Bug#650500: unsafe use of /tmp
Moritz Mühlenhoff
jmm at inutil.org
Wed Nov 30 20:52:55 UTC 2011
On Wed, Nov 30, 2011 at 06:46:33PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> > Package: libproc-processtable-perl
> > Version: 0.45-1
> > Severity: important
> > Tags: security
> >
> > Proc::ProcessTable can cache TTY information (not enabled by default).
> > For this it uses the file /tmp/TTYDEVS.
> >
> > If caching is enabled, there is a race condition that allows to
> > overwrite arbitrary files in ProcessTable.pm:
> >
> > 102 if( -r $TTYDEVSFILE )
> > 103 {
> > 104 $_ = Storable::retrieve($TTYDEVSFILE);
> > [...]
> > 107 else
> > 108 {
> > [...]
> > 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
> >
> > If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> > link points to is overwritten. Alternatively wrong information can be
> > provided.
> >
> > The relevant code path can be reached with
> >
> > perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
>
> Dear Debian Perl Group,
> this doesn't warrant a DSA; but can you fix this through a point update
> once an upstream fix is available?
This has been assigned CVE-2011-4363.
Cheers,
Moritz
More information about the pkg-perl-maintainers
mailing list