Bug 753955 (CVE-2011-4114, CVE-2011-5060) - CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary directory handling
Summary: CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary dire...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4114, CVE-2011-5060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20110718,reported=2...
Depends On: 753957 760132
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-14 22:54 UTC by Vincent Danen
Modified: 2019-06-08 18:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 17:48:15 UTC


Attachments (Terms of Use)
Fix for perl-PAR (2.60 KB, patch)
2011-12-01 14:52 UTC, Petr Pisar
no flags Details | Diff
Fix for perl-PAR-Packer ported to 1.010 version (2.93 KB, patch)
2011-12-06 14:05 UTC, Petr Pisar
no flags Details | Diff

Description Vincent Danen 2011-11-14 22:54:07 UTC
It was reported [1] that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packged program.  PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions.

Upstream's response is to use per-user temporary directories, so there is currently no upstream patch.

[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560

Comment 1 Vincent Danen 2011-11-14 22:55:44 UTC
Created perl-PAR-Packer tracking bugs for this issue

Affects: fedora-all [bug 753957]

Comment 2 Petr Pisar 2011-12-01 14:18:18 UTC
`PAR' (<http://search.cpan.org/~rschupp/PAR/>, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003:

[Changes for 1.003 - Nov 28, 2011]
  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     (Note: this bug was originally reported against PAR::Packer, but
     it applies to PAR as well)
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

Fixed perl-PAR version is available in F17 only at this moment.

Comment 3 Petr Pisar 2011-12-01 14:52:57 UTC
Created attachment 539232 [details]
Fix for perl-PAR

This is fix for this issue extracted from PAR upstream development tree (as can be seen in PAR-1.004).

Comment 4 Petr Pisar 2011-12-02 14:48:55 UTC
Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in change log this version fixes this issue:

[Changes for 1.011 - Dec 1, 2011]
* Bug fixes, etc.

  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

  - depend on PAR 1.004 (which contains the other half of the
    fix for CVE-2011-4114)

and that complete fix requires PAR-1.004 (advertised here in commet #2).

As you can see upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point and assumptions parent directory is safe is one of this.

Comment 6 Jan Lieskovsky 2011-12-05 13:59:21 UTC
Created perl-PAR tracking bugs for this issue

Affects: fedora-all [bug 760132]

Comment 8 Petr Pisar 2011-12-06 14:05:44 UTC
Created attachment 541406 [details]
Fix for perl-PAR-Packer ported to 1.010 version

Comment 9 Petr Pisar 2011-12-06 14:23:39 UTC
How to test:

Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create an other user's symlink). Create a PAR archive from a perl script (pp --par SCRIPT).

Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by running `parl ./a.par'.

For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=.

For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.)

Comment 10 Fedora Update System 2011-12-21 16:56:51 UTC
perl-PAR-1.002-4.fc15, perl-PAR-Packer-1.008-4.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-12-21 16:58:17 UTC
perl-PAR-1.002-5.fc16, perl-PAR-Packer-1.010-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Vincent Danen 2012-01-13 20:21:21 UTC
CVE-2011-4114 is specific to PAR::Packer and CVE-2011-5060 was assigned specifically to PAR.


Note You need to log in before you can comment on or make changes to this bug.