https://bugzilla.redhat.com/show_bug.cgi?id=753955

--- Comment #4 from Petr Pisar <ppisar@xxxxxxxxxx> 2011-12-02 09:48:55 EST ---

Upstream has released PAR-Packer-1.011 with respect to this vulnerability. It states in the change log that this version fixes this issue:

[Changes for 1.011 - Dec 1, 2011]

* Bug fixes, etc.
  - RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
    and predictable temporary directories
    - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
    - if it already exists, make sure that (and bail out if not)
      - it's not a symlink
      - it's mode 0700
      - it's owned by USER
    - depend on PAR 1.004 (which contains the other half of the fix
      for CVE-2011-4114)

and that the complete fix requires PAR-1.004 (advertised here in comment #2).

As you can see, upstream does not check path components. Is this fix sufficient? In my opinion, it is. I think any code needs a safe entry point, and assuming the parent directory is safe is one of these.
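The three checks quoted from the changelog (not a symlink, mode 0700, owned by the user), together with creating the directory with mode 0700 when it does not exist, are the whole of the per-directory part of the fix. The following is an added example, not code from PAR-Packer or from the comment above: a Python rendering of those checks, written to show why the existing-directory case must be inspected with lstat rather than stat (so a symlink planted at the path is rejected instead of followed). As in upstream, only the final directory is checked, not the path components leading to it. The function name ensure_private_dir, the exception class, and the scratch paths in run_demo are all constructed for this illustration; the directory name par-USER is taken from the changelog.

```python
import os
import shutil
import stat
import tempfile


class UnsafeCacheDir(Exception):
    """Raised when an existing cache directory fails one of the safety checks."""

    def __init__(self, path, reason):
        super().__init__(f"{path}: {reason}")
        self.reason = reason


def ensure_private_dir(path, owner_uid=None):
    """Create `path` with mode 0700, or verify that an existing one is safe.

    Mirrors the PAR-Packer 1.011 changelog: an existing directory must not be
    a symlink, must be mode 0700 and must be owned by the current user.
    Returns "created" or "verified"; raises UnsafeCacheDir otherwise.
    (Hypothetical helper written for this example, not the project's API.)
    """
    if owner_uid is None:
        owner_uid = os.getuid()  # POSIX only, like the /tmp/par-USER scheme itself
    try:
        os.mkdir(path, 0o700)  # umask can only clear bits, so the result is never looser
        return "created"
    except FileExistsError:
        pass  # something already sits at that path: inspect it without following links
    st = os.lstat(path)  # lstat, not stat: a symlink must be seen as a symlink
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeCacheDir(path, "is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(path, "not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        raise UnsafeCacheDir(path, f"mode is {oct(mode)}, expected 0o700")
    if st.st_uid != owner_uid:
        raise UnsafeCacheDir(path, f"owned by uid {st.st_uid}, expected {owner_uid}")
    return "verified"


def _outcome(path, owner_uid=None):
    """Run the check and fold the accept/reject result into a string."""
    try:
        return ensure_private_dir(path, owner_uid)
    except UnsafeCacheDir as exc:
        return "rejected: " + exc.reason


def run_demo():
    """Exercise the cases from the changelog in a private scratch directory.

    Everything here is constructed for the demonstration and removed afterwards.
    """
    base = tempfile.mkdtemp(prefix="par-demo-")
    results = {}
    try:
        # 1. Fresh cache dir: created with 0700, then accepted on re-entry.
        good = os.path.join(base, "par-USER")
        results["fresh"] = ensure_private_dir(good)
        results["again"] = ensure_private_dir(good)

        # 2. Pre-existing directory with loose permissions: rejected.
        loose = os.path.join(base, "par-loose")
        os.mkdir(loose, 0o755)
        os.chmod(loose, 0o755)  # defeat a restrictive umask so the test is deterministic
        results["loose"] = _outcome(loose)

        # 3. Pre-existing symlink at the cache path: rejected, even though
        #    its target is itself a 0700 directory owned by us.
        target = os.path.join(base, "somewhere-else")
        os.mkdir(target, 0o700)
        link = os.path.join(base, "par-link")
        os.symlink(target, link)
        results["symlink"] = _outcome(link)

        # 4. Ownership mismatch, simulated by asking for a uid we are not.
        results["wrong_owner"] = _outcome(good, os.getuid() + 1)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:12s} {outcome}")
```

The mkdir-first ordering matters: attempting the creation before looking at the path means there is no window between "check that nothing is there" and "create it" for another local user to fill. Only when mkdir reports that the path already exists does the code fall back to inspecting it, and it does so with lstat so that a symlink is judged on its own attributes rather than on whatever it points at.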