
Bug 389839 (CVE-2011-4115)

Summary: <dev-perl/Parallel-ForkManager-1.20.0: Insecure Temporary Files (CVE-2011-4115)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: perl
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/46784/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-11-07 20:53:35 UTC
From the Secunia security advisory at $URL:

Description:
The security issue is caused due to the application using temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 0.7.9. Other versions may also be affected.


Solution:
Restrict access to trusted users only.
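The symlink risk named in the advisory text above, as an added example (not code from Parallel::ForkManager or from this bug report): a generic Perl sketch that contrasts a predictable temp-file name opened with plain `open()` against exclusive creation and `File::Temp`. The sandbox directory, the `myapp-` prefix and the file names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox: a private directory stands in for a shared /tmp.
my $shared = tempdir(CLEANUP => 1);
my $victim = "$shared/important.conf";   # file that must not be touched
my $guess  = "$shared/myapp-$$.tmp";     # hypothetical PID-based temp name

sub slurp { open(my $fh, '<', $_[0]) or die "$_[0]: $!"; local $/; return <$fh> }

# Weak pattern: open() follows an existing symlink and truncates its target.
sub write_insecure {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} $data;
    return close($fh);
}

# Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
# included, already exists at the path, so nothing is followed.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $data;
    return close($fh);
}

# Preferred: File::Temp picks an unpredictable name and opens it exclusively.
sub write_tempfile {
    my ($dir, $data) = @_;
    my ($fh, $name) = tempfile('myapp-XXXXXXXX', DIR => $dir, UNLINK => 1);
    print {$fh} $data;
    close($fh) or die "close: $!";
    return $name;
}

write_insecure($victim, "original\n") or die "setup failed";
symlink($victim, $guess) or die "symlink: $!";   # constructed precondition

printf "exclusive open refused: %s\n", write_exclusive($guess, "scratch\n") ? 'no' : 'yes';
printf "tempfile written to:    %s\n", write_tempfile($shared, "scratch\n");
printf "target after safe runs: %s", slurp($victim);
write_insecure($guess, "scratch\n");
printf "target after open('>'): %s", slurp($victim);
```

The two safe paths leave the target file unchanged; only the plain `open('>')` on the predictable name writes through the link.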
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2012-12-25 12:35:41 UTC
Fixed in dev-perl/Parallel-ForkManager-1.20.0
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-25 16:15:15 UTC
Arches, please test and mark stable:
=dev-perl/Parallel-ForkManager-1.20.0
Target keywords : "alpha amd64 ia64 sparc x86"
Comment 3 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-12-25 16:21:55 UTC
(In reply to comment #2)
> Target keywords : "alpha amd64 ia64 sparc x86"

Have you forgotten ppc?
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-25 16:30:53 UTC
(In reply to comment #3)
> Have you forgotten ppc?

No.

In the case of security bugs, we stabilize only on arches which have a stable keyword.
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:23 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:45 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-25 22:28:16 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-28 15:09:21 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-29 08:54:20 UTC
alpha stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 13:19:48 UTC
GLSA vote: yes.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:48:13 UTC
GLSA Vote: yes. Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:11:32 UTC
This issue was resolved and addressed in
 GLSA 201310-11 at http://security.gentoo.org/glsa/glsa-201310-11.xml
by GLSA coordinator Sergey Popov (pinkbyte).