Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts.
Created attachment 41099: mysql-4.0.18-tempfile.patch
Trustix patch to fix tempfile insecurities.
perl herd, please verify and apply patch if necessary. perl-5.8.4-r1 looks to be vulnerable to this issue.
Lewk - any hints on which files in the perl distribution tree...? Maybe a url for the advisory...?
Created attachment 41172: perl-5.8.3-openwall-1.3-tempfile.patch
Sorry, I added the wrong patch. Here is the Trustix patch to fix tempfile vulnerabilities in perl-5.8.3, but 5.8.4-r1 looks to have the same issues.
Any updates on whether or not you guys want this patch?
Perl team, please comment/apply patch.
We are reviewing. Most of it is silly - changing /tmp to /var/tmp - when there is no security advantage whatsoever in it.
There are silly parts (like the .pod changes), but the changes to /tmp/X to /var/run/X make sense... as one is world-writeable while the other is not.
This is CAN-2004-0976
Check your tmps again. They are the same perms. There is very little of value in this patch.
lmcummings@sys947 ~ $ ls -al /|grep tmp
drwxrwxrwt 22 root root 8192 Oct 20 14:14 tmp
mcummings@sys947 ~ $ ls -al /var|grep tmp
drwxrwxrwt 12 root root 4096 Oct 20 10:22 tmp
Same on every bare and not so bare gentoo box I can find (5 total). There is no value to that portion of the patch, it isn't any more secure one way than the other (not to mention if you want to get all technical, /var/tmp is supposed to be reserved for temporary files that persist between boots, and why would you want your perl compile writing in there??)
Sorry, last comment was based on the wrong patch set:/ Still - this patch is largely worthless (sorry, but it is). Most of it involves patching inline documentation and pods. This isn't the huge security risk that you are implying, but we will attempt to look more when we/I can.
If it just patches the doc, then it should not be applied. If it patches even just one tempfile vuln, then it should. I'm not implying any huge security risk to justify it needs to be quickly done. Our job is also to quickly patch small security risks.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325 They are going to be using the same patch (before backporting).
You cannot expect perl herd to include patches like: +# XXX: The temporary file handling implemented in here is crap. It should +# be re-done making use of File::Temp. Yes, that is the sum total of the patch to CGI.pm. I am weeding out the documentation patches to be able to evaluate the real parts.
Created attachment 42265: Edited version
This is what I am left with after removing the documentation changes and the patches that have already gone upstream (this patch was for perl 5.8.3, I compared it to the next version up that we still support which is 5.8.4 - and that doesn't mean that even more can be removed when compared to 5.8.5, I just haven't gotten that far). 500 lines less.
According to other advisories, the majority of these vulnerabilities have been fixed in version 5.8.5.
All but a small handful were fixed by 5.8.4, and as soon as I find free time, I'll confirm the remaining ones were corrected in 5.8.5 and/or the independent modules that replace them.
For information, Ubuntu patched their 5.8.4 and issued the following advisory:
-----------------
Ubuntu Security Notice USN-16-1 November 02, 2004
perl vulnerabilities
CAN-2004-0976

Recently, Trustix Secure Linux discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
-----------------
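The overwrite-through-a-symlink behaviour the notice above describes, reproduced inside a private sandbox directory next to two hardened forms. This is an added example, not code from the Trustix patch or the perl distribution; the directory, the file names and the sub names are constructed for illustration, and a Unix-like system is assumed.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for a world-writable temp dir (constructed paths).
my $tmp    = tempdir(CLEANUP => 1);
my $victim = "$tmp/victim.txt";   # a file the invoking user is able to write
my $fixed  = "$tmp/script.$$";    # predictable name built from the PID

sub slurp { open(my $fh, '<', $_[0]) or die "$_[0]: $!"; local $/; return scalar <$fh> }

# Reset the victim file and pre-create the predictable name as a link to it.
sub plant {
    open(my $fh, '>', $victim) or die "$victim: $!";
    print {$fh} "important data\n";
    close $fh;
    unlink $fixed;
    symlink($victim, $fixed) or die "symlink: $!";
}

# Insecure: open() with '>' follows the link and truncates its target.
sub insecure_write {
    open(my $fh, '>', $fixed) or return 0;
    print {$fh} "scratch\n";
    close $fh;
    return 1;
}

# Hardened (1): O_CREAT|O_EXCL fails if the name exists, a symlink included.
sub exclusive_write {
    sysopen(my $fh, $fixed, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} "scratch\n";
    close $fh;
    return 1;
}

# Hardened (2): File::Temp chooses a random name and creates it exclusively.
sub filetemp_write {
    my ($fh, $name) = tempfile('script.XXXXXXXX', DIR => $tmp, UNLINK => 1);
    print {$fh} "scratch\n";
    close $fh;
    return $name;
}

plant(); insecure_write();
print "predictable open: victim = ", slurp($victim);
plant(); my $created = exclusive_write();
print "O_EXCL sysopen:   created=$created, victim = ", slurp($victim);
plant(); filetemp_write();
print "File::Temp:       victim = ", slurp($victim);
```

Both /tmp and /var/tmp carry the same drwxrwxrwt mode in the listing earlier in this thread, so the protection comes from how the file is created, not from which of the two directories it lands in.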
Michael, any news on this one?
The few bits that are still relevant are added to 5.8.5-r2 and 5.8.6-r1.
Please do not close security bugs... Arches, please mark stable.
already done for a bunch of arches ;)
perl-5.8.5-r2 is now stable on ppc64
perl-5.8.5-r2 stable on alpha.
Already marked stable on amd64
sparc stable.
GLSA 200412-04
Stable on mips.