Summary: dev-lang/perl: Insecure tempfile handling
Product: Gentoo Security
Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: mcummings, perl, rac
Whiteboard: A3 [glsa] lewk
Package list: ---
Runtime testing required: ---
Description Luke Macken (RETIRED) 2004-10-04 15:38:49 UTC
Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts.
Comment 1 Luke Macken (RETIRED) 2004-10-04 15:39:16 UTC
Created attachment 41099 [details, diff] mysql-4.0.18-tempfile.patch Trustix patch to fix tempfile insecurities.
Comment 2 Luke Macken (RETIRED) 2004-10-04 15:40:05 UTC
perl herd, please verify and apply patch if necessary. perl-5.8.4-r1 looks to be vulnerable to this issue.
Comment 3 Michael Cummings (RETIRED) 2004-10-05 13:42:03 UTC
Lewk - any hints on which files in the perl distribution tree...? Maybe a url for the advisory...?
Comment 4 Luke Macken (RETIRED) 2004-10-05 13:53:20 UTC
Created attachment 41172 [details, diff] perl-5.8.3-openwall-1.3-tempfile.patch Sorry, I added the wrong patch. Here is the Trustix patch to fix tempfile vulnerabilities in perl-5.8.3, but 5.8.4-r1 looks to have the same issues.
Comment 5 Luke Macken (RETIRED) 2004-10-07 18:08:21 UTC
Any updates on whether or not you guys want this patch?
Comment 6 Thierry Carrez (RETIRED) 2004-10-09 03:27:01 UTC
Perl team, please comment/apply patch.
Comment 7 Michael Cummings (RETIRED) 2004-10-09 05:07:36 UTC
We are reviewing. Most of it is silly - changing /tmp to /var/tmp - when there is no security advantage whatsoever in it.
Comment 8 Thierry Carrez (RETIRED) 2004-10-09 05:37:52 UTC
There are silly parts (like the .pod changes), but the changes from /tmp/X to /var/run/X make sense... as one is world-writable while the other is not.
Comment 9 Thierry Carrez (RETIRED) 2004-10-20 04:39:18 UTC
This is CAN-2004-0976
Comment 10 Michael Cummings (RETIRED) 2004-10-20 11:17:09 UTC
Check your tmps again. They are the same perms. There is very little of value in this patch.
Comment 11 Michael Cummings (RETIRED) 2004-10-20 11:20:33 UTC
lmcummings@sys947 ~ $ ls -al /|grep tmp
drwxrwxrwt 22 root root 8192 Oct 20 14:14 tmp
mcummings@sys947 ~ $ ls -al /var|grep tmp
drwxrwxrwt 12 root root 4096 Oct 20 10:22 tmp

Same on every bare and not so bare gentoo box I can find (5 total). There is no value to that portion of the patch, it isn't any more secure one way than the other (not to mention if you want to get all technical, /var/tmp is supposed to be reserved for temporary files that persist between boots, and why would you want your perl compile writing in there??)
Comment 12 Michael Cummings (RETIRED) 2004-10-20 11:27:04 UTC
Sorry, last comment was based on the wrong patch set :/ Still - this patch is largely worthless (sorry, but it is). Most of it involves patching inline documentation and pods. This isn't the huge security risk that you are implying, but we will attempt to look more when we/I can.
Comment 13 Thierry Carrez (RETIRED) 2004-10-20 11:58:30 UTC
If it just patches the doc, then it should not be applied. If it patches even just one tempfile vuln, then it should. I'm not implying any huge security risk to justify it needs to be quickly done. Our job is also to quickly patch small security risks.
Comment 14 Luke Macken (RETIRED) 2004-10-20 12:10:09 UTC
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325 They are going to be using the same patch (before backporting).
Comment 15 Michael Cummings (RETIRED) 2004-10-20 13:16:38 UTC
You cannot expect perl herd to include patches like:

+# XXX: The temporary file handling implemented in here is crap. It should
+# be re-done making use of File::Temp.

Yes, that is the sum total of the patch to CGI.pm. I am weeding out the documentation patches to be able to evaluate the real parts.
Comment 16 Michael Cummings (RETIRED) 2004-10-20 13:31:01 UTC
Created attachment 42265 [details] Edited version This is what I am left with after removing the documentation changes and the patches that have already gone upstream (this patch was for perl 5.8.3, I compared it to the next version up that we still support which is 5.8.4 - and that doesn't mean that even more can be removed when compared to 5.8.5, I just haven't gotten that far). 500 lines less.
Comment 17 Luke Macken (RETIRED) 2004-10-28 13:20:07 UTC
According to other advisories, the majority of these vulnerabilities have been fixed in version 5.8.5.
Comment 18 Michael Cummings (RETIRED) 2004-10-28 17:38:37 UTC
All but a small handful were fixed by 5.8.4, and as soon as I find free time, I'll confirm the remaining ones were corrected in 5.8.5 and/or the independent modules that replace them.
Comment 19 Thierry Carrez (RETIRED) 2004-11-04 02:30:46 UTC
For information, Ubuntu patched their 5.8.4 and issued the following advisory:

-----------------
Ubuntu Security Notice USN-16-1
November 02, 2004
perl vulnerabilities
CAN-2004-0976

Recently, Trustix Secure Linux discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
-----------------
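The flagged pattern (comment 15's CGI.pm note about File::Temp, and the symlink attack the Ubuntu advisory above describes) comes down to opening a predictable name in a world-writable directory with a clobbering `>` that follows symlinks. The following is an added example, not part of this bug report or of the perl sources or patches discussed here; the script name `myscript` and the `safe_create` helper are hypothetical. It shows the weak form beside the File::Temp form and a raw `sysopen` with `O_CREAT|O_EXCL`, which POSIX guarantees will fail (rather than follow) when anything, a symlink included, already exists at the path:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Weak pattern of the kind Trustix flagged: predictable name (only the PID
# varies), world-writable /tmp, and ">" which truncates whatever the name
# resolves to, including a pre-placed symlink to another user's file.
sub insecure_tempfile {
    my $path = "/tmp/myscript.$$";           # hypothetical script name
    open(my $fh, '>', $path) or die "open $path: $!";
    return ($fh, $path);
}

# Hardened form: File::Temp chooses an unpredictable name and opens it with
# O_CREAT|O_EXCL, so an existing path (symlink or file) makes the open fail
# instead of being followed. UNLINK => 1 removes the file at process exit.
sub secure_tempfile {
    my ($fh, $path) = tempfile("myscript.XXXXXXXX", TMPDIR => 1, UNLINK => 1);
    return ($fh, $path);
}

# For code that must use a fixed name (e.g. a lock or state file), the
# minimum defence is O_EXCL: returns a handle on success, undef if the path
# already exists for any reason. The caller must treat undef as "do not
# proceed", not as "retry with '>'".
sub safe_create {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return undef;
    return $fh;
}

# Self-contained demonstration in a private directory so nothing touches
# the real /tmp; the directory is removed when the script exits.
my $dir = tempdir(CLEANUP => 1);
my $fixed = "$dir/state.dat";

my $first = safe_create($fixed);
print defined $first ? "created $fixed\n" : "refused $fixed: $!\n";
close $first if $first;

# Second attempt on the now-existing path: O_EXCL makes this fail with
# EEXIST, which is exactly the behaviour that blocks a pre-placed symlink.
my $second = safe_create($fixed);
print defined $second ? "unexpectedly reopened $fixed\n"
                      : "refused $fixed as expected: $!\n";

my ($tfh, $tpath) = secure_tempfile();
print $tfh "scratch data\n";
close $tfh;
print "File::Temp gave an unpredictable name: $tpath\n";
```

`insecure_tempfile` is kept only for comparison and is never called; on a shared machine its `open` would truncate any file that `/tmp/myscript.<pid>` resolves to. `tempfile` with `TMPDIR => 1` honours `$TMPDIR`, so the /tmp versus /var/tmp argument in this thread becomes moot: the security comes from the unpredictable name plus `O_EXCL`, not from the directory.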
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-11 08:46:58 UTC
Michael, any news on this one?
Comment 21 Robert Coie (RETIRED) 2004-12-04 12:17:02 UTC
The few bits that are still relevant are added to 5.8.5-r2 and 5.8.6-r1.
Comment 22 Luke Macken (RETIRED) 2004-12-04 16:46:02 UTC
Please do not close security bugs... Arches, please mark stable.
Comment 23 SpanKY 2004-12-05 01:19:57 UTC
already done for a bunch of arches ;)
Comment 24 Markus Rothe (RETIRED) 2004-12-05 03:01:19 UTC
perl-5.8.5-r2 is now stable on ppc64
Comment 25 Bryan Østergaard (RETIRED) 2004-12-05 06:45:33 UTC
perl-5.8.5-r2 stable on alpha.
Comment 26 Karol Wojtaszek (RETIRED) 2004-12-05 13:29:19 UTC
Already marked stable on amd64
Comment 27 Gustavo Zacarias (RETIRED) 2004-12-06 12:55:46 UTC
Comment 28 Luke Macken (RETIRED) 2004-12-06 19:55:19 UTC
Comment 29 Hardave Riar (RETIRED) 2004-12-07 12:46:42 UTC
Stable on mips.