78634 2005-01-19 00:56 0000 dev-perl/DBI CAN-2005-0077 Insecure temporary files 2005-01-26 12:42:32 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0721.html A3 [glsa] jaervosz P2 normal --- 75696 1 jaervosz@gentoo.org security@gentoo.org esammer@gentoo.org mcummings@gentoo.org jaervosz@gentoo.org 2005-01-19 00:56:08 0000 Javier Fern jaervosz@gentoo.org 2005-01-19 00:56:08 0000 Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a tmporary file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the program. jaervosz@gentoo.org 2005-01-19 00:57:13 0000 No upstream patch yet. Will attach Debian workaround patch later if needed. koon@gentoo.org 2005-01-24 07:53:37 0000 Created an attachment (id=49377) CAN-2005-0077.patch Patch from Martin Schulze @ debian mcummings@gentoo.org 2005-01-24 13:07:06 0000 Patch looks to apply cleanly on all versions in dev-perl. Just give me the word and we can roll this out. jaervosz@gentoo.org 2005-01-24 13:19:57 0000 Micheal please attach the updated ebuild to this bug and we will call needed arch testers individually. mcummings@gentoo.org 2005-01-24 16:00:41 0000 Created an attachment (id=49432) as requested, 37-r1 mcummings@gentoo.org 2005-01-24 16:01:07 0000 Created an attachment (id=49433) 38-r1 mcummings@gentoo.org 2005-01-24 16:01:57 0000 two revision posted (based on KEYWORDing). 1.46 went into the tree as a new copy from upstream a few minutes ago (the two attached are in no way in portage atm). jaervosz@gentoo.org 2005-01-25 10:04:09 0000 This is public now. Micheal please commit the updated ebuild. mcummings@gentoo.org 2005-01-25 10:38:35 0000 posted koon@gentoo.org 2005-01-26 00:41:26 0000 GLSA should probably be grouped with bug 75696 (both Perl, both tmpfile vulns). Michael, could you please bump on dev-perl/perl side too ? koon@gentoo.org 2005-01-26 12:42:32 0000 GLSA 200501-38 49377 2005-01-24 07:53 0000 CAN-2005-0077.patch CAN-2005-0077.patch text/plain LS0tIGxpYmRiaS1wZXJsLTEuMjEub3JpZy9saWIvREJJL1Byb3h5U2VydmVyLnBtCisrKyBsaWJk YmktcGVybC0xLjIxL2xpYi9EQkkvUHJveHlTZXJ2ZXIucG0KQEAgLTMzLDEyICszMyw2IEBACiBw YWNrYWdlIERCSTo6UHJveHlTZXJ2ZXI7CiAKIAotbXkgJGhhdmVGaWxlU3BlYyA9IGV2YWwgeyBy ZXF1aXJlIEZpbGU6OlNwZWMgfTsKLW15ICR0bXBEaXIgPSAkaGF2ZUZpbGVTcGVjID8gRmlsZTo6 U3BlYy0+dG1wZGlyKCkgOgotICAgICgkRU5WeydUTVAnfSB8fCAkRU5WeydURU1QJ30gfHwgJy90 bXAnKTsKLW15ICRkZWZhdWx0UGlkRmlsZSA9ICRoYXZlRmlsZVNwZWMgPwotICAgIEZpbGU6OlNw ZWMtPmNhdGRpcigkdG1wRGlyLCAiZGJpcHJveHkucGlkIikgOiAiL3RtcC9kYmlwcm94eS5waWQi OwotCiAKICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKICMKQEAgLTEwNyw3ICsxMDEsOCBAQAogICAgIH0g ZWxzZSB7CiAJJG8tPnsnbW9kZSd9ID0gJ3NpbmdsZSc7CiAgICAgfQotICAgICRvLT57J3BpZGZp