Bug#650706: libpar-packer-perl: PAR packed files are extracted to unsafe and predictable temporary directories
Salvatore Bonaccorso
carnil at debian.org
Fri Dec 2 06:33:16 UTC 2011
Package: libpar-packer-perl
Version: 1.010-1
Severity: important
Tags: security
Hi
Changelog for 1.011 contains:
  - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
    and predictable temporary directories
    - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
    - if it already exists, make sure that (and bail out if not)
      - it's not a symlink
      - it's mode 0700
      - it's owned by USER
    - depend on PAR 1.004 (which contains the other half of the
      fix for CVE-2011-4114)
  - bump Perl version requirement to 5.8.1 (Schwern: The End Of 5.6 Is Nigh!)
  - explicitly mark Perl 5.10.0 as an unsupported version
libpar-packer-perl before 1.011 had the issue that PAR packed files
are extracted to unsafe and predictable temporary directories
according to the bug tracker [1] and changelog.
[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560
This is CVE-2011-4114.
Regards
Salvatore
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
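The changelog above lists the checks PAR::Packer 1.011 applies to the predictable /tmp/par-USER cache directory before trusting it. The following is an added illustration, not code from PAR::Packer, PAR or the Debian package: a Python re-implementation of those checks (create with 0700; if the directory already exists, bail out unless it is not a symlink, is mode 0700 and is owned by the current user), followed by two of the conditions an attacker on a shared host can pre-arrange. The function and helper names are my own, and the examples use a fresh temporary directory in place of /tmp so they run without touching the real cache location.

```python
import os
import pwd
import shutil
import stat
import tempfile


class CacheDirError(Exception):
    """Raised when the per-user cache directory cannot be trusted."""


def _current_user():
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # no passwd entry (e.g. minimal container)
        return str(uid)


def secure_user_cache_dir(base, user=None):
    """Create or validate base/par-USER with the checks from the 1.011 changelog.

    Hypothetical re-implementation, not PAR::Packer's own code.  The path is
    predictable, so another local user may have created it first; an existing
    directory is accepted only if it is not a symlink, is mode 0700 and is
    owned by us.  Otherwise we bail out instead of extracting into it.
    """
    uid = os.getuid()
    path = os.path.join(base, "par-" + (user or _current_user()))

    try:
        os.mkdir(path, 0o700)       # EEXIST if someone got there first
    except FileExistsError:
        pass
    else:
        os.chmod(path, 0o700)       # umask may have stripped bits from mode

    st = os.lstat(path)             # lstat: never follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise CacheDirError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise CacheDirError(f"{path} is not a directory")
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise CacheDirError(
            f"{path} has mode {stat.S_IMODE(st.st_mode):04o}, expected 0700")
    if st.st_uid != uid:
        raise CacheDirError(f"{path} is owned by uid {st.st_uid}, not {uid}")
    return path


def _refused(base):
    """True if secure_user_cache_dir(base) bails out on this base."""
    try:
        secure_user_cache_dir(base)
    except CacheDirError:
        return True
    return False


def demo_fresh_create():
    """Nothing pre-exists: the directory is created 0700 and accepted again."""
    base = tempfile.mkdtemp()
    try:
        first = secure_user_cache_dir(base)
        second = secure_user_cache_dir(base)   # idempotent on our own directory
        mode = stat.S_IMODE(os.lstat(first).st_mode)
        return first == second and mode == 0o700
    finally:
        shutil.rmtree(base)


def demo_symlink_planted():
    """Attacker plants base/par-USER as a symlink to a directory they control."""
    base = tempfile.mkdtemp()
    try:
        attacker_dir = os.path.join(base, "attacker")
        os.mkdir(attacker_dir)
        os.symlink(attacker_dir, os.path.join(base, "par-" + _current_user()))
        return _refused(base)
    finally:
        shutil.rmtree(base)


def demo_world_writable_dir():
    """base/par-USER already exists, but with mode 0777 (anyone can plant files)."""
    base = tempfile.mkdtemp()
    try:
        path = os.path.join(base, "par-" + _current_user())
        os.mkdir(path)
        os.chmod(path, 0o777)
        return _refused(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("fresh create accepted:", demo_fresh_create())
    print("planted symlink refused:", demo_symlink_planted())
    print("0777 directory refused:", demo_world_writable_dir())
```

The ownership check matters even when the mode is right: a directory created by another user with mode 0700 would be unusable rather than dangerous, but one that is 0700 and not ours is still a sign that the name was claimed first, and the safe reaction is to refuse rather than chmod or reuse it. The residual risk with a fixed name is denial of service (an attacker can always occupy /tmp/par-USER first), which is why the fix bails out loudly instead of silently picking another path.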