Bug 818386 - (CVE-2012-2451) CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage
CVE-2012-2451 perl-Config-IniFiles: insecure temporary file usage
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120502,reported=2...
: Security
Depends On: 818430 818431
Blocks: 818429
  Show dependency treegraph
 
Reported: 2012-05-02 18:40 EDT by Vincent Danen
Modified: 2015-07-31 02:50 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-29 05:36:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch extracted from upstream mercurial repository (2.06 KB, patch)
2012-05-03 03:31 EDT, Stefan Cornelius
no flags Details | Diff

  None (edit)
Description Vincent Danen 2012-05-02 18:40:41 EDT
perl-Config-IniFiles used a predicatable temporary file name (${filename}-new) which makes it prone to a symlink attack.  If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.
Comment 1 Vincent Danen 2012-05-03 00:30:34 EDT
Created perl-Config-IniFiles tracking bugs for this issue

Affects: fedora-all [bug 818430]
Affects: epel-all [bug 818431]
Comment 2 Stefan Cornelius 2012-05-03 03:31:26 EDT
Created attachment 581791 [details]
Patch extracted from upstream mercurial repository

Adding this as a quick reference (the bitbucket.org interface does not display it correctly for me).
Comment 3 Tomas Hoger 2012-05-03 03:57:57 EDT
Adding forgotten references:

https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671255
http://thread.gmane.org/gmane.comp.security.oss.general/7576

Calling this security sounds bit of a stretch to me.  A temporary file does have predictable name and is created in a way that would allow symlink attack, however, it is created in the same directory as the resulting .ini file should be in (or the existing file to be overwritten is located in).  Hence it is rather unlikely the module is used in a way that would expose this problem, and using config files located in a directory writable to other untrusted users is likely to have other issues.
Comment 4 Stefan Cornelius 2012-05-03 05:07:50 EDT
rhn_proxy_5.3 and rhn_satellite_5.3 (currently can't check 5.4) contain a vulnerable perl-Config-IniFiles package, but only use it to write into directories that are presumably protected. On top of that, there should be no untrusted users on rhn_satellite anyway, so this is not an issue for those products.
Comment 5 Vincent Danen 2012-05-28 12:59:28 EDT
perl-Config-IniFiles-2.72-1.fc16 has been submitted as an update for Fedora 16.

perl-Config-IniFiles-2.72-1.el5 has been submitted as an update for Fedora EPEL 5.

perl-Config-IniFiles-2.72-1.fc17 has been submitted as an update for Fedora 17.

perl-Config-IniFiles-2.72-1.el6 has been submitted as an update for Fedora EPEL 6.

perl-Config-IniFiles-2.72-1.fc15 has been submitted as an update for Fedora 15.
Comment 6 Vincent Danen 2012-05-28 13:00:00 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Network Proxy or Red Hat Network Satellite. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.