Bug 818386 (CVE-2012-2451) - CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage
Summary: CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2451
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 818430 818431
Blocks: 818429
TreeView+ depends on / blocked
 
Reported: 2012-05-02 22:40 UTC by Vincent Danen
Modified: 2019-09-29 12:52 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-29 09:36:42 UTC


Attachments (Terms of Use)
Patch extracted from upstream mercurial repository (2.06 KB, patch)
2012-05-03 07:31 UTC, Stefan Cornelius
no flags Details | Diff

Description Vincent Danen 2012-05-02 22:40:41 UTC
perl-Config-IniFiles used a predicatable temporary file name (${filename}-new) which makes it prone to a symlink attack.  If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.

Comment 1 Vincent Danen 2012-05-03 04:30:34 UTC
Created perl-Config-IniFiles tracking bugs for this issue

Affects: fedora-all [bug 818430]
Affects: epel-all [bug 818431]

Comment 2 Stefan Cornelius 2012-05-03 07:31:26 UTC
Created attachment 581791 [details]
Patch extracted from upstream mercurial repository

Adding this as a quick reference (the bitbucket.org interface does not display it correctly for me).

Comment 3 Tomas Hoger 2012-05-03 07:57:57 UTC
Adding forgotten references:

https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671255
http://thread.gmane.org/gmane.comp.security.oss.general/7576

Calling this security sounds bit of a stretch to me.  A temporary file does have predictable name and is created in a way that would allow symlink attack, however, it is created in the same directory as the resulting .ini file should be in (or the existing file to be overwritten is located in).  Hence it is rather unlikely the module is used in a way that would expose this problem, and using config files located in a directory writable to other untrusted users is likely to have other issues.

Comment 4 Stefan Cornelius 2012-05-03 09:07:50 UTC
rhn_proxy_5.3 and rhn_satellite_5.3 (currently can't check 5.4) contain a vulnerable perl-Config-IniFiles package, but only use it to write into directories that are presumably protected. On top of that, there should be no untrusted users on rhn_satellite anyway, so this is not an issue for those products.

Comment 5 Vincent Danen 2012-05-28 16:59:28 UTC
perl-Config-IniFiles-2.72-1.fc16 has been submitted as an update for Fedora 16.

perl-Config-IniFiles-2.72-1.el5 has been submitted as an update for Fedora EPEL 5.

perl-Config-IniFiles-2.72-1.fc17 has been submitted as an update for Fedora 17.

perl-Config-IniFiles-2.72-1.el6 has been submitted as an update for Fedora EPEL 6.

perl-Config-IniFiles-2.72-1.fc15 has been submitted as an update for Fedora 15.

Comment 6 Vincent Danen 2012-05-28 17:00:00 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Network Proxy or Red Hat Network Satellite. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.