[perl-PAR-Packer/f16] Fix CVE-2011-4114

Petr Pisar ppisar at fedoraproject.org
Tue Dec 6 14:24:18 UTC 2011


commit caf5df098adb318c914803819bd550b6c2c17ab6
Author: Petr Písař <ppisar at redhat.com>
Date:   Tue Dec 6 15:11:15 2011 +0100

    Fix CVE-2011-4114

 perl-PAR-Packer-1.010-CVE-2011-4114.patch |   84 +++++++++++++++++++++++++++++
 perl-PAR-Packer.spec                      |    8 +++-
 2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer-1.010-CVE-2011-4114.patch b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
new file mode 100644
index 0000000..b951322
--- /dev/null
+++ b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
@@ -0,0 +1,84 @@
+From 9aa3d40e0b24bbd3dfa5d51198ffc289fa901c9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Tue, 6 Dec 2011 14:22:04 +0100
+Subject: [PATCH] Fix CVE-2011-4114 ported for 1.010.
+
+From: r1296 | rschupp | 2011-11-14 21:01:18 +0100 (Po, 14 lis 2011) | 11 lines
+
+myldr/mktmpdir.c:
+- (par_mktmpdir) CVE-2011-4114:
+  - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+  - if it already exists, check that (and bail out if not)
+    - it's not a symlink
+    - it's mode 0700
+    - it's owned by USER
+
+NOTE: PAR contains a "copy" of par_mktmpdir (in Perl); this
+must be fixed as well and we must require the fixed version.
+
+Adjusted error message from r1313 is included.
+---
+ myldr/mktmpdir.c |   38 +++++++++++++++++++++++++++++++++++---
+ 1 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/myldr/mktmpdir.c b/myldr/mktmpdir.c
+index 6699831..2293268 100644
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -161,10 +161,42 @@ char *par_mktmpdir ( char **argv ) {
+        stmpdir2 is the top $TEMP/par-$USER, needed to build stmpdir.  We
+        need 2 buffers because snprintf() can't write to a buffer it's
+        reading from. */
+-    stmpdir = malloc( stmp_len );
+     stmpdir2 = malloc( stmp_len );
+     sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+-    my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++    _mkdir(stmpdir2);         /* FIXME bail if error (other than EEXIST) */
++#else
++    {
++        struct stat st;
++
++        if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++            fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n", 
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        /* now check that:
++         * - stmpdir2 is a directory (and not a symlink)
++         * - stmpdir2 is owned by the user
++         * - stmpdir2 has mode 0700
++         */
++        if (lstat(stmpdir2, &st) == -1) {
++            fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        if (!S_ISDIR(st.st_mode)
++            || st.st_uid != getuid()
++            || (st.st_mode & 0777) != 0700 ) {
++            fprintf(stderr, "%s: private subdirectory %s is unsafe (please remove it and retry your operation)\n",
++                    argv[0], stmpdir2);
++            return NULL;
++        }
++    }
++#endif
++
++    stmpdir = malloc( stmp_len );
+ 
+     /* Doesn't really work - XXX */
+     val = par_getenv( "PATH" );
+@@ -250,7 +282,7 @@ char *par_mktmpdir ( char **argv ) {
+            a prior invocation crashed leaving garbage in a temp directory that
+            might interfere. */
+ 
+-        while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++        while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+             sprintf(
+                 stmpdir,
+                 "%s%stemp-%u-%u%s",
+-- 
+1.7.7.4
+
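Review bot: The three new `return NULL;` exits in the POSIX branch of par_mktmpdir leave `stmpdir2` allocated, and they may be the first paths on which this function returns NULL, so its callers (outside this hunk) should be checked to confirm they stop rather than continue without a private directory. Adding `free(stmpdir2);` after each `fprintf` keeps those paths clean. The `malloc( stmp_len )` result is still handed to `sprintf` without a NULL check. The `lstat()` test is path-based, so it only holds while other users cannot replace the entry afterwards; a comment such as `/* relies on tmpdir being sticky: otherwise the entry can be swapped after this check */` would record that assumption. The WIN32 branch performs no equivalent verification and ignores `_mkdir` failure, as its FIXME admits, so the fix covers non-Windows builds only.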
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index a3299c1..9d00be7 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,11 +1,13 @@
 Name:           perl-PAR-Packer
 Version:        1.010
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        PAR Packager
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/PAR-Packer/
 Source0:        http://www.cpan.org/authors/id/R/RS/RSCHUPP/PAR-Packer-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #753957, included in upstream 1.011.
+Patch0:         perl-PAR-Packer-1.010-CVE-2011-4114.patch
 BuildRequires:  perl(Archive::Zip) >= 1
 BuildRequires:  perl(Compress::Zlib) >= 1.3
 BuildRequires:  perl(ExtUtils::MakeMaker)
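Review bot: No versioned dependency on a fixed PAR is added alongside `Patch0`, although the patch description says PAR carries a Perl copy of par_mktmpdir that "must be fixed as well and we must require the fixed version". If the Requires lines outside these hunks do not already pin it, consider adding `Requires: perl(PAR) >= FIXED_PAR_VERSION` (placeholder, because the fixed version is not stated on this page). Without it the patched loader can be installed next to a PAR module that still creates the per-user directory with the old permissions and no ownership check.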
@@ -24,6 +26,7 @@ stand-alone executables, perl scripts and PAR files.
 
 %prep
 %setup -q -n PAR-Packer-%{version}
+%patch0 -p1
 
 %build
 # DEBUG variable needed to disable stripping binary
@@ -58,6 +61,9 @@ export PAR_GLOBAL_TEMP=/var/tmp
 %{_mandir}/man3/*
 
 %changelog
+* Tue Dec 06 2011 Petr Pisar <ppisar at redhat.com> - 1.010-3
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #753957)
+
 * Tue Jul 19 2011 Petr Sabata <contyk at redhat.com> - 1.010-2
 - Perl mass rebuild
 


