Bug 753955 - (CVE-2011-4114, CVE-2011-5060) CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary directory handling
CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary dire...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20110718,reported=2...
: Security
Depends On: 753957 760132
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-14 17:54 EST by Vincent Danen
Modified: 2013-05-08 13:48 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-08 13:48:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix for perl-PAR (2.60 KB, patch)
2011-12-01 09:52 EST, Petr Pisar
no flags Details | Diff
Fix for perl-PAR-Packer ported to 1.010 version (2.93 KB, patch)
2011-12-06 09:05 EST, Petr Pisar
no flags Details | Diff

  None (edit)
Description Vincent Danen 2011-11-14 17:54:07 EST
It was reported [1] that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packged program.  PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions.

Upstream's response is to use per-user temporary directories, so there is currently no upstream patch.

[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560
Comment 1 Vincent Danen 2011-11-14 17:55:44 EST
Created perl-PAR-Packer tracking bugs for this issue

Affects: fedora-all [bug 753957]
Comment 2 Petr Pisar 2011-12-01 09:18:18 EST
`PAR' (<http://search.cpan.org/~rschupp/PAR/>, packaged as perl-PAR in Fedora) author recognized this vulnerability in PAR too (this is related but different piece of code from PAR::Packer) and fixed it in version 1.003:

[Changes for 1.003 - Nov 28, 2011]
  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     (Note: this bug was originally reported against PAR::Packer, but
     it applies to PAR as well)
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

Fixed perl-PAR version is available in F17 only at this moment.
Comment 3 Petr Pisar 2011-12-01 09:52:57 EST
Created attachment 539232 [details]
Fix for perl-PAR

This is fix for this issue extracted from PAR upstream development tree (as can be seen in PAR-1.004).
Comment 4 Petr Pisar 2011-12-02 09:48:55 EST
Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in change log this version fixes this issue:

[Changes for 1.011 - Dec 1, 2011]
* Bug fixes, etc.

  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

  - depend on PAR 1.004 (which contains the other half of the
    fix for CVE-2011-4114)

and that complete fix requires PAR-1.004 (advertised here in commet #2).

As you can see upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point and assumptions parent directory is safe is one of this.
Comment 6 Jan Lieskovsky 2011-12-05 08:59:21 EST
Created perl-PAR tracking bugs for this issue

Affects: fedora-all [bug 760132]
Comment 8 Petr Pisar 2011-12-06 09:05:44 EST
Created attachment 541406 [details]
Fix for perl-PAR-Packer ported to 1.010 version
Comment 9 Petr Pisar 2011-12-06 09:23:39 EST
How to test:

Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create an other user's symlink). Create a PAR archive from a perl script (pp --par SCRIPT).

Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by running `parl ./a.par'.

For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=.

For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.)
Comment 10 Fedora Update System 2011-12-21 11:56:51 EST
perl-PAR-1.002-4.fc15, perl-PAR-Packer-1.008-4.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2011-12-21 11:58:17 EST
perl-PAR-1.002-5.fc16, perl-PAR-Packer-1.010-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Vincent Danen 2012-01-13 15:21:21 EST
CVE-2011-4114 is specific to PAR::Packer and CVE-2011-5060 was assigned specifically to PAR.

Note You need to log in before you can comment on or make changes to this bug.