Debian Bug report logs - #650707
libpar-perl: PAR packed files are extracted to unsafe and predictable temporary directories


Package: libpar-perl; Maintainer for libpar-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libpar-perl is src:libpar-perl.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 2 Dec 2011 06:39:02 UTC

Severity: important

Tags: security

Found in versions libpar-perl/1.002-1, libpar-perl/1.000-1

Fixed in versions libpar-perl/1.005-1, libpar-perl/1.000-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#650707; Package libpar-perl. (Fri, 02 Dec 2011 06:39:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 02 Dec 2011 06:39:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpar-perl: PAR packed files are extracted to unsafe and predictable temporary directories
Date: Fri, 02 Dec 2011 07:36:02 +0100
Package: libpar-perl
Version: 1.002-1
Severity: important
Tags: security

Hi

The changelog for the new upstream release of libpar-perl contains:

[Changes for 1.004 - Nov 30, 2011]
  - back out r1241: it causes errors in PAR::Packer's test suite
  - change "unsafe directory" error message to match the wording 
    used by PAR::Packer
  - remove "debian" sub directory: it isn't released to CPAN and
    Debian will supply its own anyway
  - remove some cruft from MANIFEST.SKIP

[Changes for 1.003 - Nov 28, 2011]
  -  RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
     and predictable temporary directories
     (Note: this bug was originally reported against PAR::Packer, but
     it applies to PAR as well)
     - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
     - if it already exists, make sure that (and bail out if not)
       - it's not a symlink
       - it's mode 0700
       - it's owned by USER
  - Fix a problem packing XML::LibXSLT on Windows (see the thread starting 
    with http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
  - Die (with a hopefully useful message) if any error is encountered 
    during an Archive::Zip extract operation

Versions before 1.003 had the issue that PAR packed files are extracted
to unsafe and predictable temporary directories [1].

 [1] https://rt.cpan.org/Public/Bug/Display.html?id=69560

This is CVE-2011-4114.

Regards
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
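The fix described in the 1.003 changelog quoted above (create /tmp/par-USER with mode 0700; if it already exists, refuse it unless it is a directory rather than a symlink, is mode 0700 and is owned by USER) is the standard defence against a predictable path that any local user can pre-create in a world-writable /tmp. What follows is an added illustration written for this page in Python; it is not PAR's own code, and the function names (ensure_private_dir, par_cache_parent), the user names alice/bob/carol and the scratch directory standing in for /tmp are this example's own constructions. It runs the same four checks against a fresh path, a symlink planted under the predictable name (the CVE-2011-4114 scenario), a pre-existing world-writable directory, and a directory with the wrong owner.

```python
import os
import stat
import tempfile


def par_cache_parent(tmpdir: str, user: str) -> str:
    """The predictable per-user cache parent the changelog refers to
    (/tmp/par-USER). Because every local user can guess this name, an
    attacker can pre-create it, or a symlink with that name, in /tmp."""
    return os.path.join(tmpdir, "par-" + user)


def ensure_private_dir(path: str, uid: int) -> str:
    """Create `path` with mode 0700, or verify that an existing `path` is safe.

    Re-implements the checks listed in the PAR 1.003 changelog (example code,
    not PAR's own): the entry must not be a symlink, must be a directory,
    must be owned by `uid`, and must be exactly mode 0700. Anything else
    raises RuntimeError, the counterpart of PAR's "unsafe directory" error.
    """
    try:
        os.mkdir(path, 0o700)          # atomic: fails with EEXIST if anything is there
    except FileExistsError:
        pass                           # pre-existing entry: inspect it below
    st = os.lstat(path)                # lstat, never stat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"{path}: unsafe directory (symlink)")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path}: unsafe directory (not a directory)")
    if st.st_uid != uid:
        raise RuntimeError(f"{path}: unsafe directory (owned by uid {st.st_uid}, expected {uid})")
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise RuntimeError(f"{path}: unsafe directory (mode {stat.S_IMODE(st.st_mode):04o}, expected 0700)")
    return path


def _accepted(path: str, uid: int) -> bool:
    """True if ensure_private_dir() accepts `path`, False if it bails out."""
    try:
        ensure_private_dir(path, uid)
        return True
    except RuntimeError:
        return False


def demo() -> dict:
    """Run the check over constructed layouts in a scratch directory that stands
    in for /tmp. Returns {case: outcome} so the result can be asserted on."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        # Case 1: nothing there yet. mkdir(0700) succeeds and the result passes.
        fresh = par_cache_parent(scratch, "alice")
        results["fresh"] = _accepted(fresh, uid)
        results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)

        # Case 2: the CVE-2011-4114 scenario. Another local user planted a
        # symlink under the predictable name, pointing at a directory they own;
        # code that followed it would extract (and then run) files there.
        attacker_dir = os.path.join(scratch, "attacker-controlled")
        os.mkdir(attacker_dir)
        os.symlink(attacker_dir, par_cache_parent(scratch, "bob"))
        results["symlink"] = _accepted(par_cache_parent(scratch, "bob"), uid)

        # Case 3: a real directory exists but is world-writable (e.g. left over
        # from a permissive umask). The exact-mode check rejects it.
        loose = par_cache_parent(scratch, "carol")
        os.mkdir(loose)
        os.chmod(loose, 0o777)         # explicit chmod so umask cannot mask the case
        results["world_writable"] = _accepted(loose, uid)

        # Case 4: ownership. An unprivileged process cannot chown to another
        # user, so simulate a foreign owner by checking alice's directory
        # against a different expected uid.
        results["wrong_owner"] = _accepted(fresh, uid + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

Two points worth noting. The mode comparison is exact (0700, not "at least owner-only"), which is why the squeeze upload later in this log had to run the test suite under a nonce PAR_TMPDIR: a /tmp/par-USER left behind by an earlier build with a looser mode is now refused rather than reused. The check also leans on the sticky bit of /tmp: once the user owns a 0700 directory there, another local user can neither remove nor rename it, so the state verified by lstat() cannot be swapped out afterwards; in a parent directory without the sticky bit that guarantee does not hold, and a private location such as PAR_TMPDIR is the safer choice.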




Bug Marked as found in versions libpar-perl/1.000-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Dec 2011 21:03:05 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 03 Dec 2011 21:57:03 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 03 Dec 2011 21:57:03 GMT)

Message #12 received at 650707-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650707-close@bugs.debian.org
Subject: Bug#650707: fixed in libpar-perl 1.005-1
Date: Sat, 03 Dec 2011 21:55:25 +0000
Source: libpar-perl
Source-Version: 1.005-1

We believe that the bug you reported is fixed in the latest version of
libpar-perl, which is due to be installed in the Debian FTP archive:

libpar-perl_1.005-1.debian.tar.gz
  to main/libp/libpar-perl/libpar-perl_1.005-1.debian.tar.gz
libpar-perl_1.005-1.dsc
  to main/libp/libpar-perl/libpar-perl_1.005-1.dsc
libpar-perl_1.005-1_all.deb
  to main/libp/libpar-perl/libpar-perl_1.005-1_all.deb
libpar-perl_1.005.orig.tar.gz
  to main/libp/libpar-perl/libpar-perl_1.005.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650707@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpar-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Dec 2011 21:50:05 +0100
Source: libpar-perl
Binary: libpar-perl
Architecture: source all
Version: 1.005-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpar-perl - Perl redistributable module packaging framework
Closes: 650707
Changes: 
 libpar-perl (1.005-1) unstable; urgency=low
 .
   * Team upload.
 .
   [ Ansgar Burchardt ]
   * debian/control: Convert Vcs-* fields to Git.
 .
   [ Salvatore Bonaccorso ]
   * debian/copyright: Replace DEP5 Format-Specification URL from
     svn.debian.org to anonscm.debian.org URL.
   * Imported Upstream version 1.005
     - Fixes CVE-2011-4114: PAR packed files are extracted to unsafe
       and predictable temporary directories. (Closes: #650707).
   * Refresh debian/copyright file.
     Update copyright years for included inc/Module/* files.
     Remove copyright stanza for inc/Test/Builder/IO/Scalar.pm as this is not
     included anymore in the source package.
Checksums-Sha1: 
 668d31cc75b8da3b12b09064fb5a53497e25497b 2242 libpar-perl_1.005-1.dsc
 2d9c1ff3a243607374e3f9f1fb61c3d1bb4d8dc1 88293 libpar-perl_1.005.orig.tar.gz
 1f4124ebe2e3334a7147c17459c662552962680a 5246 libpar-perl_1.005-1.debian.tar.gz
 55bb4c6de9af3bb34968b99e15e561ac6b67b87c 102476 libpar-perl_1.005-1_all.deb
Checksums-Sha256: 
 9fbb60191b160a1b8ec0ece854f596534549d5ab643cc41f1fc6dcb33ac02825 2242 libpar-perl_1.005-1.dsc
 c5e2aeb0380c132de251c3f4eb2fad3953967b94b2869f800956aaceab5c484f 88293 libpar-perl_1.005.orig.tar.gz
 08fe880f673aabb3b7812a63dc46f93ba4f8fa04d77cb90fe50d2e28daaff044 5246 libpar-perl_1.005-1.debian.tar.gz
 188fe5612a4a0bede21163cd1c6f10b08a7d66f13434dbf3684fa3b944e9368d 102476 libpar-perl_1.005-1_all.deb
Files: 
 4fc34a18a2ac014b3afd56730cfd5f6c 2242 perl optional libpar-perl_1.005-1.dsc
 a1a7d8cc4deb106c3e04b190fa2d9325 88293 perl optional libpar-perl_1.005.orig.tar.gz
 c375bf20d999f50c278c53c0735b10d9 5246 perl optional libpar-perl_1.005-1.debian.tar.gz
 dfa684e90e6f7ff3838f304afe19615d 102476 perl optional libpar-perl_1.005-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#650707; Package libpar-perl. (Wed, 07 Dec 2011 20:06:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 07 Dec 2011 20:06:05 GMT)

Message #17 received at 650707@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650707@bugs.debian.org
Subject: Preliminary proposed debdiff for Squeeze
Date: Wed, 7 Dec 2011 21:03:21 +0100
Hi

Attached is a (preliminary) proposed debdiff for the issue, and
applying for squeeze (this is prepared in git repository but not yet
pushed).

I did not find time to do the same for libpar-packer-perl so far.

Regards
Salvatore
[debdiff_libpar-perl_1.000-1+squeeze1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 28 Dec 2011 02:00:06 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Dec 2011 02:00:06 GMT)

Message #22 received at 650707-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 650707-close@bugs.debian.org
Subject: Bug#650707: fixed in libpar-perl 1.000-1+squeeze1
Date: Wed, 28 Dec 2011 01:57:00 +0000
Source: libpar-perl
Source-Version: 1.000-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libpar-perl, which is due to be installed in the Debian FTP archive:

libpar-perl_1.000-1+squeeze1.debian.tar.gz
  to main/libp/libpar-perl/libpar-perl_1.000-1+squeeze1.debian.tar.gz
libpar-perl_1.000-1+squeeze1.dsc
  to main/libp/libpar-perl/libpar-perl_1.000-1+squeeze1.dsc
libpar-perl_1.000-1+squeeze1_all.deb
  to main/libp/libpar-perl/libpar-perl_1.000-1+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650707@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpar-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Dec 2011 20:31:44 +0100
Source: libpar-perl
Binary: libpar-perl
Architecture: source all
Version: 1.000-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpar-perl - Perl redistributable module packaging framework
Closes: 650707
Changes: 
 libpar-perl (1.000-1+squeeze1) stable; urgency=low
 .
   * Team upload.
   * Add create-safe-temporary-directories.patch patch.
     Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
     predictable temporary directories. (Closes: #650707)
   * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch.
     Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER
     directory from previous builds may now be considered "unsafe")
Checksums-Sha1: 
 873327edce87a8012d8ebbb8d788b8d121ba0668 2327 libpar-perl_1.000-1+squeeze1.dsc
 55674fd6d791526dd0219863ab67803c23812245 6806 libpar-perl_1.000-1+squeeze1.debian.tar.gz
 ba80dd4a1b190620a4b7e988700b07244a69fba9 101240 libpar-perl_1.000-1+squeeze1_all.deb
Checksums-Sha256: 
 9ab061ce8fcbd128c825559778932c2bbeb7ed6071cfa3fe5cd72c0a73a96334 2327 libpar-perl_1.000-1+squeeze1.dsc
 ec19a76109204f14fa1a1a4e723641f29e8354bf1cce4c91a78aa9be54c27700 6806 libpar-perl_1.000-1+squeeze1.debian.tar.gz
 a97dd5ebfd4155b34db35dc5dd4e83716ec48d08467bdbc7d73bec5c47cf87ef 101240 libpar-perl_1.000-1+squeeze1_all.deb
Files: 
 fabd8652d73edad3f4a144584d0f8050 2327 perl optional libpar-perl_1.000-1+squeeze1.dsc
 b7f47bf949d8a978ad6aca72673cae4c 6806 perl optional libpar-perl_1.000-1+squeeze1.debian.tar.gz
 26d712257dae39b9fa116546697bf46e 101240 perl optional libpar-perl_1.000-1+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Jan 2012 07:33:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:24:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.