Bug#650707: libpar-perl: PAR packed files are extracted to unsafe and predictable temporary directories

[Salvatore Bonaccorso]

Package: libpar-perl
Version: 1.002-1
Severity: important
Tags: security

Hi

Changelog for new upstream release of libpar-perl contains:

[Changes for 1.004 - Nov 30, 2011]
  - back out r1241: it causes errors in PAR::Packer's test suite
  - change "unsafe directory" error message to match the wording 
    used by PAR::Packer
  - remove "debian" sub directory: it isn't released to CPAN and
    Debian will supply its own anyway
  - remove some cruft from MANIFEST.SKIP

[Changes for 1.003 - Nov 28, 2011]
  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     (Note: this bug was originally reported against PAR::Packer, but
     it applies to PAR as well)
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER
  - Fix a problem packing XML::LibXSLT on Windows (see the thread starting 
    with http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
  - Die (with a hopefully useful message) if any error is encountered 
    during an Archive::Zip extract operation

Version before 1.003 had the issue that PAR packed files are extracted
to unsafe and predictable temporary directories [1].

 [1] https://rt.cpan.org/Public/Bug/Display.html?id=69560

This is CVE-2011-4114.

Regards
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash