Bug#650500: unsafe use of /tmp
Moritz Mühlenhoff
jmm at inutil.org
Wed Nov 30 17:46:33 UTC 2011
On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> Package: libproc-processtable-perl
> Version: 0.45-1
> Severity: important
> Tags: security
>
> Proc::ProcessTable can cache TTY information (not enabled by default).
> For this it uses the file /tmp/TTYDEVS.
>
> If caching is enabled, there is a race condition that allows to
> overwrite arbitrary files in ProcessTable.pm:
>
> 102 if( -r $TTYDEVSFILE )
> 103 {
> 104 $_ = Storable::retrieve($TTYDEVSFILE);
> [...]
> 107 else
> 108 {
> [...]
> 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
>
> If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> link points to is overwritten. Alternatively wrong information can be
> provided.
>
> The relevant code path can be reached with
>
> perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
Dear Debian Perl Group,
this doesn't warrant a DSA; but can you fix this through a point update
once an upstream fix is available?
Cheers,
Moritz
More information about the pkg-perl-maintainers
mailing list