp/TTYDEVS, which could allow an attacker to overwrite arbitrary files due to a race condition.  Caching is not enabled by default.

The relevant codepath can be reached using:

$ perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

The flaw is in ProcessTable.pm:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Comment 1 Vincent Danen 2011-11-30 20:53:50 UTC 
0.45 is the latest upstream version and was released in 2008; I don't think upstream will be providing a fix for this judging by the number of open bug reports.

A CVE was also requested:

http://seclists.org/oss-sec/2011/q4/439
Comment 2 Vincent Danen 2011-11-30 20:54:29 UTC 
Created perl-Proc-ProcessTable tracking bugs for this issue

Affects: epel-all [bug 758868]
Affects: fedora-all [bug 758869]
Comment 3 Vincent Danen 2011-11-30 21:04:28 UTC 
This was assigned the name CVE-2011-4363:

http://seclists.org/oss-sec/2011/q4/440
Comment 4 Jan Lieskovsky 2012-10-08 09:01:03 UTC 
Upstream ticket:
  https://rt.cpan.org/Public/Bug/Display.html?id=72862

Other references:
  http://www.securityfocus.com/bid/50868
  http://www.osvdb.org/77428
  http://secunia.com/advisories/47015
Comment 5 Vincent Danen 2013-07-24 17:11:23 UTC 
This looks to be the fix:

https://github.com/jwbargsten/perl-proc-processtable/commit/89f27a6d47df79b8bdb93781ba3247d7a5123165

And is corrected in upstream version 0.48
Comment 6 Fedora Update System 2013-08-02 21:52:09 UTC 
perl-Proc-ProcessTable-0.48-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-08-02 22:02:17 UTC 
perl-Proc-ProcessTable-0.48-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.