Bug 389839 (CVE-2011-4115) - <dev-perl/Parallel-ForkManager-1.20.0: Insecure Temporary Files (CVE-2011-4115)
Summary: <dev-perl/Parallel-ForkManager-1.20.0: Insecure Temporary Files (CVE-2011-4115)
Status: RESOLVED FIXED
Alias: CVE-2011-4115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46784/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-07 20:53 UTC by Agostino Sarubbo
Modified: 2013-10-17 09:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2011-11-07 20:53:35 UTC
From the Secunia security advisory at $URL:

Description:
The security issue is caused due to the application using temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 0.7.9. Other versions may also be affected.


Solution:
Restrict access to trusted users only.
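
The symlink scenario the advisory names, as an added Perl example (not code from Parallel::ForkManager or from the advisory). The page does not say which files the module created, so the directory, file names and the predictable naming pattern below are constructed assumptions, and everything runs inside a private sandbox directory.

```perl
#!/usr/bin/perl
# Added illustration, not Parallel::ForkManager code. All paths are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir tempfile);

# Sandbox standing in for a shared, world-writable directory such as /tmp.
my $shared = tempdir(CLEANUP => 1);

# A file the application's user can write to.
my $victim = "$shared/important.conf";
write_plain($victim, "original\n");

# Predictable name (hypothetical pattern), pre-planted as a symlink.
my $predictable = "$shared/app-data-1234.txt";
symlink($victim, $predictable) or die "symlink: $!";

# Weak: plain open() follows the symlink and truncates the target.
write_plain($predictable, "child result\n");
print "after plain open: ", slurp($victim);

# Hardened: exclusive creation refuses a name that already exists,
# including one that is a symlink, so the target is left untouched.
write_plain($victim, "original\n");
my $ok = sysopen(my $fh, $predictable,
                 O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
print "exclusive create: ", ($ok ? "opened" : "refused ($!)"), "\n";
print "after sysopen:    ", slurp($victim);

# Preferred: File::Temp picks a random name and creates it exclusively.
my ($tfh, $tname) = tempfile("app-data-XXXXXXXX", DIR => $shared, UNLINK => 1);
print {$tfh} "child result\n";
close $tfh or die "close: $!";
printf "File::Temp mode:  %04o\n", (stat $tname)[2] & 07777;

sub write_plain {
    my ($path, $data) = @_;
    open(my $out, '>', $path) or die "open $path: $!";
    print {$out} $data;
    close $out or die "close: $!";
}

sub slurp {
    my ($path) = @_;
    open(my $in, '<', $path) or die "open $path: $!";
    local $/;                       # read the whole file at once
    return scalar <$in>;
}
```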
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2012-12-25 12:35:41 UTC
Fixed in dev-perl/Parallel-ForkManager-1.20.0
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-25 16:15:15 UTC
Arches, please test and mark stable:
=dev-perl/Parallel-ForkManager-1.20.0
Target keywords : "alpha amd64 ia64 sparc x86"
Comment 3 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-12-25 16:21:55 UTC
(In reply to comment #2)
> Target keywords : "alpha amd64 ia64 sparc x86"

Have you forgotten ppc?
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-25 16:30:53 UTC
(In reply to comment #3)
> Have you forgotten ppc?

No.

In the case of security bugs, we stabilize only on arches which have a stable keyword.
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:23 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-25 16:43:45 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-25 22:28:16 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-28 15:09:21 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-29 08:54:20 UTC
alpha stable
Comment 10 Sean Amoss gentoo-dev Security 2012-12-29 13:19:48 UTC
GLSA vote: yes.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:48:13 UTC
GLSA Vote: yes. Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:11:32 UTC
This issue was resolved and addressed in GLSA 201310-11 at http://security.gentoo.org/glsa/glsa-201310-11.xml by GLSA coordinator Sergey Popov (pinkbyte).