bGUnfSAgICA9ICRkZWZhdWx0UGlkRmlsZTsKKyAgICAjIE5vIHBpZGZpbGUgYnkgZGVmYXVsdCwg Y29uZmlndXJhdGlvbiBtdXN0IHByb3ZpZGUgb25lIGlmIG5lZWRlZAorICAgICRvLT57J3BpZGZp bGUnfSAgICA9ICdub25lJzsKICAgICAkby0+eyd1c2VyJ30gICAgICAgPSB1bmRlZjsKIH07CiAK QEAgLTQ5MSw3ICs0ODYsNyBAQAogPWl0ZW0gSTxwaWRmaWxlPiAoQjwtLXBpZGZpbGU9ZmlsZT4p CiAKIChVTklYIG9ubHkpIElmIHRoaXMgb3B0aW9uIGlzIHByZXNlbnQsIGEgUElEIGZpbGUgd2ls bCBiZSBjcmVhdGVkIGF0IHRoZQotZ2l2ZW4gbG9jYXRpb24uCitnaXZlbiBsb2NhdGlvbi4gRGVm YXVsdCBpcyBkbyBub3QgY3JlYXRlIGEgcGlkZmlsZS4KIAogPWl0ZW0gSTx1c2VyPiAoQjwtLXVz ZXI9dWlkPikKIApvbmx5IGluIHBhdGNoMjoKdW5jaGFuZ2VkOgotLS0gbGliZGJpLXBlcmwtMS4y MS5vcmlnL2RiaXByb3h5LlBMCisrKyBsaWJkYmktcGVybC0xLjIxL2RiaXByb3h5LlBMCkBAIC0x NDMsNyArMTQzLDcgQEAKID1pdGVtIEI8LS1waWRmaWxlPWZpbGU+CiAKIChVTklYIG9ubHkpIElm IHRoaXMgb3B0aW9uIGlzIHByZXNlbnQsIGEgUElEIGZpbGUgd2lsbCBiZSBjcmVhdGVkIGF0IHRo ZQotZ2l2ZW4gbG9jYXRpb24uCitnaXZlbiBsb2NhdGlvbi4gRGVmYXVsdCBpcyBkbyBub3QgY3Jl YXRlIGEgcGlkZmlsZS4KIAogPWl0ZW0gQjwtLXVzZXI9dWlkPgogCg== 49432 2005-01-24 16:00 0000 as requested, 37-r1 DBI-1.37-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA0IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2Rldi1wZXJsL0RCSS9EQkktMS4zNy5lYnVpbGQs diAxLjEwIDIwMDQvMTAvMTYgMjM6NTc6MjEgcmFjIEV4cCAkCmluaGVyaXQgcGVybC1tb2R1bGUg ZXV0aWxzCgpERVNDUklQVElPTj0iVGhlIFBlcmwgREJJIE1vZHVsZSIKU1JDX1VSST0iaHR0cDov L3d3dy5jcGFuLm9yZy9tb2R1bGVzL2J5LW1vZHVsZS9EQkkvJHtQfS50YXIuZ3oiCkhPTUVQQUdF PSJodHRwOi8vd3d3LmNwYW4ub3JnL21vZHVsZXMvYnktbW9kdWxlL0RCSS8ke1B9LnJlYWRtZSIK ClNMT1Q9IjAiCkxJQ0VOU0U9Inx8ICggQXJ0aXN0aWMgR1BMLTIgKSIKS0VZV09SRFM9Ing4NiBh bWQ2NCBwcGMgfmFscGhhIHNwYXJjIGhwcGEiCklVU0U9IiIKCkRFUEVORD0iJHtERVBFTkR9Cgk+ PWRldi1wZXJsL1BsUlBDLTAuMiIKCm15ZG9jPSJUb0RvIgoKc3JjX3VucGFjaygpewoJdW5wYWNr ICR7QX0KCWNkICR7U30KCWVwYXRjaCAke0ZJTEVTRElSfS9DQU4tMjAwNS0wMDc3LnBhdGNoCn0K 49433 2005-01-24 16:01 0000 38-r1 DBI-1.38-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA0IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2Rldi1wZXJsL0RCSS9EQkktMS4zOC5lYnVpbGQs diAxLjE2IDIwMDQvMTAvMTYgMjM6NTc6MjEgcmFjIEV4cCAkCgppbmhlcml0IHBlcmwtbW9kdWxl IGV1dGlscwoKREVTQ1JJUFRJT049IlRoZSBQZXJsIERCSSBNb2R1bGUiCkhPTUVQQUdFPSJodHRw Oi8vd3d3LmNwYW4ub3JnL21vZHVsZXMvYnktbW9kdWxlL0RCSS8ke1B9LnJlYWRtZSIKU1JDX1VS ST0iaHR0cDovL3d3dy5jcGFuLm9yZy9tb2R1bGVzL2J5LW1vZHVsZS9EQkkvJHtQfS50YXIuZ3oi CgpMSUNFTlNFPSJ8fCAoIEFydGlzdGljIEdQTC0yICkiClNMT1Q9IjAiCktFWVdPUkRTPSJ4ODYg fnBwYyBzcGFyYyBtaXBzIGFscGhhIGFybSBocHBhIGFtZDY0IGlhNjQgczM5MCBwcGM2NCIKSVVT RT0iIgoKREVQRU5EPSI+PWRldi1wZXJsL1BsUlBDLTAuMiIKCm15ZG9jPSJUb0RvIgoKc3JjX3Vu cGFjaygpewoJdW5wYWNrICR7QX0KCWNkICR7U30KCWVwYXRjaCAke0ZJTEVTRElSfS9DQU4tMjAw NS0wMDc3LnBhdGNoCn0K