Debian Bug report logs - #650706
libpar-packer-perl: PAR packed files are extracted to unsafe and predictable temporary directories

Package: libpar-packer-perl; Maintainer for libpar-packer-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libpar-packer-perl is src:libpar-packer-perl.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 2 Dec 2011 06:36:01 UTC

Severity: important

Tags: security

Found in versions libpar-packer-perl/1.010-1, libpar-packer-perl/1.006-1

Fixed in versions libpar-packer-perl/1.012-1, libpar-packer-perl/1.006-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#650706; Package libpar-packer-perl. (Fri, 02 Dec 2011 06:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 02 Dec 2011 06:36:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpar-packer-perl: PAR packed files are extracted to unsafe and predictable temporary directories
Date: Fri, 02 Dec 2011 07:33:16 +0100
Package: libpar-packer-perl
Version: 1.010-1
Severity: important
Tags: security

Hi

Changelog for 1.011 contains:

  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER

  - depend on PAR 1.004 (which contains the other half of the 
    fix for CVE-2011-4114)

  - bump Perl version requirement to 5.8.1 (Schwern: The End Of 5.6 Is Nigh!)
  - explicitly mark Perl 5.10.0 as an unsupported version

libpar-packer-perl before 1.011 had the issue that PAR packed files
are extracted to unsafe and predictable temporary directories
according to the bugtracker [1] and changelog.

 [1] https://rt.cpan.org/Public/Bug/Display.html?id=69560

This is CVE-2011-4114.

Regards
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
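The three conditions listed in the quoted 1.011 changelog, written out as an added Python illustration (not PAR::Packer's own Perl code): create the cache parent with mode 0700, and if it already exists refuse it unless it is a real directory, mode 0700 and owned by the caller. The directory names under a scratch tmpdir are constructed for the demo, and the `uid` parameter is a hypothetical hook used only to simulate a foreign owner.

```python
import os
import stat
import tempfile

def ensure_private_cache_dir(path, uid=None):
    """Create path with mode 0700, or verify an existing one is safe (not a
    symlink, mode 0700, owned by uid) as the 1.011 changelog describes."""
    uid = os.getuid() if uid is None else uid
    try:
        os.mkdir(path, 0o700)   # EEXIST if anything (file, dir, symlink) is there
        os.chmod(path, 0o700)   # mkdir's mode is subject to umask, so pin it
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)         # lstat so a symlink is reported as a symlink
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a directory")
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):o}, expected 700")
    if st.st_uid != uid:
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not {uid}")
    return path

def outcome(path, uid=None):
    """'ok' when the directory is usable, otherwise the rejection reason."""
    try:
        ensure_private_cache_dir(path, uid)
        return "ok"
    except PermissionError as e:
        return str(e).split(": ", 1)[1]

def demo():
    """Constructed scenarios under a scratch tmpdir, not real PAR caches."""
    base = tempfile.mkdtemp()
    fresh, loose, link = (os.path.join(base, n) for n in ("par-fresh", "par-loose", "par-link"))
    results = {"fresh": outcome(fresh),
               "fresh_mode": stat.S_IMODE(os.lstat(fresh).st_mode)}
    os.mkdir(loose); os.chmod(loose, 0o755)   # leftover dir that other users can read
    results["loose"] = outcome(loose)
    os.symlink(base, link)                    # symlink sitting where the dir should be
    results["symlink"] = outcome(link)
    results["wrong_owner"] = outcome(fresh, uid=os.getuid() + 1)   # simulate foreign owner
    return results
```

Doing the mkdir first and inspecting only on EEXIST matters: a check-then-create sequence leaves a window in which a predictable name like /tmp/par-USER can already have been created by someone else.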




Bug Marked as found in versions libpar-packer-perl/1.006-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Dec 2011 21:03:07 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 04 Dec 2011 07:21:07 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 04 Dec 2011 07:21:08 GMT) Full text and rfc822 format available.

Message #12 received at 650706-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650706-close@bugs.debian.org
Subject: Bug#650706: fixed in libpar-packer-perl 1.012-1
Date: Sun, 04 Dec 2011 07:20:28 +0000
Source: libpar-packer-perl
Source-Version: 1.012-1

We believe that the bug you reported is fixed in the latest version of
libpar-packer-perl, which is due to be installed in the Debian FTP archive:

libpar-packer-perl_1.012-1.debian.tar.gz
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.012-1.debian.tar.gz
libpar-packer-perl_1.012-1.dsc
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.012-1.dsc
libpar-packer-perl_1.012-1_amd64.deb
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.012-1_amd64.deb
libpar-packer-perl_1.012.orig.tar.gz
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.012.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpar-packer-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Dec 2011 07:52:40 +0100
Source: libpar-packer-perl
Binary: libpar-packer-perl
Architecture: source amd64
Version: 1.012-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpar-packer-perl - utility for creating PAR archives and stand-alone executables
Closes: 650706
Changes: 
 libpar-packer-perl (1.012-1) unstable; urgency=low
 .
   * Team upload.
   * Imported Upstream version 1.012
     - Fixes CVE-2011-4114: PAR packed files are extracted to unsafe
       and predictable temporary directories. (Closes: #650706).
   * Refresh debian/copyright file.
     Update copyright years for included inc/Module/*
     Drop stanzas for inc/ included modules which are not anymore provided in
     source archive.
   * Update dependency on libmodule-scandeps-perl.
     Update versioned (Build-)Depends on libmodule-scandeps-perl to
     (>= 1.05).
   * Update dependency on libpar-perl.
     Update versioned (Build-)Depends on libpar-perl to (>= 1.005).
   * Refresh 01_manpage-ext.patch patch (offsets)
   * Refresh fix-with-new-par-name patch (offsets)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#650706; Package libpar-packer-perl. (Tue, 13 Dec 2011 21:12:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 13 Dec 2011 21:16:17 GMT) Full text and rfc822 format available.

Message #17 received at 650706@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650706@bugs.debian.org
Subject: Proposed patch for Squeeze for libpar-packer-perl
Date: Tue, 13 Dec 2011 22:08:10 +0100
[Message part 1 (text/plain, inline)]
Hi

here is the proposed debdiff so far for the upload to Squeeze.

Regards
Salvatore
[debdiff_libpar-packer-perl_1.006-1+squeeze1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 28 Dec 2011 13:57:08 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Dec 2011 13:57:08 GMT) Full text and rfc822 format available.

Message #22 received at 650706-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650706-close@bugs.debian.org
Subject: Bug#650706: fixed in libpar-packer-perl 1.006-1+squeeze1
Date: Wed, 28 Dec 2011 13:55:38 +0000
Source: libpar-packer-perl
Source-Version: 1.006-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libpar-packer-perl, which is due to be installed in the Debian FTP archive:

libpar-packer-perl_1.006-1+squeeze1.debian.tar.gz
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.006-1+squeeze1.debian.tar.gz
libpar-packer-perl_1.006-1+squeeze1.dsc
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.006-1+squeeze1.dsc
libpar-packer-perl_1.006-1+squeeze1_amd64.deb
  to main/libp/libpar-packer-perl/libpar-packer-perl_1.006-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpar-packer-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Dec 2011 20:44:15 +0100
Source: libpar-packer-perl
Binary: libpar-packer-perl
Architecture: amd64 source
Version: 1.006-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 650706
Description: 
 libpar-packer-perl - utility for creating PAR archives and stand-alone executables
Changes: 
 libpar-packer-perl (1.006-1+squeeze1) stable; urgency=low
 .
   * Team upload.
   * Add create-safe-temporary-directories.patch patch.
     Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
     predictable temporary directories. (Closes: #650706)
   * Bump (Build-)Depends on libpar-perl.
     Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this
     version contains the other half of the fix for CVE-2011-4114.
   * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch.
     Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER
     directory from previous builds may now be considered "unsafe")

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Jan 2012 07:33:15 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 15:50:20 2014; Machine Name: beach.debian.org
