Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 66360

Summary: dev-lang/perl: Insecure tempfile handling
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: mcummings, perl, rac
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A3 [glsa] lewk
Package list:
Runtime testing required: ---
Description Flags
Edited version none

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:38:49 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:39:16 UTC
Created attachment 41099 [details, diff]

Trustix patch to fix tempfile insecurities.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:40:05 UTC
perl herd,

please verify and apply patch if necessary.  perl-5.8.4-r1 looks to be vulnerable to this issue.
Comment 3 Michael Cummings (RETIRED) gentoo-dev 2004-10-05 13:42:03 UTC
Lewk - any hints on which files in the perl distribution tree...? Maybe a url for the advisory...?
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-10-05 13:53:20 UTC
Created attachment 41172 [details, diff]

Sorry, I added the wrong patch.  Here is the Trustix patch to fix tempfile
vulnerabilities in perl-5.8.3, but 5.8.4-r1 looks to have the same issues.
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-10-07 18:08:21 UTC
Any updates on whether or not you guys want this patch?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-10-09 03:27:01 UTC
Perl team, please comment/apply patch.
Comment 7 Michael Cummings (RETIRED) gentoo-dev 2004-10-09 05:07:36 UTC
We are reviewing. Most of it is silly - changing /tmp to /var/tmp - when there is no security advantage whatsoever in it. 
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-09 05:37:52 UTC
There are silly parts (like the .pod changes), but the changes to /tmp/X to /var/run/X make sense... as one is world-writeable while the other is not.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 04:39:18 UTC
This is CAN-2004-0976
Comment 10 Michael Cummings (RETIRED) gentoo-dev 2004-10-20 11:17:09 UTC
Check your tmps again. They are the same perms. There is very little of value in this patch.
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2004-10-20 11:20:33 UTC
lmcummings@sys947 ~ $ ls -al /|grep tmp
drwxrwxrwt   22 root root     8192 Oct 20 14:14 tmp
mcummings@sys947 ~ $ ls -al /var|grep tmp
drwxrwxrwt  12 root   root   4096 Oct 20 10:22 tmp

Same on every bare and not so bare gentoo box I can find (5 total). There is no value to that portion of the patch, it isn't any more secure one way than the other (not to mention if you want to get all technical, /var/tmp is supposed to be reserved for temporary files that persist between boots, and why would you want your perl compile writing in there??)
Comment 12 Michael Cummings (RETIRED) gentoo-dev 2004-10-20 11:27:04 UTC
Sorry, last comment was based on the wrong patch set:/

Still - this patch is largely worthless (sorry, but it is). Most of it involves patching inline documentation and pods. This isn't the huge security risk that you are implying, but we will attempt to look more when we/I can.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 11:58:30 UTC
If it just patches the doc, then it should not be applied. If it patches even just one tempfile vuln, then it should.

I'm not implying any huge security risk to justify it needs to be quickly done. Our job is also to quickly patch small security risks.
Comment 14 Luke Macken (RETIRED) gentoo-dev 2004-10-20 12:10:09 UTC

They are going to be using the same patch (before backporting).
Comment 15 Michael Cummings (RETIRED) gentoo-dev 2004-10-20 13:16:38 UTC
 You cannot expect perl herd to include patches like:

+# XXX: The temporary file handling implemented in here is crap.  It should
+# be re-done making use of File::Temp.

Yes, that is the sum total of the patch to I am weeding out the documentation patches to be able to evalute the real parts.

Comment 16 Michael Cummings (RETIRED) gentoo-dev 2004-10-20 13:31:01 UTC
Created attachment 42265 [details]
Edited version

This is what I am left after removing the documentation changes and the patches
that have already gone upstream (this patch was for perl 5.8.3, I compared it
to the next version up that we still support wich is 5.8.4 - and that doesn't
mean that even more can be removed when compared to 5.8.5, I just haven't
gotten that far). 500 lines less.
Comment 17 Luke Macken (RETIRED) gentoo-dev 2004-10-28 13:20:07 UTC
According to other advisories, the majority of these vulnerabilities have been fixed in version 5.8.5.
Comment 18 Michael Cummings (RETIRED) gentoo-dev 2004-10-28 17:38:37 UTC
All but a small handful were fixed by 5.8.4, and soon as I find free time, I'll confirm the remaining ones were corrected in 5.8.5 and/or the independant modules that replace them.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-11-04 02:30:46 UTC
For information, Ubuntu patched their 5.8.4 and issued the following advisory :

Ubuntu Security Notice USN-16-1		  November 02, 2004
perl vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the
perl package. The utility "instmodsh", the Perl package "",
and several test scripts (which are not shipped and only used during
build) created temporary files in an insecure way, which could allow a
symlink attack to create or overwrite arbitrary files with the
privileges of the user invoking the program, or building the perl
package, respectively.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-11 08:46:58 UTC
Micheal any news on this one?
Comment 21 Robert Coie (RETIRED) gentoo-dev 2004-12-04 12:17:02 UTC
The few bits that are still relevant are added to 5.8.5-r2 and 5.8.6-r1.
Comment 22 Luke Macken (RETIRED) gentoo-dev 2004-12-04 16:46:02 UTC
Please do not close security bugs...

Arches, please mark stable.
Comment 23 SpanKY gentoo-dev 2004-12-05 01:19:57 UTC
already done for a bunch of arches ;)
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2004-12-05 03:01:19 UTC
perl-5.8.5-r2 is now stable on ppc64
Comment 25 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-12-05 06:45:33 UTC
perl-5.8.5-r2 stable on alpha.
Comment 26 Karol Wojtaszek (RETIRED) gentoo-dev 2004-12-05 13:29:19 UTC
Already marked stable on amd64
Comment 27 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-06 12:55:46 UTC
sparc stable.
Comment 28 Luke Macken (RETIRED) gentoo-dev 2004-12-06 19:55:19 UTC
GLSA 200412-04
Comment 29 Hardave Riar (RETIRED) gentoo-dev 2004-12-07 12:46:42 UTC
Stable on mips.