[perl-PAR-Packer/f16] Fix CVE-2011-4114
Petr Pisar
ppisar at fedoraproject.org
Tue Dec 6 14:24:18 UTC 2011
commit caf5df098adb318c914803819bd550b6c2c17ab6
Author: Petr Písař <ppisar at redhat.com>
Date: Tue Dec 6 15:11:15 2011 +0100
Fix CVE-2011-4114
perl-PAR-Packer-1.010-CVE-2011-4114.patch | 84 +++++++++++++++++++++++++++++
perl-PAR-Packer.spec | 8 +++-
2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer-1.010-CVE-2011-4114.patch b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
new file mode 100644
index 0000000..b951322
--- /dev/null
+++ b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
@@ -0,0 +1,84 @@
+From 9aa3d40e0b24bbd3dfa5d51198ffc289fa901c9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Tue, 6 Dec 2011 14:22:04 +0100
+Subject: [PATCH] Fix CVE-2011-4114 ported for 1.010.
+
+From: r1296 | rschupp | 2011-11-14 21:01:18 +0100 (Po, 14 lis 2011) | 11 lines
+
+myldr/mktmpdir.c:
+- (par_mktmpdir) CVE-2011-4114:
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, check that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+
+NOTE: PAR contains a "copy" of par_mktmpdir (in Perl); this
+must be fixed as well and we must require the fixed version.
+
+Adjusted error message from r1313 is included.
+---
+ myldr/mktmpdir.c | 38 +++++++++++++++++++++++++++++++++++---
+ 1 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/myldr/mktmpdir.c b/myldr/mktmpdir.c
+index 6699831..2293268 100644
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -161,10 +161,42 @@ char *par_mktmpdir ( char **argv ) {
+ stmpdir2 is the top $TEMP/par-$USER, needed to build stmpdir. We
+ need 2 buffers because snprintf() can't write to a buffer it's
+ reading from. */
+- stmpdir = malloc( stmp_len );
+ stmpdir2 = malloc( stmp_len );
+ sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+- my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++ _mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */
++#else
++ {
++ struct stat st;
++
++ if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++ fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ /* now check that:
++ * - stmpdir2 is a directory (and not a symlink)
++ * - stmpdir2 is owned by the user
++ * - stmpdir2 has mode 0700
++ */
++ if (lstat(stmpdir2, &st) == -1) {
++ fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ if (!S_ISDIR(st.st_mode)
++ || st.st_uid != getuid()
++ || (st.st_mode & 0777) != 0700 ) {
++ fprintf(stderr, "%s: private subdirectory %s is unsafe (please remove it and retry your operation)\n",
++ argv[0], stmpdir2);
++ return NULL;
++ }
++ }
++#endif
++
++ stmpdir = malloc( stmp_len );
+
+ /* Doesn't really work - XXX */
+ val = par_getenv( "PATH" );
+@@ -250,7 +282,7 @@ char *par_mktmpdir ( char **argv ) {
+ a prior invocation crashed leaving garbage in a temp directory that
+ might interfere. */
+
+- while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++ while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+ sprintf(
+ stmpdir,
+ "%s%stemp-%u-%u%s",
+--
+1.7.7.4
+
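Review bot: The WIN32 branch of the embedded mktmpdir.c patch calls `_mkdir(stmpdir2)` and ignores the result, so none of the new ownership, mode and symlink checks apply on that platform and a failed creation goes unnoticed, as the FIXME admits. At minimum it should mirror the POSIX error path: `if (_mkdir(stmpdir2) == -1 && errno != EEXIST)`, then print the same message and `return NULL;`. On the POSIX side each new `return NULL` leaves `stmpdir2` allocated, and the context lines show the result of `malloc( stmp_len )` passed unchecked to an unbounded `sprintf`; a NULL check after the allocation and `free(stmpdir2);` before each early return would close that. The lstat-based test presumably relies on the parent temp directory being sticky or otherwise not writable by other users, which is worth stating in the comment above the check. par_mktmpdir starts and ends outside the hunk, so whether callers handle the new NULL return cannot be confirmed from here.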
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index a3299c1..9d00be7 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,11 +1,13 @@
Name: perl-PAR-Packer
Version: 1.010
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: PAR Packager
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/PAR-Packer/
Source0: http://www.cpan.org/authors/id/R/RS/RSCHUPP/PAR-Packer-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #753957, included in upstream 1.011.
+Patch0: perl-PAR-Packer-1.010-CVE-2011-4114.patch
BuildRequires: perl(Archive::Zip) >= 1
BuildRequires: perl(Compress::Zlib) >= 1.3
BuildRequires: perl(ExtUtils::MakeMaker)
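Review bot: Nothing in this hunk makes the package depend on a PAR release that carries the same fix, although the description of the added patch says PAR contains a Perl copy of par_mktmpdir that "must be fixed as well and we must require the fixed version". If the Requires lines outside this hunk do not already pin such a version, add a versioned dependency along the lines of `Requires: perl(PAR) >= FIXED_VERSION` (placeholder; the fixed PAR version is not stated on this page). Without it the hardened C loader can still be installed next to an unpatched Perl-side implementation of the same temp-directory logic.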
@@ -24,6 +26,7 @@ stand-alone executables, perl scripts and PAR files.
%prep
%setup -q -n PAR-Packer-%{version}
+%patch0 -p1
%build
# DEBUG variable needed to disable stripping binary
@@ -58,6 +61,9 @@ export PAR_GLOBAL_TEMP=/var/tmp
%{_mandir}/man3/*
%changelog
+* Tue Dec 06 2011 Petr Pisar <ppisar at redhat.com> - 1.010-3
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #753957)
+
* Tue Jul 19 2011 Petr Sabata <contyk at redhat.com> - 1.010-2
- Perl mass rebuild