https://bugzilla.redhat.com/show_bug.cgi?id=753955
--- Comment #4 from Petr Pisar <ppisar(a)redhat.com> 2011-12-02 09:48:55 EST ---
Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It
states in the change log that this version fixes this issue:
[Changes for 1.011 - Dec 1, 2011]
* Bug fixes, etc.
  - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
    and predictable temporary directories
    - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
    - if it already exists, make sure that (and bail out if not)
      - it's not a symlink
      - it's mode 0700
      - it's owned by USER
  - depend on PAR 1.004 (which contains the other half of the
    fix for CVE-2011-4114)
and that the complete fix requires PAR-1.004 (advertised here in comment #2).
As you can see, upstream does not check path components. Is this fix sufficient?
In my opinion, it is. I think any code needs a safe entry point, and assuming the
parent directory is safe is one of these.
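The checks the changelog lists, as an added example in Python that is not PAR-Packer's own (Perl) code: create the cache parent with mode 0700, and if it already exists refuse it unless it is a real directory (not a symlink), mode exactly 0700 and owned by the calling user. The helper name ensure_private_dir and the constructed demo() scenario are assumptions.

```python
import os
import stat
import tempfile


def ensure_private_dir(path, uid=None):
    """Create `path` with mode 0700, or verify an existing one is safe to use.

    Hypothetical helper mirroring the PAR-Packer 1.011 changelog: the cache
    parent must not be a symlink, must be a directory with mode exactly 0700
    and must be owned by the calling user. Returns True or raises RuntimeError.
    """
    if uid is None:
        uid = os.getuid()
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # pre-existing: fall through and validate it, never trust it
    st = os.lstat(path)  # lstat so a planted symlink is seen as a symlink
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        raise RuntimeError(f"{path} has mode {oct(mode)}, expected 0700")
    if st.st_uid != uid:
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not {uid}")
    return True


def demo():
    """Constructed scenario: a fresh dir, a too-permissive dir and a symlink."""
    base = tempfile.mkdtemp()
    results = {"fresh": ensure_private_dir(os.path.join(base, "par-fresh"))}
    loose = os.path.join(base, "par-loose")
    os.mkdir(loose)
    os.chmod(loose, 0o755)  # set explicitly so umask cannot mask the test
    link = os.path.join(base, "par-link")
    os.symlink(base, link)  # a symlink planted where the cache dir is expected
    for name, candidate in (("loose", loose), ("link", link)):
        try:
            ensure_private_dir(candidate)
            results[name] = "accepted"
        except RuntimeError:
            results[name] = "rejected"
    return results
```

The fresh directory is accepted; the 0755 directory and the symlink are both rejected before anything is extracted into them.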