Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389839 (CVE-2011-4115) - <dev-perl/Parallel-ForkManager-1.20.0: Insecure Temporary Files (CVE-2011-4115)
Summary: <dev-perl/Parallel-ForkManager-1.20.0: Insecure Temporary Files (CVE-2011-4115)
Status: RESOLVED FIXED
Alias: CVE-2011-4115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46784/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-07 20:53 UTC by Agostino Sarubbo
Modified: 2013-10-17 09:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-07 20:53:35 UTC 
From secunia security advisory at $URL:

Description:
The security issue is caused due to the application using temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 0.7.9. Other versions may also be affected.


Solution:
Restrict access to trusted users only.
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2012-12-25 12:35:41 UTC 
Fixed in dev-perl/Parallel-ForkManager-1.20.0
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-25 16:15:15 UTC 
Arches, please test and mark stable:
=dev-perl/Parallel-ForkManager-1.20.0
Target keywords : "alpha amd64 ia64 sparc x86"
Comment 3 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-12-25 16:21:55 UTC 
(In reply to comment #2)
> Target keywords : "alpha amd64 ia64 sparc x86"

Have you forgot ppc?
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-25 16:30:53 UTC 
(In reply to comment #3)
> Have you forgot ppc?

No.

In case of security bugs, we stabilize only on arch which have stable keyword.
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:23 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:45 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-25 22:28:16 UTC 
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-28 15:09:21 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-29 08:54:20 UTC 
alpha stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 13:19:48 UTC 
GLSA vote: yes.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:48:13 UTC 
GLSA Vote: yes. Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:11:32 UTC 
This issue was resolved and addressed in
 GLSA 201310-11 at http://security.gentoo.org/glsa/glsa-201310-11.xml
by GLSA coordinator Sergey Popov (pinkbyte).