Bug 818386 (CVE-2012-2451)
| Summary: | CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | jrusnack, perl-devel, tcallawa | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-05-29 09:36:42 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 818430, 818431 | ||||||
| Bug Blocks: | 818429 | ||||||
| Attachments: |
|
||||||
Created perl-Config-IniFiles tracking bugs for this issue Affects: fedora-all [bug 818430] Affects: epel-all [bug 818431] Created attachment 581791 [details]
Patch extracted from upstream mercurial repository
Adding this as a quick reference (the bitbucket.org interface does not display it correctly for me).
Adding forgotten references: https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671255 http://thread.gmane.org/gmane.comp.security.oss.general/7576 Calling this security sounds bit of a stretch to me. A temporary file does have predictable name and is created in a way that would allow symlink attack, however, it is created in the same directory as the resulting .ini file should be in (or the existing file to be overwritten is located in). Hence it is rather unlikely the module is used in a way that would expose this problem, and using config files located in a directory writable to other untrusted users is likely to have other issues. rhn_proxy_5.3 and rhn_satellite_5.3 (currently can't check 5.4) contain a vulnerable perl-Config-IniFiles package, but only use it to write into directories that are presumably protected. On top of that, there should be no untrusted users on rhn_satellite anyway, so this is not an issue for those products. perl-Config-IniFiles-2.72-1.fc16 has been submitted as an update for Fedora 16. perl-Config-IniFiles-2.72-1.el5 has been submitted as an update for Fedora EPEL 5. perl-Config-IniFiles-2.72-1.fc17 has been submitted as an update for Fedora 17. perl-Config-IniFiles-2.72-1.el6 has been submitted as an update for Fedora EPEL 6. perl-Config-IniFiles-2.72-1.fc15 has been submitted as an update for Fedora 15. Statement: The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Network Proxy or Red Hat Network Satellite. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |
perl-Config-IniFiles used a predicatable temporary file name (${filename}-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.