Bug 818386 (CVE-2012-2451)

Summary: CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jrusnack, perl-devel, tcallawa
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120502,reported=20120502,source=oss-security,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,fedora-all/perl-Config-IniFiles=affected,epel-all/perl-Config-IniFiles=affected,rhn_satellite_5.4/perl-Config-IniFiles=wontfix,rhn_proxy_5.3/perl-Config-IniFiles=wontfix,cwe=CWE-377
Doc Type: Bug Fix
Last Closed: 2012-05-29 05:36:42 EDT
Bug Depends On: 818430, 818431    
Bug Blocks: 818429    
Attachments:
Patch extracted from upstream mercurial repository (flags: none)

Description Vincent Danen 2012-05-02 18:40:41 EDT
perl-Config-IniFiles used a predictable temporary file name (${filename}-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.
Comment 1 Vincent Danen 2012-05-03 00:30:34 EDT
Created perl-Config-IniFiles tracking bugs for this issue

Affects: fedora-all [bug 818430]
Affects: epel-all [bug 818431]
Comment 2 Stefan Cornelius 2012-05-03 03:31:26 EDT
Created attachment 581791
Patch extracted from upstream mercurial repository

Adding this as a quick reference (the bitbucket.org interface does not display it correctly for me).
Comment 3 Tomas Hoger 2012-05-03 03:57:57 EDT
Adding forgotten references:

https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671255
http://thread.gmane.org/gmane.comp.security.oss.general/7576

Calling this security sounds like a bit of a stretch to me. A temporary file does have a predictable name and is created in a way that would allow a symlink attack; however, it is created in the same directory as the resulting .ini file should be in (or the existing file to be overwritten is located in). Hence it is rather unlikely the module is used in a way that would expose this problem, and using config files located in a directory writable to other untrusted users is likely to have other issues.
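
The write pattern from the Description and Comment 3, next to a hardened form, as an added example that is not part of this bug report, the Config::IniFiles source, or the upstream patch. The sub names, the `.ini-XXXXXXXX` template and the scratch files are assumptions made for illustration; the demo runs entirely inside a private temporary directory.

```perl
#!/usr/bin/perl
# Added example: not the Config::IniFiles code and not the upstream patch.
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Pattern from the bug description: the temporary name is "${filename}-new",
# and a plain open-for-write follows whatever already exists at that path.
sub write_predictable {
    my ($filename, $content) = @_;
    my $tmp = "${filename}-new";
    open(my $fh, '>', $tmp) or die "open $tmp: $!";
    print {$fh} $content;
    close($fh) or die "close $tmp: $!";
    rename($tmp, $filename) or die "rename: $!";
}

# Hardened pattern (assumed here): File::Temp picks an unpredictable name in
# the same directory and opens it with O_CREAT|O_EXCL, so a pre-existing file
# or symlink at that name makes the open fail instead of being followed.
sub write_atomic {
    my ($filename, $content) = @_;
    my ($fh, $tmp) = tempfile('.ini-XXXXXXXX', DIR => dirname($filename), UNLINK => 0);
    print {$fh} $content;
    close($fh) or die "close $tmp: $!";
    rename($tmp, $filename) or do { unlink $tmp; die "rename: $!" };
}

# Constructed demo: all paths live in a scratch directory removed on exit.
my $dir    = tempdir(CLEANUP => 1);
my $ini    = "$dir/app.ini";      # hypothetical config file
my $victim = "$dir/victim.txt";   # stands in for "another file writable by the user"

for my $case ([predictable => \&write_predictable], [atomic => \&write_atomic]) {
    my ($name, $writer) = @$case;
    open(my $v, '>', $victim) or die $!; print {$v} "original\n"; close $v;
    unlink $ini, "${ini}-new";
    symlink($victim, "${ini}-new") or die "symlink: $!";   # link already present
    eval { $writer->($ini, "[section]\nkey=value\n"); 1 } or warn "$name: $@";
    open(my $r, '<', $victim) or die $!;
    my $got = do { local $/; <$r> };
    close $r;
    printf "%-12s victim file %s\n", $name, $got eq "original\n" ? 'intact' : 'OVERWRITTEN';
}
```

File::Temp creates the file with mode 0600, so a caller that needs the resulting .ini readable by other accounts has to chmod it before the rename. Keeping the temporary file in the target's own directory keeps the rename on one filesystem, which is why the safety of the whole operation still depends on who can write to that directory, as Comment 3 points out.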
Comment 4 Stefan Cornelius 2012-05-03 05:07:50 EDT
rhn_proxy_5.3 and rhn_satellite_5.3 (currently can't check 5.4) contain a vulnerable perl-Config-IniFiles package, but only use it to write into directories that are presumably protected. On top of that, there should be no untrusted users on rhn_satellite anyway, so this is not an issue for those products.
Comment 5 Vincent Danen 2012-05-28 12:59:28 EDT
perl-Config-IniFiles-2.72-1.fc16 has been submitted as an update for Fedora 16.

perl-Config-IniFiles-2.72-1.el5 has been submitted as an update for Fedora EPEL 5.

perl-Config-IniFiles-2.72-1.fc17 has been submitted as an update for Fedora 17.

perl-Config-IniFiles-2.72-1.el6 has been submitted as an update for Fedora EPEL 6.

perl-Config-IniFiles-2.72-1.fc15 has been submitted as an update for Fedora 15.
Comment 6 Vincent Danen 2012-05-28 13:00:00 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Network Proxy or Red Hat Network Satellite. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.