[perl-PAR/f16] Fix CVE-2011-4114

Petr Pisar ppisar at fedoraproject.org
Tue Dec 6 10:44:46 UTC 2011


commit b45cffe68b4e5e6f1920e5138b4c04c338b07210
Author: Petr Písař <ppisar at redhat.com>
Date:   Thu Dec 1 15:46:19 2011 +0100

    Fix CVE-2011-4114

 perl-PAR-1.002-CVE-2011-4114.patch |   89 ++++++++++++++++++++++++++++++++++++
 perl-PAR.spec                      |   10 ++++-
 2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-1.002-CVE-2011-4114.patch b/perl-PAR-1.002-CVE-2011-4114.patch
new file mode 100644
index 0000000..4db8a94
--- /dev/null
+++ b/perl-PAR-1.002-CVE-2011-4114.patch
@@ -0,0 +1,89 @@
+Fix CVE-2011-4114
+
+From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines
+RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
+predictable temporary directories
+- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+- if it already exists, check that (and bail out if not)
+  - it's not a symlink
+  - it's mode 0700
+  - it's owned by USER
+
+Petr Pisar: Message wording adjustment from r1316 is included too.
+
+Index: lib/PAR/SetupTemp.pm
+===================================================================
+--- lib/PAR/SetupTemp.pm	(revision 1304)
++++ lib/PAR/SetupTemp.pm	(revision 1305)
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+     }
+ 
+     my $stmpdir = _get_par_user_tempdir();
++    die "unable to create cache directory" unless $stmpdir;
++
+     require File::Spec;
+-    if (defined $stmpdir) { # it'd be quite bad if this was not the case
+       if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+           my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+       }
+ 
+       $ENV{PAR_TEMP} = $stmpdir;
+-      mkdir $stmpdir, 0755;
+-    } # end if found a temp dir
++    mkdir $stmpdir, 0700;
+ 
+     $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,8 +100,25 @@
+     next unless defined $path and -d $path and -w $path;
+     $temp_path = File::Spec->catdir($path, "par-$username");
+     ($temp_path) = $temp_path =~ /^(.*)$/s;
+-    mkdir $temp_path, 0755;
++    unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++      warn "creation of private subdirectory $temp_path failed (errno=$!)"; 
++      return;
++    }
+ 
++    unless ($^O eq 'MSWin32') {
++        my @st;
++        unless (@st = lstat($temp_path)) {
++          warn "stat of private subdirectory $temp_path failed (errno=$!)";
++          return;
++        }
++        if (!S_ISDIR($st[2])
++            || $st[4] != $<
++            || ($st[2] & 0777) != 0700 ) {
++          warn "private subdirectory $temp_path is unsafe";
++          return;
++        }
++    }
++
+     last;
+   }
+   return $temp_path;
+
+
+Index: lib/PAR/SetupTemp.pm
+===================================================================
+--- lib/PAR/SetupTemp.pm	(revision 1315)
++++ lib/PAR/SetupTemp.pm	(revision 1316)
+@@ -114,7 +114,7 @@
+         if (!S_ISDIR($st[2])
+             || $st[4] != $<
+             || ($st[2] & 0777) != 0700 ) {
+-          warn "private subdirectory $temp_path is unsafe";
++          warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
+           return;
+         }
+     }
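Review bot: The final `mkdir $stmpdir, 0700;` in the set_par_temp_env hunk still ignores its return value, unlike the newly checked mkdir in `_get_par_user_tempdir`, so a failed creation goes unreported after `$ENV{PAR_TEMP}` has already been set on the line above. The lines that rebuild `$stmpdir` lie between the hunks, so this presumably targets a subdirectory of the verified 0700 parent, which would make it a robustness gap rather than a window for another user. I would change it to `mkdir($stmpdir, 0700) or $!{EEXIST} or die "unable to create cache directory $stmpdir: $!";`. The `unless ($^O eq 'MSWin32')` block also needs a comment saying why the type, owner and mode checks are skipped on that platform, because as written the directory there is used without any verification.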
diff --git a/perl-PAR.spec b/perl-PAR.spec
index 1c98bed..23a6f2a 100644
--- a/perl-PAR.spec
+++ b/perl-PAR.spec
@@ -1,11 +1,13 @@
 Name:           perl-PAR
 Version:        1.002
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Perl Archive Toolkit
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/PAR/
 Source0:        http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #760132, included in upstream 1.004.
+Patch0:         perl-PAR-1.002-CVE-2011-4114.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 BuildRequires:  perl(Archive::Zip) >= 1
@@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded.
 
 %prep
 %setup -q -n PAR-%{version}
+%patch0 -p0
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 
 %check
+export TEMP="$(mktemp -d)"
 make test
+rm -rf "$TEMP"
 
 %clean
 rm -rf $RPM_BUILD_ROOT
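Review bot: `export TEMP="$(mktemp -d)"` in %check hides a mktemp failure, because the status of `export` replaces that of the command substitution; the tests would then run with an empty TEMP instead of a private directory. Splitting it as `TEMP="$(mktemp -d)"` followed by `export TEMP` lets the shell see the failure (rpm normally runs build scriptlets with `-e`). For the same reason `rm -rf "$TEMP"` is not reached when `make test` fails, so a `trap 'rm -rf "$TEMP"' EXIT` set right after the assignment would clean up on both paths.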
@@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 01 2011 Petr Pisar <ppisar at redhat.com> - 1.002-5
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132)
+
 * Tue Jul 19 2011 Petr Sabata <contyk at redhat.com> - 1.002-4
 - Perl mass rebuild
 


