Bug#650500: unsafe use of /tmp
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 1 06:28:56 UTC 2011
Hi Ansgar and Moritz
On Wed, Nov 30, 2011 at 06:46:33PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> > Package: libproc-processtable-perl
> > Version: 0.45-1
> > Severity: important
> > Tags: security
> >
> > Proc::ProcessTable can cache TTY information (not enabled by default).
> > For this it uses the file /tmp/TTYDEVS.
> >
> > If caching is enabled, there is a race condition that allows
> > overwriting arbitrary files in ProcessTable.pm:
> >
> > 102 if( -r $TTYDEVSFILE )
> > 103 {
> > 104 $_ = Storable::retrieve($TTYDEVSFILE);
> > [...]
> > 107 else
> > 108 {
> > [...]
> > 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
> >
> > If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> > link points to is overwritten. Alternatively wrong information can be
> > provided.
> >
> > The relevant code path can be reached with
> >
> > perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
>
> Dear Debian Perl Group,
> this doesn't warrant a DSA; but can you fix this through a point update
> once an upstream fix is available?
Thanks for the CVE request too. I have forwarded the report to
upstream. But the latest upstream release dates back to 2008. And thus
it might be unlikely that there will be a fix for it (before the
rewrite, as far as I know Jens Rehsack is planning to do so).
We can try to coordinate with Fedora/Red Hat [1].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4363
Regards
Salvatore
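
A hardened form of the check-then-store pattern quoted in the report, as an added example that is neither part of the original message nor Proc::ProcessTable's own code. The helper names store_cache and load_cache, the private cache directory, and the sample TTY data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);          # O_RDONLY, O_NOFOLLOW, S_ISREG
use File::Temp qw(tempfile tempdir);
use Storable qw(store_fd fd_retrieve);

# Store: write to a fresh O_EXCL temp file in the cache directory, then
# rename() it into place. rename() replaces a symlink itself, never its target.
sub store_cache {
    my ($data, $dir, $name) = @_;
    my ($fh, $tmp) = tempfile("$name.XXXXXXXX", DIR => $dir, UNLINK => 0);
    store_fd($data, $fh) or die "store_fd failed\n";
    close($fh) or die "close $tmp: $!\n";
    rename($tmp, "$dir/$name")
        or do { my $e = $!; unlink $tmp; die "rename: $e\n" };
    return 1;
}

# Load: open first (refusing symlinks), then validate the open descriptor.
# There is no gap between the check and the use, unlike -r followed by retrieve.
sub load_cache {
    my ($dir, $name) = @_;
    sysopen(my $fh, "$dir/$name", O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh) or return;
    # Only trust a regular file we own that group/other cannot write;
    # Storable must never be fed data another user could have supplied.
    return unless S_ISREG($st[2]) && $st[4] == $> && !($st[2] & 022);
    return fd_retrieve($fh);
}

# Constructed demo in a private 0700 directory (tempdir creates it that way).
my $dir = tempdir(CLEANUP => 1);
my %ttydevs = (1025 => 'ttyS1', 34816 => 'pts/0');    # constructed sample data
store_cache(\%ttydevs, $dir, 'TTYDEVS');
print "loaded: ", join(',', sort values %{ load_cache($dir, 'TTYDEVS') }), "\n";

# A symlink sitting at the cache path is neither read nor written through.
my $other = "$dir/unrelated.txt";
open(my $o, '>', $other) or die $!; print $o "keep me\n"; close $o;
unlink "$dir/TTYDEVS"; symlink($other, "$dir/TTYDEVS") or die $!;
print "load via symlink: ",
    (defined load_cache($dir, 'TTYDEVS') ? 'accepted' : 'refused'), "\n";
store_cache(\%ttydevs, $dir, 'TTYDEVS');
print "unrelated file size still ", -s $other, " bytes\n";
```

Keeping the cache in a per-user directory rather than directly in /tmp matters as much as the open flags: in a sticky world-writable directory the final rename() fails if another user already owns the target name.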