commit 88f43bf7a8840b8285a50afab968c4c9bdc04c01 Author: Petr Písař <ppisar@xxxxxxxxxx> Date: Tue Dec 6 15:11:15 2011 +0100 Fix CVE-2011-4114 perl-PAR-Packer-1.010-CVE-2011-4114.patch | 84 +++++++++++++++++++++++++++++ perl-PAR-Packer.spec | 8 +++- 2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer-1.010-CVE-2011-4114.patch b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
new file mode 100644
index 0000000..b951322
--- /dev/null
+++ b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
@@ -0,0 +1,84 @@
+From 9aa3d40e0b24bbd3dfa5d51198ffc289fa901c9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Tue, 6 Dec 2011 14:22:04 +0100
+Subject: [PATCH] Fix CVE-2011-4114 ported for 1.010.
+
+From: r1296 | rschupp | 2011-11-14 21:01:18 +0100 (Po, 14 lis 2011) | 11 lines
+
+myldr/mktmpdir.c:
+- (par_mktmpdir) CVE-2011-4114:
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, check that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+
+NOTE: PAR contains a "copy" of par_mktmpdir (in Perl); this
+must be fixed as well and we must require the fixed version.
+
+Adjusted error message from r1313 is included.
+---
+ myldr/mktmpdir.c | 38 +++++++++++++++++++++++++++++++++++---
+ 1 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/myldr/mktmpdir.c b/myldr/mktmpdir.c
+index 6699831..2293268 100644
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -161,10 +161,42 @@ char *par_mktmpdir ( char **argv ) {
+ stmpdir2 is the top $TEMP/par-$USER, needed to build stmpdir. We
+ need 2 buffers because snprintf() can't write to a buffer it's
+ reading from. */
+- stmpdir = malloc( stmp_len );
+ stmpdir2 = malloc( stmp_len );
+ sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+- my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++ _mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */
++#else
++ {
++ struct stat st;
++
++ if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++ fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ /* now check that:
++ * - stmpdir2 is a directory (and not a symlink)
++ * - stmpdir2 is owned by the user
++ * - stmpdir2 has mode 0700
++ */
++ if (lstat(stmpdir2, &st) == -1) {
++ fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ if (!S_ISDIR(st.st_mode)
++ || st.st_uid != getuid()
++ || (st.st_mode & 0777) != 0700 ) {
++ fprintf(stderr, "%s: private subdirectory %s is unsafe (please remove it and retry your operation)\n",
++ argv[0], stmpdir2);
++ return NULL;
++ }
++ }
++#endif
++
++ stmpdir = malloc( stmp_len );
+
+ /* Doesn't really work - XXX */
+ val = par_getenv( "PATH" );
+@@ -250,7 +282,7 @@ char *par_mktmpdir ( char **argv ) {
+ a prior invocation crashed leaving garbage in a temp directory that
+ might interfere. */
+
+- while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++ while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+ sprintf(
+ stmpdir,
+ "%s%stemp-%u-%u%s",
+--
+1.7.7.4
+
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index 9473177..c0004b4 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
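Review bot: The three added `return NULL;` exits in the non-WIN32 block of `par_mktmpdir` return while `stmpdir2` is still allocated; a `free(stmpdir2);` before each return would close that leak, and the caller (not visible here) has to treat NULL as fatal rather than continue without a temp directory. The WIN32 branch ignores the `_mkdir` result and performs no type or owner check, as its own FIXME says, so the hardening applies only to the POSIX build. The `lstat` verdict also holds only while other users cannot rename or replace `par-USER` inside `tmpdir` (a sticky-bit /tmp gives that guarantee); where `tmpdir` is chosen lies outside the hunk, as do the start and end of the function.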
@@ -1,11 +1,13 @@ Name: perl-PAR-Packer Version: 1.005 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PAR Packager License: GPL+ or Artistic Group: Development/Libraries URL: http://search.cpan.org/dist/PAR-Packer/ Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-Packer-%{version}.tar.gz +# Fix CVE-2011-4114, bug #753957, included in upstream 1.011. +Patch0: perl-PAR-Packer-1.010-CVE-2011-4114.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: perl(Archive::Zip) >= 1 BuildRequires: perl(Compress::Zlib) >= 1.3 @@ -23,6 +25,7 @@ stand-alone executables, perl scripts and PAR files. %prep %setup -q -n PAR-Packer-%{version} +%patch0 -p1 %build # DEBUG variable needed to disable stripping binary @@ -64,6 +67,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Tue Dec 06 2011 Petr Pisar <ppisar@xxxxxxxxxx> - 1.005-4 +- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #753957) + * Fri Feb 25 2011 Petr Pisar <ppisar@xxxxxxxxxx> - 1.005-3 - Do not strip binaries -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
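Review bot: The spec adds `Patch0` but no versioned dependency on a fixed PAR, although the patch description says the Perl copy of par_mktmpdir in PAR "must be fixed as well and we must require the fixed version"; a line such as `Requires: perl(PAR) >= <fixed-version>` (placeholder) would enforce that, unless the perl-PAR package is updated in lockstep. The patch file is labelled 1.010 while `Version:` is 1.005, so it is worth confirming that `%patch0 -p1` applies without fuzz and that the 1.005 caller of `par_mktmpdir` checks for the NULL return the patch relies on.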