It was reported [1] that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packged program. PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions. Upstream's response is to use per-user temporary directories, so there is currently no upstream patch. [1] https://rt.cpan.org/Public/Bug/Display.html?id=69560
Created perl-PAR-Packer tracking bugs for this issue Affects: fedora-all [bug 753957]
`PAR' (<http://search.cpan.org/~rschupp/PAR/>, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003: [Changes for 1.003 - Nov 28, 2011] - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories (Note: this bug was originally reported against PAR::Packer, but it applies to PAR as well) - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 - if it already exists, make sure that (and bail out if not) - it's not a symlink - it's mode 0700 - it's owned by USER Fixed perl-PAR version is available in F17 only at this moment.
Created attachment 539232 [details] Fix for perl-PAR This is fix for this issue extracted from PAR upstream development tree (as can be seen in PAR-1.004).
Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in change log this version fixes this issue: [Changes for 1.011 - Dec 1, 2011] * Bug fixes, etc. - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 - if it already exists, make sure that (and bail out if not) - it's not a symlink - it's mode 0700 - it's owned by USER - depend on PAR 1.004 (which contains the other half of the fix for CVE-2011-4114) and that complete fix requires PAR-1.004 (advertised here in commet #2). As you can see upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point and assumptions parent directory is safe is one of this.
Created perl-PAR tracking bugs for this issue Affects: fedora-all [bug 760132]
Created attachment 541406 [details] Fix for perl-PAR-Packer ported to 1.010 version
How to test: Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create an other user's symlink). Create a PAR archive from a perl script (pp --par SCRIPT). Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by running `parl ./a.par'. For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=. For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.)
perl-PAR-1.002-4.fc15, perl-PAR-Packer-1.008-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
perl-PAR-1.002-5.fc16, perl-PAR-Packer-1.010-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2011-4114 is specific to PAR::Packer and CVE-2011-5060 was assigned specifically to PAR.