Bug 178989 - CAN-2005-0077 perl-DBI insecure temporary file usage
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: perl-DBI (Show other bugs)
Version: unspecified
Hardware: All, OS: Linux
Priority: low
Severity: low
Assigned To: Fedora Legacy Bugs
Whiteboard: impact=low, LEGACY, rh73, rh90, 1, 2
Keywords: Security
Reported: 2006-01-25 21:52 EST by David Eisenstein
Modified: 2006-04-24 13:19 EDT (History)
Last Closed: 2006-03-01 20:15:54 EST
Description David Eisenstein 2006-01-25 21:52:12 EST
+++ This bug was initially created as a clone of Bug #145577 +++

Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary file in an insecure manner.  This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the program.

Patch attached that will remove the use of this pid file.

-- Additional comment from bressers@redhat.com on 2005-01-19 16:14 EST --
Created an attachment (id=109991)  (Attachment 109991 [details])
Proposed patch for this issue.

<<snip>>
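The failure class the report above describes (a temporary file created at a predictable path that a local attacker can pre-plant as a symlink, so the victim's own open() clobbers a file of the attacker's choosing) and the two standard fixes, as an added example. This is not the bug report's patch and not DBI's code: DBI is Perl, and the example is Python only because the open(2) flags, not the language, are the point. The file name dbiproxy.pid, the victim file and the sandbox directory standing in for /tmp are constructed for the demonstration; nothing outside a throwaway directory is touched.

```python
"""Symlink attack on a predictable temp/PID file, and the hardened open.

Added example, not DBI's own code. A throwaway directory stands in for /tmp
so the demo runs offline and touches nothing on the real system.
"""
import os
import tempfile


def plant_symlink(tmp_dir: str, predictable_name: str, target: str) -> str:
    """Attacker step: pre-create the predictable path as a symlink to a file
    the victim can write but the attacker cannot (e.g. one of the victim's
    dotfiles). In the demo both sides are the same user, which is fine for
    showing the mechanism."""
    link = os.path.join(tmp_dir, predictable_name)
    os.symlink(target, link)
    return link


def write_pid_insecure(path: str) -> bool:
    """Vulnerable pattern: fixed name, plain open for writing.
    open(..., 'w') resolves the symlink, truncates the target and writes into it."""
    try:
        with open(path, "w") as fh:
            fh.write(f"{os.getpid()}\n")
        return True
    except OSError:
        return False


def write_pid_secure(path: str) -> bool:
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already sits at
    path (including a dangling symlink); O_NOFOLLOW refuses a symlink outright
    where the platform supports it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o644)
    except OSError:  # EEXIST or ELOOP: refuse rather than write through the link
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{os.getpid()}\n")
    return True


def write_pid_private(tmp_dir: str) -> str:
    """Other fix: an unpredictable name created atomically (mkstemp uses
    O_CREAT|O_EXCL underneath), so there is no path for the attacker to plant."""
    fd, path = tempfile.mkstemp(prefix="dbiproxy.", suffix=".pid", dir=tmp_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{os.getpid()}\n")
    return path


def demo() -> dict:
    """Run the attack against both writers; report what happened to the victim file."""
    original = "original contents\n"
    with tempfile.TemporaryDirectory() as sandbox:  # stands in for /tmp
        victim = os.path.join(sandbox, "victim_dotfile")  # constructed target
        with open(victim, "w") as fh:
            fh.write(original)

        link = plant_symlink(sandbox, "dbiproxy.pid", victim)  # assumed name

        insecure_ok = write_pid_insecure(link)
        with open(victim) as fh:
            after_insecure = fh.read()

        # Reset the victim and retry the hardened writer against the same link.
        with open(victim, "w") as fh:
            fh.write(original)
        secure_ok = write_pid_secure(link)
        with open(victim) as fh:
            after_secure = fh.read()

        private = write_pid_private(sandbox)
        private_ok = os.path.isfile(private) and not os.path.islink(private)

        return {
            "insecure_wrote": insecure_ok,            # True: the write "succeeded"
            "victim_clobbered": after_insecure != original,  # True: into the victim's file
            "secure_wrote": secure_ok,                # False: O_EXCL/O_NOFOLLOW refused
            "victim_intact": after_secure == original,
            "private_ok": private_ok,                 # mkstemp path is a real file
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Removing the file entirely, as the attached patch does, is the simplest fix of all. One caveat when reproducing this on a current Linux box: with fs.protected_symlinks=1 (default since kernel 3.6) the kernel refuses to follow a symlink in a sticky world-writable directory such as /tmp unless the link owner matches the follower or the directory owner, which blocks this specific attack in /tmp even for the insecure writer; O_EXCL|O_NOFOLLOW and mkstemp remain the portable fix for paths that setting does not cover.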
Comment 1 David Eisenstein 2006-01-25 21:59:54 EST
On 2005-02-01, Red Hat issued RHSA-2005-069 for this issue:
   http://rhn.redhat.com/errata/RHSA-2005-069.html

On 2005-02-15, Red Hat issued RHSA-2005-072 for this issue:
   http://rhn.redhat.com/errata/RHSA-2005-072.html
Comment 2 Marc Deslauriers 2006-02-18 20:30:32 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

861e7b17a5c9f830fb6444ffc061bc8b34caacd8  7.3/perl-DBI-1.21-1.1.legacy.i386.rpm
4bc8000341291476c209653ee8f51125b2074d72  7.3/perl-DBI-1.21-1.1.legacy.src.rpm
0a456f49dbf0a48fcb8c11584067fa9e04a7f655  9/perl-DBI-1.32-5.1.legacy.i386.rpm
6de844ee989ff0ba939eb21137b1d912da16c43b  9/perl-DBI-1.32-5.1.legacy.src.rpm
ba1769d36dbe33895455a03381afbd1cb1631f89  1/perl-DBI-1.37-1.1.legacy.i386.rpm
4ee3113def0de25f700a6b39c9f1069afe8bd7c5  1/perl-DBI-1.37-1.1.legacy.src.rpm
3b5267c54a9e08192fdabcf5b018c697b3a2f641  2/perl-DBI-1.40-4.1.legacy.i386.rpm
cb4ad3208bbf3317278ca16025a59465c939fb44  2/perl-DBI-1.40-4.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/perl-DBI-1.21-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/perl-DBI-1.32-5.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/perl-DBI-1.37-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/perl-DBI-1.40-4.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD98vpLMAs/0C4zNoRAnuHAJ0fuQxXLbwqYyPWSpWUeWGMD3EiMwCgoLp1
b6P2oX0H+8g6+kXubw+qa5s=
=tKno
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2006-02-19 03:22:50 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare-.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

4bc8000341291476c209653ee8f51125b2074d72  perl-DBI-1.21-1.1.legacy.src.rpm
6de844ee989ff0ba939eb21137b1d912da16c43b  perl-DBI-1.32-5.1.legacy.src.rpm
4ee3113def0de25f700a6b39c9f1069afe8bd7c5  perl-DBI-1.37-1.1.legacy.src.rpm
cb4ad3208bbf3317278ca16025a59465c939fb44  perl-DBI-1.40-4.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD+Cv3GHbTkzxSL7QRAi93AJ9gK8hE5NaLdgBAJfoH7BzR9rsHGwCfb8xV
N+66LZ58CyR7wc0s52JEtlE=
=S9+S
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2006-02-20 19:51:58 EST
Packages were pushed to updates-testing
Comment 5 Donald Maner 2006-02-23 23:33:47 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

fc1:
50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm

fc2:
69a623c7db409341705bfc125b5fd6f0c056af7b  perl-DBI-1.40-4.1.legacy.i386.rpm

Packages installed fine.  Performed QA using ikonboard 3.1.1 forums.  MySQL
database on fc4 box.  Forum testing worked fine, was able to post, read and
search successfully.

+VERIFY fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD/o3/pxMPKJzn2lIRAsu6AJ0TvW0/I3Rd38O7OGf6ARs4gWfPfgCguzWT
OumdZ39XLxueEFhLSTAf9J4=
=QWnF
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2006-02-24 00:56:50 EST
Thanks!
Comment 7 Tres Seaver 2006-02-24 13:15:44 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages tested:

  3267a9d83ac3cadcfa650b1625cf5c458adb5540  perl-5.8.3-17.5.legacy.i386.rpm
  50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm


  - SHA1 checksums and GPG signatures verified.

  - Both packages installed cleanly.

  - Webmin ran fine after the update (I was able to log in, browse MySQL
    databases, etc.)

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD/04p+gerLs4ltQ4RAn+vAKC3igyTHtvW8Wo35L6bAh1V1neKjgCgpJRF
Tx5iOTu8q8ic43G1Z466ZC0=
=1+Cq
-----END PGP SIGNATURE-----
Comment 8 Pekka Savola 2006-02-25 02:56:54 EST
Thanks!
Comment 9 Pekka Savola 2006-02-28 09:42:29 EST
Timeout over.
Comment 10 Marc Deslauriers 2006-03-01 20:15:54 EST
Packages were released.
