Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Wed, 30 Nov 2011 09:39:04 GMT)
Acknowledgement sent
to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Wed, 30 Nov 2011 09:39:07 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unsafe use of /tmp
Date: Wed, 30 Nov 2011 10:36:03 +0100
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security
Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.
If caching is enabled, there is a race condition in ProcessTable.pm that allows
arbitrary files to be overwritten:
102 if( -r $TTYDEVSFILE )
103 {
104 $_ = Storable::retrieve($TTYDEVSFILE);
[...]
107 else
108 {
[...]
112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
link points to is overwritten. Alternatively, wrong information can be
provided.
The relevant code path can be reached with
perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
Ansgar
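The check-then-store pattern quoted in the report above, beside one hardened variant, as an added example: this is not code from Proc::ProcessTable, from the Debian patch or from the reporter. The `_unsafe`/`_safe` sub names, the per-user cache directory under $XDG_CACHE_HOME (or ~/.cache) named proc-processtable, and the sample TTY map are assumptions. The hardened form moves the cache out of the shared /tmp, refuses to follow symlinks (O_NOFOLLOW on open, lstat on the directory), creates the file with O_CREAT|O_EXCL and renames it into place, and checks owner and file type on the descriptor it actually opened rather than on a path it stat'ed earlier.

```perl
#!/usr/bin/perl
# Added example for Debian bug #650500 / CVE-2011-4363. Not code from
# Proc::ProcessTable or the Debian patch; sub names, the cache directory
# layout and the sample data below are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_RDONLY O_NOFOLLOW);
use File::Spec;
use Storable qw(store retrieve nstore_fd fd_retrieve);

# --- Vulnerable shape (what the report quotes from ProcessTable.pm 0.45) ---
# A readability test on a world-writable /tmp path, then store() on the
# same path. An attacker who places a symlink there between the two calls
# redirects the write to any file the caller can write; a planted file
# feeds the caller bogus TTY data through retrieve().
sub load_or_write_cache_unsafe {
    my ($file, $data) = @_;
    if (-r $file) {                 # check on an attacker-controlled path ...
        return retrieve($file);     # ... then trust whatever is there
    }
    store($data, $file);            # follows symlinks: arbitrary overwrite
    return $data;
}

# --- Hardened variant ---
# Cache lives in a directory only this user can write; the directory is
# verified with lstat (no symlink, our uid, no group/other bits).
sub cache_dir_safe {
    my $base = $ENV{XDG_CACHE_HOME}
             // File::Spec->catdir($ENV{HOME} // '.', '.cache');
    my $dir = File::Spec->catdir($base, 'proc-processtable');   # assumed name
    unless (-d $dir) {
        mkdir $base, 0700;                       # may already exist
        mkdir $dir, 0700 or die "mkdir $dir: $!";
    }
    my @st = lstat $dir or die "lstat $dir: $!";
    die "$dir must be a directory owned by uid $< with no group/other access"
        unless -d _ && $st[4] == $< && !($st[2] & 0077);
    return $dir;
}

# Write to a fresh O_EXCL file (never follows a symlink, never reuses a
# planted file), then rename() it into place so readers never see a
# half-written cache.
sub write_cache_safe {
    my ($data) = @_;
    my $dest = File::Spec->catfile(cache_dir_safe(), 'TTYDEVS');
    my $tmp  = "$dest.$$.tmp";
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "sysopen $tmp: $!";
    nstore_fd($data, $fh) or die "nstore_fd $tmp: $!";
    close $fh or die "close $tmp: $!";
    rename $tmp, $dest or die "rename $tmp -> $dest: $!";
    return $dest;
}

# Open without following symlinks, then validate the descriptor we hold
# (fstat), not a path that could have changed since we looked at it.
sub read_cache_safe {
    my $file = File::Spec->catfile(cache_dir_safe(), 'TTYDEVS');
    sysopen(my $fh, $file, O_RDONLY | O_NOFOLLOW)
        or do { return if $!{ENOENT}; die "sysopen $file: $!" };  # ELOOP etc. is an error
    my @st = stat $fh or die "fstat $file: $!";
    die "$file is not a regular file owned by uid $<"
        unless -f _ && $st[4] == $<;
    my $data = fd_retrieve($fh);
    close $fh;
    return $data;
}

# Demo with a constructed TTY name -> device number map.
my %ttydevs = ('/dev/tty1' => 1025, '/dev/pts/0' => 34816);
my $path = write_cache_safe(\%ttydevs);
my $back = read_cache_safe();
printf "cache at %s: %d entries, /dev/pts/0 => %d\n",
    $path, scalar keys %$back, $back->{'/dev/pts/0'};
```

Run it as an ordinary user; it creates ~/.cache/proc-processtable/TTYDEVS (or the $XDG_CACHE_HOME equivalent) and reads it back. The point of the `_safe` subs is that no decision is made on a path in a shared directory: the only path operations are inside a directory whose ownership and mode were just verified, and every trust decision (owner, regular file) is made on an open descriptor.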
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Wed, 30 Nov 2011 17:48:03 GMT)
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Wed, 30 Nov 2011 17:48:03 GMT)
To: Ansgar Burchardt <ansgar@debian.org>, 650500@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#650500: unsafe use of /tmp
Date: Wed, 30 Nov 2011 18:46:33 +0100
On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> Package: libproc-processtable-perl
> Version: 0.45-1
> Severity: important
> Tags: security
>
> Proc::ProcessTable can cache TTY information (not enabled by default).
> For this it uses the file /tmp/TTYDEVS.
>
> If caching is enabled, there is a race condition in ProcessTable.pm that allows
> arbitrary files to be overwritten:
>
> 102 if( -r $TTYDEVSFILE )
> 103 {
> 104 $_ = Storable::retrieve($TTYDEVSFILE);
> [...]
> 107 else
> 108 {
> [...]
> 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
>
> If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> link points to is overwritten. Alternatively, wrong information can be
> provided.
>
> The relevant code path can be reached with
>
> perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
Dear Debian Perl Group,
this doesn't warrant a DSA; but can you fix this through a point update
once an upstream fix is available?
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Wed, 30 Nov 2011 20:54:03 GMT)
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Wed, 30 Nov 2011 20:54:03 GMT)
On Wed, Nov 30, 2011 at 06:46:33PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> > Package: libproc-processtable-perl
> > Version: 0.45-1
> > Severity: important
> > Tags: security
> >
> > Proc::ProcessTable can cache TTY information (not enabled by default).
> > For this it uses the file /tmp/TTYDEVS.
> >
> > If caching is enabled, there is a race condition in ProcessTable.pm that allows
> > arbitrary files to be overwritten:
> >
> > 102 if( -r $TTYDEVSFILE )
> > 103 {
> > 104 $_ = Storable::retrieve($TTYDEVSFILE);
> > [...]
> > 107 else
> > 108 {
> > [...]
> > 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
> >
> > If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> > link points to is overwritten. Alternatively, wrong information can be
> > provided.
> >
> > The relevant code path can be reached with
> >
> > perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
>
> Dear Debian Perl Group,
> this doesn't warrant a DSA; but can you fix this through a point update
> once an upstream fix is available?
This has been assigned CVE-2011-4363.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Thu, 01 Dec 2011 06:33:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Thu, 01 Dec 2011 06:33:03 GMT)
Hi Ansgar and Moritz
On Wed, Nov 30, 2011 at 06:46:33PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 10:36:03AM +0100, Ansgar Burchardt wrote:
> > Package: libproc-processtable-perl
> > Version: 0.45-1
> > Severity: important
> > Tags: security
> >
> > Proc::ProcessTable can cache TTY information (not enabled by default).
> > For this it uses the file /tmp/TTYDEVS.
> >
> > If caching is enabled, there is a race condition in ProcessTable.pm that allows
> > arbitrary files to be overwritten:
> >
> > 102 if( -r $TTYDEVSFILE )
> > 103 {
> > 104 $_ = Storable::retrieve($TTYDEVSFILE);
> > [...]
> > 107 else
> > 108 {
> > [...]
> > 112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
> >
> > If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
> > link points to is overwritten. Alternatively, wrong information can be
> > provided.
> >
> > The relevant code path can be reached with
> >
> > perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
>
> Dear Debian Perl Group,
> this doesn't warrant a DSA; but can you fix this through a point update
> once an upstream fix is available?
Thanks for the CVE request too. I have forwarded the report to
upstream. But the latest upstream release dates back to 2008, and thus
it might be unlikely that there will be a fix for it (before the
rewrite which, as far as I know, Jens Rehsack is planning to do).
We can try to coordinate with fedora/redhat [1].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4363
Regards
Salvatore
Changed Bug title to 'libproc-processtable-perl: [CVE-2011-4363] unsafe use of /tmp' from 'unsafe use of /tmp'
Request was from aburchar <ansgar@debian.org>
to control@bugs.debian.org.
(Tue, 20 Dec 2011 19:51:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Sun, 10 Feb 2013 14:30:06 GMT)
Added tag(s) pending.
Request was from pkg-perl-maintainers@lists.alioth.debian.org
to control@bugs.debian.org.
(Sun, 10 Feb 2013 14:30:10 GMT)
Message sent on
to Ansgar Burchardt <ansgar@debian.org>:
Bug#650500.
(Sun, 10 Feb 2013 14:30:12 GMT)
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 10 Feb 2013 15:03:13 GMT)
Notification sent
to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer.
(Sun, 10 Feb 2013 15:03:13 GMT)
Subject: Bug#650500: fixed in libproc-processtable-perl 0.45-6
Date: Sun, 10 Feb 2013 14:48:39 +0000
Source: libproc-processtable-perl
Source-Version: 0.45-6
We believe that the bug you reported is fixed in the latest version of
libproc-processtable-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 650500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libproc-processtable-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 10 Feb 2013 15:01:30 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl
Architecture: source amd64
Version: 0.45-6
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes:
libproc-processtable-perl (0.45-6) unstable; urgency=low
.
* Add CVE-2011-4363.patch patch
[SECURITY] CVE-2011-4363: Fix unsafe temporary file usage. (Closes: #650500)
Checksums-Sha1:
7faec375cd6481c19adecce29bbcf9c5bf468ccc 2230 libproc-processtable-perl_0.45-6.dsc
d4de5e85ca234ed3a294a853502cf74d9105d127 8620 libproc-processtable-perl_0.45-6.debian.tar.gz
2238bc73ae3fa8cd2d90eebad02ca20f3840a524 48866 libproc-processtable-perl_0.45-6_amd64.deb
Checksums-Sha256:
8ea19379534ec7404c9110dbb208961d4e1e2bf98dc71175dbad5a48dab33b5c 2230 libproc-processtable-perl_0.45-6.dsc
ad1a95b47b8080b227377de861432c32d49fd14909dbaa18a8226344ec7d6350 8620 libproc-processtable-perl_0.45-6.debian.tar.gz
2e2499c179e7116f1ba8017251a1f8819b391a921cb3c0b633916ccde7218f5f 48866 libproc-processtable-perl_0.45-6_amd64.deb
Files:
fe0aefd22c971b79c21f4354eef66976 2230 perl optional libproc-processtable-perl_0.45-6.dsc
a4a2d435652f48b100a9b34133118ce3 8620 perl optional libproc-processtable-perl_0.45-6.debian.tar.gz
f213b7dcb1ee488a3596ea7c040a5cee 48866 perl optional libproc-processtable-perl_0.45-6_amd64.deb
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 10 Feb 2013 17:21:13 GMT)
Notification sent
to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer.
(Sun, 10 Feb 2013 17:21:13 GMT)
Subject: Bug#650500: fixed in libproc-processtable-perl 0.45-1+squeeze1
Date: Sun, 10 Feb 2013 17:17:04 +0000
Source: libproc-processtable-perl
Source-Version: 0.45-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
libproc-processtable-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 650500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libproc-processtable-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 10 Feb 2013 16:16:41 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl libproc-process-perl
Architecture: source amd64 all
Version: 0.45-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libproc-process-perl - Dummy package for libproc-processtable-perl rename
libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes:
libproc-processtable-perl (0.45-1+squeeze1) stable; urgency=low
.
* Team upload.
* [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage (Closes: #650500)
Checksums-Sha1:
4e18641f46d616d5457b2f12ccf42eed3c2c86ce 2183 libproc-processtable-perl_0.45-1+squeeze1.dsc
3c409fe6be688de7195135f7e33e38c9a880030d 5680 libproc-processtable-perl_0.45-1+squeeze1.diff.gz
9912e7115d1b40ec3315a4459abf1412dd5eba02 49400 libproc-processtable-perl_0.45-1+squeeze1_amd64.deb
af315467053b405e10629cf65b6f3cded4babac6 11966 libproc-process-perl_0.45-1+squeeze1_all.deb
Checksums-Sha256:
3bfe1b20ecfc30480d65ceb90d553681b30d92c4b8d28a8d3855b315d30b1334 2183 libproc-processtable-perl_0.45-1+squeeze1.dsc
7a3507ac3a11601b554a5797e0b7d104bfef26696b23c6cdde95c140ddfde07c 5680 libproc-processtable-perl_0.45-1+squeeze1.diff.gz
56460e24a9b951b590261df95d2ec80979a06d45f3089995c6ee31294703c56a 49400 libproc-processtable-perl_0.45-1+squeeze1_amd64.deb
d578af11e9829ed39da2a65430570c8e38a669119442e8f6848ad4bd6ba3a827 11966 libproc-process-perl_0.45-1+squeeze1_all.deb
Files:
7079b3a62b7edc5c0ac8afce6bd4dc48 2183 perl optional libproc-processtable-perl_0.45-1+squeeze1.dsc
f22cd0cb7e1246a627ae17cc4404bba7 5680 perl optional libproc-processtable-perl_0.45-1+squeeze1.diff.gz
ca4432e9471c28bd0148b1d05ed33719 49400 perl optional libproc-processtable-perl_0.45-1+squeeze1_amd64.deb
da7f77a2c99d6e789807c424188e3cae 11966 perl optional libproc-process-perl_0.45-1+squeeze1_all.deb
Added tag(s) pending.
Request was from pkg-perl-maintainers@lists.alioth.debian.org
to control@bugs.debian.org.
(Sun, 10 Feb 2013 17:24:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#650500; Package libproc-processtable-perl.
(Sun, 10 Feb 2013 17:24:12 GMT)