Bug 392671 (CVE-2011-4363) - <dev-perl/Proc-ProcessTable-0.480.0 symlink attack (CVE-2011-4363)
Summary: <dev-perl/Proc-ProcessTable-0.480.0 symlink attack (CVE-2011-4363)
Status: RESOLVED FIXED
Alias: CVE-2011-4363
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: C3 [noglsa]
Reported: 2011-11-30 19:58 UTC by Agostino Sarubbo
Modified: 2013-08-20 10:15 UTC
Description Agostino Sarubbo gentoo-dev 2011-11-30 19:58:07 UTC
From Debian bugzilla at $URL:


Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.

If caching is enabled, there is a race condition in ProcessTable.pm that
allows arbitrary files to be overwritten:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
link points to is overwritten.  Alternatively wrong information can be
provided.

The relevant code path can be reached with

  perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
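
An added example (not Proc::ProcessTable's code and not the upstream fix) of the check-then-store pattern quoted above, rewritten so that a symlink at the cache path is never followed and a cache file written by another user is not trusted. The helper names load_cache and save_cache are assumptions, and the demo paths and data are constructed.

```perl
#!/usr/bin/perl
# Added example: symlink-safe cache handling (not Proc::ProcessTable's own code).
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);
use File::Temp qw(tempdir);
use Storable qw(store_fd fd_retrieve);

# Hypothetical helper: load the cache only if it is a regular file we own.
sub load_cache {
    my ($path) = @_;
    # O_NOFOLLOW makes the open fail if the final path component is a symlink.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh);    # fstat the open handle, not the path
    return unless @st && S_ISREG($st[2]) && $st[4] == $> && !($st[2] & 022);
    return eval { fd_retrieve($fh) };
}

# Hypothetical helper: write a new file exclusively, then rename it into place.
sub save_cache {
    my ($path, $data) = @_;
    my $tmp = "$path.$$." . int(rand(1e9));
    # O_EXCL refuses any existing name, including a planted symlink.
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "create $tmp: $!";
    store_fd($data, $fh) or die "store_fd failed";
    close($fh) or die "close: $!";
    # rename() replaces the name $path itself; it never writes through a link.
    rename($tmp, $path) or die "rename: $!";
    return 1;
}

# Constructed demo in a private temp directory: the cache path starts out as a
# symlink to another file, which must stay untouched.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim";
my $cache  = "$dir/TTYDEVS";
open(my $v, '>', $victim) or die "open: $!";
print $v "keep me\n";
close($v);
symlink($victim, $cache) or die "symlink: $!";

print "load via symlink: ", (defined load_cache($cache) ? "accepted" : "rejected"), "\n";
save_cache($cache, { 1024 => '/dev/pts/0' });
open($v, '<', $victim) or die "open: $!";
print "victim still reads: ", scalar(<$v>);
print "cache is a symlink: ", (-l $cache ? "yes" : "no"), "\n";
print "reloaded tty: ", load_cache($cache)->{1024}, "\n";
```

In a sticky directory such as /tmp, the rename fails instead of replacing an entry that another user owns, so the write is refused rather than redirected.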
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-08 22:37:56 UTC
CVE-2011-4363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4363):
  ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY
  information caching is enabled, allows local users to overwrite arbitrary
  files via a symlink attack on /tmp/TTYDEVS.
Comment 2 Sergey Popov (RETIRED) gentoo-dev 2013-07-17 21:43:18 UTC
According to https://rt.cpan.org/Public/Bug/Display.html?id=72862 this is fixed in 0.47 (0.470.0 in Gentoo versioning system)
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-18 14:13:53 UTC
version 0.480.0 in the tree
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2013-07-18 14:34:03 UTC
(In reply to Mikle Kolyada from comment #3)
> version 0.480.0 in the tree

Thanks. Arches, please test and mark stable =dev-perl/Proc-ProcessTable-0.480.0

Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-18 15:52:05 UTC
Stable for HPPA.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-18 16:27:57 UTC
amd64/x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-21 15:36:41 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-21 15:39:29 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-21 16:07:28 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-21 17:24:02 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:53 UTC
sparc stable
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2013-07-26 12:12:04 UTC
Ready for vote, I vote NO.
Comment 13 Sergey Popov (RETIRED) gentoo-dev 2013-08-20 10:15:14 UTC
GLSA vote: No

Closing as noglsa